MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 08fe7e61eafc062a5f50981fae0f578442cdfd31a00e2398389c8bea37485f02. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 08fe7e61eafc062a5f50981fae0f578442cdfd31a00e2398389c8bea37485f02
SHA3-384 hash: 5e306e0194622a6ea7facd9c2e7b86381d9c06ba44a6940d5caf744a68d7780ac9243eac85f5e32c297ec6c4df27b09e
SHA1 hash: d48b28ebb1a010eae20a10aa4d1d6c5a79ea6f96
MD5 hash: 24c2540e588585a4daf8b3fe1112a78d
humanhash: stairway-wyoming-green-uniform
File name: 24c2540e588585a4daf8b3fe1112a78d.exe
Signature: ModiLoader
File size: 1'064'650 bytes
First seen: 2020-07-31 11:11:19 UTC
Last seen: 2020-08-02 07:34:29 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3f8d030b3c71bda34357bf4893006423
ssdeep: 12288:/q6ZMSNeFVGYR+HiZRQjcZC8gXrC363OTGgjglY8nRM:JG7FVzmiZ42C8gOKCV
TLSH: 78353822BA81C536CCAE0639CC0BFAFC5825BD51AD16953336F97F4F7EB42412926193
Reporter: @abuse_ch
Tags: exe ModiLoader nVpn RAT RemcosRAT


Twitter: @abuse_ch
ModiLoader dropping RemcosRAT

RemcosRAT C2:
karimgoussd.ug (79.134.225.49)

Pointing to nVpn:

% Information related to '79.134.225.0 - 79.134.225.127'

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE

Intelligence


File Origin
# of uploads: 3
# of downloads: 30
Origin country: US
Mail intelligence: No data
Vendor Threat Intelligence
Result
Threat name: Remcos
Detection: malicious
Classification: troj.spyw.evad
Score: 92 / 100
Signature:
Allocates memory in foreign processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes to foreign memory regions
Yara detected Keylogger Generic
Yara detected Remcos RAT
Behaviour
Behavior Graph: ID 255320, sample R8IaYkCPbJ.exe, start date 31/07/2020, architecture WINDOWS, score 92. The graph (an image on the original page, flattened here) shows R8IaYkCPbJ.exe fetching content from googleusercontent.com hosts, dropping C:\Users\user\AppData\Local\Prhcsec.exe, and starting ieinstal.exe and notepad.exe with foreign-memory-write and thread-injection signatures attached; Prhcsec.exe likewise starts notepad.exe and ieinstal.exe; ieinstal.exe contacts fgdjhksdfsdxcbv.ru and karimgoussd.ug (79.134.225.49); notepad.exe spawns cmd.exe, which spawns conhost.exe.
Threat name: Win32.Trojan.Ymacco
Status: Malicious
First seen: 2020-07-31 08:15:11 UTC
AV detection: 18 of 31 (58.06%)
Threat level: 5/5
Result
Malware family: remcos
Score: 10/10
Tags: persistence rat family:remcos
Behaviour
Suspicious use of WriteProcessMemory
Modifies registry key
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Remcos
Threat name: Malicious File
Score: 1.00

Yara Signatures


Rule name: win_dbatloader_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator
Rule name: win_remcos_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: ModiLoader, Executable exe 08fe7e61eafc062a5f50981fae0f578442cdfd31a00e2398389c8bea37485f02 (this sample)

Delivery method: Distributed via web download

Comments