{
	"id": "278e5de4-99fb-43f0-8d1f-e4741bd8e245",
	"created_at": "2026-04-06T00:21:29.348549Z",
	"updated_at": "2026-04-10T13:11:53.828743Z",
	"deleted_at": null,
	"sha1_hash": "051f31a1373e319d63d698309d4bee2bc1c7e304",
	"title": "Malspam pushes ModiLoader (DBatLoader) infection for Remcos RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1838270,
	"plain_text": "Malspam pushes ModiLoader (DBatLoader) infection for Remcos RAT\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 18:48:21 UTC\r\nIntroduction\r\nAlso known as DBatLoader, ModiLoader is malware that retrieves and runs payloads like Formbook, Warzone RAT, Remcos RAT, or other types of malware.  Today's diary reviews a ModiLoader infection for Remcos RAT on Monday 2023-05-29.\r\nShown above:  Flow chart for the ModiLoader Remcos RAT infection on Monday 2023-05-29.\r\nEmail\r\nI caught the email in one of my honeypot accounts on Monday 2023-05-29 at 4:14 UTC.  These messages often spoof companies sending invoices or purchase orders.  This campaign didn't appear to be specifically targeted at my honeypot account.\r\nShown above:  Screenshot of the email distributing ModiLoader for Remcos RAT on Monday 2023-05-29.\r\nhttps://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896\r\nPage 1 of 7\n\nThe email contains an ISO image presented as a purchase order.  The ISO image contains a Windows executable (EXE) file for ModiLoader.  The EXE file icon impersonates an Excel spreadsheet.\r\nShown above:  The attached ISO image contains a malicious Windows EXE file for ModiLoader.\r\nThis ModiLoader EXE will infect a vulnerable Windows host with Remcos RAT.  Let's look at the infection traffic.\r\nInfection Traffic\r\nThe ModiLoader EXE first generated a OneDrive URL using HTTP over TCP port 80.  This redirected to an HTTPS version of the same URL over TCP port 443.\r\nShown above:  Traffic from an infection filtered in Wireshark.\r\nShown above:  Initial traffic generated by ModiLoader redirected to an HTTPS version of the same URL.\r\nThe OneDrive URL returned a base64 text file, approximately 4.3 MB in size.  I retrieved a copy of it by entering the URL in a web browser.\r\nShown above:  Using a web browser to retrieve the base64 text file returned from the OneDrive URL generated by the ModiLoader EXE.\r\nShortly after ModiLoader retrieved the base64 text file, my infected host started generating TLSv1.3 infection traffic to a server at 146.70.158[.]105 over TCP port 9138.  Online sandbox analysis indicates this is Remcos RAT traffic, so I'm calling 146.70.158[.]105 a Remcos RAT C2 server.\r\nShown above:  Wireshark showing TLSv1.3 traffic from the infected Windows host.\r\nNo domain is associated with this Remcos RAT C2 server.  Checking it in a web browser revealed the server used a self-signed certificate.  No identification fields were used for this self-signed certificate.\r\nShown above:  Info about the self-signed certificate used for TLSv1.3 traffic to the Remcos RAT C2 server.\r\nAt least 49 MB of data was sent from the infected Windows host to the Remcos RAT C2 server, as shown below when viewing TCP conversation statistics of the traffic in Wireshark.\r\nShown above:  TCP conversation statistics in Wireshark reveal the infected host sent at least 49 MB of data to the Remcos RAT C2 server.\r\nThe infected Windows host also checked its location using geoplugin.net, which is a legitimate service.\r\nForensics on the Infected Windows Host\r\nThis infection was made persistent through the Windows registry key at HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.  Persistent files were stored in the host's C:\\Users\\Public\\Libraries directory.\r\nShown above:  ModiLoader/Remcos RAT files persistent on the infected Windows host.