MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 37c2608ad09b3f6d0cd33476b8f6bf6fefd1a0f2408657072da80a0454da7e6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 37c2608ad09b3f6d0cd33476b8f6bf6fefd1a0f2408657072da80a0454da7e6f
SHA3-384 hash: 9b13253fed6cb917a8007ad050968b10872f2e92793f758802cae0fb9e873621aa9326a553e9fc4cb13f1b4f1d5a66fb
SHA1 hash: 6b91fc02ec694f8c24eb52c1de823ae34460a4c8
MD5 hash: c7089c992c256d32b1a788446baae7ed
humanhash: apart-alaska-wyoming-berlin
File name: IMG_000002_DOCUMENTS_PDF.exe
Signature: ModiLoader
File size: 1'063'936 bytes
First seen: 2020-07-31 11:47:01 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3f8d030b3c71bda34357bf4893006423
ssdeep: 12288:Lq6ZMSNeFVGYR+HiZRQjcZC8gXrC363OTGgjglY8LR:FG7FVzmiZ42C8gOKC
TLSH: 61353822BA81C536CCAE0639CC0BFAFC5825BD51AD16953336F97F4F7EB42412926193
Reporter: @abuse_ch
Tags: exe ModiLoader


Twitter
@abuse_ch
Malspam distributing ModiLoader:

HELO: mail.greencc.com
Sending IP: 209.59.244.54
From: Tyler Simpson <tsimpson@greencc.com>
Subject: Urgent Purchase Order
Attachment: ScanIMG0001-PDF.z (contains "IMG_000002_DOCUMENTS_PDF.exe")
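The tweet above gives the full delivery chain: a purchase-order lure subject, an archive attachment named like a scanned PDF, and an executable with a document-style name inside it. As an added example that is not part of the tweet, of abuse.ch's tooling or of MalwareBazaar, the Python below rebuilds such a message offline (the recipient, body text and the MZ-stub payload are constructed; only the sender, subject and file names come from the report) and applies the check a mail gateway should make: open the attachment by content rather than by extension, and flag executables inside it, with a separate reason for document-lookalike names.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows runs directly from a double-click; the payload on this page is .exe.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}
# Tokens lure names use to look like a scan or a document ("IMG_..._PDF.exe").
LURE_TOKENS = ("pdf", "doc", "scan", "img", "invoice", "order")


def build_sample_eml() -> bytes:
    """Constructed message reusing the sender, subject and attachment names from the
    report above. Recipient, body and the stub payload are invented; the zip holds
    64 bytes starting with an MZ header, not the real sample."""
    msg = EmailMessage()
    msg["From"] = "Tyler Simpson <tsimpson@greencc.com>"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Urgent Purchase Order"
    msg.set_content("Please find the attached purchase order.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("IMG_000002_DOCUMENTS_PDF.exe", b"MZ" + b"\x00" * 62)
    # The real attachment was named .z; the name says nothing about the container type.
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="octet-stream",
                       filename="ScanIMG0001-PDF.z")
    return msg.as_bytes()


def is_lure_executable(name: str) -> bool:
    """True for an executable whose name mimics a document or scan."""
    stem, ext = os.path.splitext(name.lower())
    return ext in EXECUTABLE_EXTS and any(tok in stem for tok in LURE_TOKENS)


def triage_message(raw: bytes) -> list:
    """One finding per executable found in the attachments. Any attachment that is a
    zip container is opened by content, whatever its extension claims."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():
                    ext = os.path.splitext(member.lower())[1]
                    if is_lure_executable(member):
                        findings.append({"attachment": name, "member": member,
                                         "reason": "executable with document-style name inside archive"})
                    elif ext in EXECUTABLE_EXTS:
                        findings.append({"attachment": name, "member": member,
                                         "reason": "executable inside archive"})
        elif is_lure_executable(name):
            findings.append({"attachment": name, "member": None,
                             "reason": "executable with document-style name"})
    return findings


if __name__ == "__main__":
    for finding in triage_message(build_sample_eml()):
        print(finding)
```

The point of sniffing the container is the ".z" name: a gateway that only blocks ".zip" or ".exe" attachments by extension lets this message through, while the member list of the archive exposes the executable immediately.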

Intelligence


File Origin
# of uploads: 1
# of downloads: 35
Origin country: FR

Mail intelligence
Geo location: Global
Volume: Low

Vendor Threat Intelligence

Result
Threat name: Remcos
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Malicious sample detected (through community Yara rule)
Sigma detected: Fodhelper UAC Bypass
Sigma detected: Remcos
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph ID: 255343
Sample: IMG_000002_DOCUMENTS_PDF.exe
Start date: 31/07/2020
Architecture: WINDOWS
Score: 100
DNS names resolved at sample level: g.msn.com, asf-ris-prod-neurope.northeurope.cloudapp.azure.com
Sample-level signatures: Malicious sample detected (through community Yara rule); Detected Remcos RAT; Yara detected Remcos RAT; 9 other signatures

Process tree (numbers are the graph's node IDs; indentation shows parent and child):
9  IMG_000002_DOCUMENTS_PDF.exe
   network: cdn.discordapp.com 162.159.133.233, ports 443, 49727 (CLOUDFLARENETUS, United States)
   dropped: C:\Users\user\AppData\Local\Abwlsec.exe (PE32)
   signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
   18 notepad.exe
      32 cmd.exe (Uses cmd line tools excessively to alter registry or file data)
         45 conhost.exe
         47 reg.exe
      35 cmd.exe
         49 conhost.exe
   20 ieinstal.exe
      network: 79.134.225.12, ports 49734, 49735, 49736 (FINK-TELECOM-SERVICESCH, Switzerland)
14 Abwlsec.exe
   network: 162.159.130.233, ports 443, 49742, 49751 (CLOUDFLARENETUS, United States); 192.168.2.1 (unknown)
   signatures: Injects a PE file into a foreign process
   23 notepad.exe
      37 cmd.exe
         51 conhost.exe
         53 reg.exe
      39 cmd.exe
         55 conhost.exe
   25 ieinstal.exe
16 Abwlsec.exe
   27 notepad.exe
      dropped: C:\Users\Public63atso.bat (ASCII)
      41 cmd.exe
         57 conhost.exe
         59 reg.exe
      43 cmd.exe
   30 ieinstal.exe
Threat name: Win32.Trojan.Bluteal
Status: Malicious
First seen: 2020-07-31 11:48:10 UTC
AV detection: 16 of 31 (51.61%)
Threat level: 5/5

Result
Malware family: remcos
Score: 10/10
Tags: rat family:remcos persistence
Behaviour
Modifies system certificate store
Modifies registry key
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Adds Run key to start application

Remcos
Threat name: Malicious File
Score: 1.00
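Two parts of the vendor results above are what a detection engineer would turn into rules: the process tree and signature list from the first sandbox (a document-lookalike .exe dropping Abwlsec.exe, notepad.exe and ieinstal.exe spawning cmd.exe and reg.exe, "Sigma detected: Fodhelper UAC Bypass"), and the "Adds Run key to start application" behaviour from the second. The Python below is an added example, not code from MalwareBazaar or from any of the sandbox vendors: it runs five such rules over constructed Sysmon-style events that mirror the tree on this page. The event layout, image paths, the SID and the registry value names are assumptions; the ms-settings\shell\open\command key is the registry path the Fodhelper technique is known to write to, and PIDs reuse the graph's node numbers.

```python
import os
from collections import Counter

# Constructed Sysmon-style events (eid 1 = process create, eid 11 = file create,
# eid 13 = registry value set) mirroring the behaviour graph on this page. PIDs reuse
# the graph's node numbers; image paths, the SID and the registry value names are
# assumptions, not data exported from the sandbox.
EVENTS = [
    {"eid": 1,  "pid": 2,  "ppid": 1,  "image": r"C:\Windows\explorer.exe"},
    {"eid": 1,  "pid": 9,  "ppid": 2,  "image": r"C:\Users\user\Desktop\IMG_000002_DOCUMENTS_PDF.exe"},
    {"eid": 11, "pid": 9,  "target": r"C:\Users\user\AppData\Local\Abwlsec.exe"},
    {"eid": 1,  "pid": 18, "ppid": 9,  "image": r"C:\Windows\System32\notepad.exe"},
    {"eid": 1,  "pid": 20, "ppid": 9,  "image": r"C:\Program Files\Internet Explorer\ieinstal.exe"},
    {"eid": 1,  "pid": 32, "ppid": 18, "image": r"C:\Windows\System32\cmd.exe"},
    {"eid": 1,  "pid": 47, "ppid": 32, "image": r"C:\Windows\System32\reg.exe"},
    {"eid": 13, "pid": 47, "target": r"HKU\S-1-5-21-1000\Software\Classes\ms-settings\shell\open\command\DelegateExecute"},
    {"eid": 13, "pid": 47, "target": r"HKU\S-1-5-21-1000\Software\Classes\ms-settings\shell\open\command\(Default)"},
    {"eid": 1,  "pid": 14, "ppid": 2,  "image": r"C:\Users\user\AppData\Local\Abwlsec.exe"},
    {"eid": 1,  "pid": 23, "ppid": 14, "image": r"C:\Windows\System32\notepad.exe"},
    {"eid": 1,  "pid": 37, "ppid": 23, "image": r"C:\Windows\System32\cmd.exe"},
    {"eid": 1,  "pid": 53, "ppid": 37, "image": r"C:\Windows\System32\reg.exe"},
    {"eid": 13, "pid": 53, "target": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Abwlsec"},
    # Benign noise the rules must ignore: an interactive shell changing a console setting.
    {"eid": 1,  "pid": 70, "ppid": 2,  "image": r"C:\Windows\System32\cmd.exe"},
    {"eid": 1,  "pid": 71, "ppid": 70, "image": r"C:\Windows\System32\reg.exe"},
    {"eid": 13, "pid": 71, "target": r"HKU\S-1-5-21-1000\Console\QuickEdit"},
]

EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com"}
DOC_LURE_TOKENS = ("pdf", "doc", "img", "scan", "invoice")
# Hosts that never need a shell; on this page they are the hollowed injection targets.
NO_SHELL_PARENTS = {"notepad.exe", "ieinstal.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
FODHELPER_KEY = r"\software\classes\ms-settings\shell\open\command"
RUN_KEY = "\\currentversion\\run\\"
USER_DROP_DIR = "\\appdata\\local\\"


def basename(path):
    """Lower-cased final path component; tolerates Windows separators on any host."""
    return os.path.basename(path.replace("\\", "/")).lower()


def is_lure_name(image):
    """Executable whose name pretends to be a document or scan ('..._PDF.exe')."""
    stem, ext = os.path.splitext(basename(image))
    return ext in EXECUTABLE_EXTS and any(tok in stem for tok in DOC_LURE_TOKENS)


def detect(events):
    """Return (rule, pid, detail) tuples for every event that matches a rule."""
    images = {e["pid"]: e["image"] for e in events if e["eid"] == 1}
    findings = []
    for e in events:
        if e["eid"] == 1:
            name = basename(e["image"])
            parent = basename(images.get(e["ppid"], ""))
            if is_lure_name(e["image"]):
                findings.append(("suspicious_name", e["pid"], name))
            if name in SHELLS and parent in NO_SHELL_PARENTS:
                findings.append(("shell_from_injection_host", e["pid"], f"{parent} -> {name}"))
        elif e["eid"] == 11:
            t = e["target"].lower()
            if t.endswith(tuple(EXECUTABLE_EXTS)) and USER_DROP_DIR in t:
                findings.append(("dropped_executable", e["pid"], e["target"]))
        elif e["eid"] == 13:
            t = e["target"].lower()
            if FODHELPER_KEY in t:
                findings.append(("fodhelper_uac_bypass", e["pid"], e["target"]))
            elif RUN_KEY in t:
                findings.append(("run_key_persistence", e["pid"], e["target"]))
    return findings


def summarize(events):
    """Rule -> hit count, the shape a triage view would show."""
    return dict(Counter(rule for rule, _, _ in detect(events)))


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:26} pid={pid:<3} {detail}")
```

The parent/child rule is the one worth keeping in production: cmd.exe under explorer.exe is normal and is left alone, while cmd.exe under notepad.exe has no legitimate cause and on this page is the hollowed host that goes on to run reg.exe against the UAC-bypass key and the Run key.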

Yara Signatures


Rule name: win_dbatloader_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: ModiLoader
  Executable exe 37c2608ad09b3f6d0cd33476b8f6bf6fefd1a0f2408657072da80a0454da7e6f (this sample)

Delivery method: Distributed via e-mail attachment

Comments