modiloader | 3826a668ed94df39283862ae7e85757695cf2724531083e068a3947fc052c1a9 | Triage

Sharing

General

Target

JaffaCakes118_3826a668ed94df39283862ae7e85757695cf2724531083e068a3947fc052c1a9
Size

242KB
Sample

241225-r3m6aavrgj
MD5

95a0b0fca69f86d56dea63325c608d2c
SHA1

4aa60674e7853bbfa7d891f6ad119f0699e455b2
SHA256

3826a668ed94df39283862ae7e85757695cf2724531083e068a3947fc052c1a9
SHA512

05fb9f0e86caef4b0cd743a143f463ee6e49e0ea97e0e80118e43d7e45b0db7147a66db6361f722b82307a0b04f3778c0bca961fceb882610aa42acfcff76cba
SSDEEP

6144:oyF/H6PNKON1TaTJmLqg2YCYM1riSNbKFAiCC:oyF/aF0JMjZ2rikS

Score

10^/10

modiloader remcos aaaaaaaaaaa discovery persistence rat trojan

Malware Config

Extracted

Family

remcos

Version

2.7.0 Pro

Botnet

AAAAAAAAAAA

C2

incidencias6645.ddns.net:8638

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-Y8P2FO
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Targets

- Target
  
  PDF 86812376724_PO.exe
- Size
  
  561KB
- MD5
  
  28fdba7295380d922ef4db0deda34705
- SHA1
  
  69a33211d1b5b375e886bfb2ab2eadad79e1f61c
- SHA256
  
  95935a1ae37717226eb2b3d7c53a97cdabe5e9b28d370237f7badef2820ff29b
- SHA512
  
  664244459e0da68779b567ea297909169b2f9f9852d1664c8b18bfdc239b4342723cee2b21c4fd631cee9ef2e37354368a19ada74af34db9fb4319b1be684ca3
- SSDEEP
  
  12288:iP2oEhUMrM7FX/SdjY3ZrL26hnkKVJxgkI+:iuzUMrYXaBKX1kKVEkI
Score

10^/10

modiloader remcos aaaaaaaaaaa discovery persistence rat trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Modiloader family
  modiloader
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- ModiLoader Second Stage
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

modiloaderremcosaaaaaaaaaaadiscoverypersistencerattrojan

behavioral2

modiloaderremcosaaaaaaaaaaadiscoverypersistencerattrojan