\r\nIndicators of Compromise (IOCs)\r\nSome headers from the email:\r\nReturn-Path: \u003cwilliam.cheng@foodicon[.]com[.]sg\u003e\r\nReceived: from cp2-de1.host-global[.]net (cp2-de1.host-global[.]net [88.99.82[.]246])\r\n for \u003c[recipient's email address]\u003e; Mon, 29 May 2023 04:14:43 +0000 (UTC)\r\nReceived: from ec2-3-135-201-214.us-east-2.compute.amazonaws[.]com ([3.135.201[.]214]:55643)\r\n by cp2-de1.host-global[.]net with esmtpa (Exim 4.96)\r\n Mon, 29 May 2023 06:14:35 +0200\r\nFrom: PT Sree International Indonesia \u003cinfo@ptsreint[.]co[.]id\u003e\r\nSubject: New Inquiry/Purchase Order June 2023\r\nDate: 29 May 2023 04:14:33 +0000\r\nMessage-ID: \u003c20230529041433.6E03B75D7043B6B7@ptsreint[.]co[.]id\u003e\r\nTraffic from an infected Windows host:\r\nhxxp://onedrive.live[.]com/download?cid=477DD5F55B8A76A6\u0026resid=477DD5F55B8A76A6%21132\u0026authkey=AHpfAKNpV3kAUSU\r\nhxxps://onedrive.live[.]com/download?cid=477DD5F55B8A76A6\u0026resid=477DD5F55B8A76A6%21132\u0026authkey=AHpfAKNpV3kAUSU\r\nhxxps://u7xd4q.bn.files.1drv[.]com/y4mnljoeykY0rqANGppY0yGovJuGPFqCUKN1PI2BK5j71L0nAtxaBfppI5gHLhyPiXM3swFe-quRw1e41cGALOL4QoSWpyud0yDeU-ImxNuXWR9bIksaWiXsgL2UyTD2D2DtHZaxPuuqz7hy09zjLvcrr_HTTMA8fF4iRUQ1H6Bjm6lTFEK9eLm6t5M9xXenlHLDiE4qye22jg5SWe\r\ndownload\u0026psid=1\r\n146.70.158[.]105 port 9138 - TLSv1.3 traffic for Remcos RAT\r\nhxxp://geoplugin.net/json.jp  \u003c-- IP address/location check of the infected host\r\nMalware from the infected Windows host:\r\nSHA256 hash: f69e25c8c6d512b60024504124d46cfbf08741bc7f53104466d1483f034a73e4\r\nFile size: 1,638,400 bytes\r\nFile name: Urgent Inquiry_Purchase order June 2023_PDF.iso\r\nFile description: Email attachment, an ISO disk image containing DBatLoader/ModiLoader EXE\r\nSHA256 hash: de33fd9d4c89f8d5ffad69cb7743922d8d22f54890f9ca69161edce001cba9ad\r\nFile size: 1,047,552 bytes\r\nFile name: Urgent Inquiry_Purchase order June 2023_PDF.exe\r\nPersistent file location: C:\\Users\\Public\\Libraries\\Dmzsccoi.exe\r\nFile description: ModiLoader EXE\r\nAnalysis: https://tria.ge/230529-vtyr7sdc5x/behavioral2\r\nAnalysis: https://app.any.run/tasks/8f428a98-e2b5-49ae-a073-b4feb6c9f4ca\r\nAnalysis: https://capesandbox.com/submit/status/393224/\r\nReference: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader\r\nSHA256 hash: 1d863f9486cef770383b16ed95763abe222b702dafad4e529793288c83fff52f\r\nFile size: 4,289,728 bytes\r\nFile description: Base64 text file retrieved from OneDrive URL generated by ModiLoader malware\r\nFile location: hxxps://onedrive.live[.]com/download?cid=477DD5F55B8A76A6\u0026resid=477DD5F55B8A76A6%21132\u0026authkey=AHpfAKNpV3kAUSU\r\nSHA256 hash: a2796cc5deaca203fd9c1ed203517c74b8fd516619cd0ded67551f727498dcb3\r\nFile size: 3,217,294 bytes\r\nFile location: C:\\Users\\Public\\Libraries\\Dmzsccoi\r\nFile description: Data binary decoded from above base64 text file\r\nSHA256 hash: 13ad5aa8c9424fd866ea5b5ed6f603983c626f60cdb5b680c98cd046174b4667\r\nFile size: 100 bytes\r\nFile location: C:\\Users\\Public\\Libraries\\ioccszmD.url\r\nFile description: URL file persistent through Windows registry\r\nURL file target: C:\\\\Users\\\\Public\\\\Libraries\\\\Dmzsccoi.exe\r\nSHA256 hash: 7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301\r\nFile size: 68,096 bytes\r\nFile location: C:\\Users\\Public\\Libraries\\ioccszmD.pif\r\nFile description: Another Windows EXE used for this infection\r\nFinal Words\r\nThis example of ModiLoader/Remcos RAT was not targeted, nor was it particularly sophisticated.  Emails using ISO attachments to deliver malware are routinely submitted to VirusTotal.  I did a quick search for the last week of ISO attachments in VirusTotal, and I found 15 examples.\r\nShown above:  Results of a search for ISO attachments from emails submitted to VirusTotal from 2023-05-22 until the date of this diary.\r\nA sanitized copy of the email, along with malware/artifacts from the infection, and a packet capture (pcap) of the infection traffic are available here.\r\n---\r\nBrad Duncan\r\nbrad [at] malware-traffic-analysis.net\r\nSource: https://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896"
	],
	"report_names": [
		"29896"
	],
	"threat_actors": [],
	"ts_created_at": 1775434889,
	"ts_updated_at": 1775826713,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/051f31a1373e319d63d698309d4bee2bc1c7e304.pdf",
		"text": "https://archive.orkl.eu/051f31a1373e319d63d698309d4bee2bc1c7e304.txt",
		"img": "https://archive.orkl.eu/051f31a1373e319d63d698309d4bee2bc1c7e304.jpg"
	}
}