MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 929aed244ea7ad68ca44b6274a388dcc772b9d4bc6f4e2cb4370555ecc292c80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ModiLoader

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	929aed244ea7ad68ca44b6274a388dcc772b9d4bc6f4e2cb4370555ecc292c80
SHA3-384 hash:	2a7177611c5946ebdc567f7291ebab77358bd82d530388f1d4127349f47bbd72ab438c4c2b47aceff70a4134bd4a20f8
SHA1 hash:	a225211fa273840abea50dc9e9ea590370f2ea31
MD5 hash:	f27a1a0e823b72e6a83baa4d938b965c
humanhash:	victor-connecticut-monkey-kilo
File name:	Order-20200814-pdf.exe
Download:	download sample
Signature	ModiLoader Create hunting rule
File size:	977'408 bytes
First seen:	2020-08-13 11:38:20 UTC
Last seen:	2020-08-13 13:22:52 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	63ffa342653757fae1740debddf4f48a (5 x ModiLoader, 1 x RemcosRAT)
ssdeep	12288:HxtU/mq2LfX9V9GrGK4Ilr9Yz4sUMgu+Cj/RegBKYEt8XO+/GFAlNgnPJM:HrHLfNDKZ/nyfj/MgB1h5lNgnPW
Threatray	916 similar samples on MalwareBazaar
TLSH	5C25CF1B7A815033DB1B073E8C37969D5F2579617C1888A91EE50F8D9D28E9B30BAC1B
Reporter	abuse_ch
Tags:	exe ModiLoader

abuse_ch

Malspam distributing ModiLoader:

HELO: zkp.co.za
Sending IP: 45.137.22.78
From: Altis Pharmaceuticals <info@zkp.co.za >
Subject: Re: Made-In-China.Com New Quotation and Purchase Invoice for new Order
Attachment: Order-20200814-pdf.z (contains "Order-20200814-pdf.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/45150/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

DNS request

Sending a custom TCP request

Creating a file

Launching a process

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for recently created files

Setting a single autorun event

Unauthorized injection to a recently created process by context flags manipulation

Connection attempt to an infection source

Setting a global event handler for the keyboard

Result

Threat name:

Remcos

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/426060

Signature

Allocates memory in foreign processes

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Detected Remcos RAT

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Sigma detected: Remcos

Writes to foreign memory regions

Yara detected Remcos RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/929aed244ea7ad68ca44b6274a388dcc772b9d4bc6f4e2cb4370555ecc292c80/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-08-13 09:05:25 UTC

AV detection:

35 of 48 (72.92%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=skno2jcou6wwrssewytuuoenzr3sxhkly32ofs2dobkv5tbjfsaa._file

Verdict:

malicious

Label(s):

remcos

ModiLoader

4ea16682c6d48eb737c1857beceadc3d3077921c03fa62d9dad44d551d92729d

ModiLoader

53136d19559089e0674af4ad81621b99a031741edcc486eb3d402fd180b1b77e

ModiLoader

7720da8dd623a00812870efdb75c2f2571417599ebfabcff48d2bd95cd029ea2

ModiLoader

83eb442b175e4fe5a2fde6e8d72618eee280398f89a81da1f9c118d2c46032d4

ModiLoader

9930543939f97818319ed031530d9e084994331aa4b06a304faeb321bbcc63db

ModiLoader

a1c561c21720c4f1c3626276db6afc2c12b1aae9304c78518763eb78454f84b8

ModiLoader

c232e05f633d3e2bd0a1486a955d7f72eb9155408a635666306d922b333809b2

ModiLoader

c86bcfe4e22cb50054b44e38fc4fb79624c4ed5bf9a26174754dbb5c1a6baff8

ModiLoader

eb1230ab4a5408a3d264bb51f1ff311fcf52aa97d52b801738cd5add365e77d2

ModiLoader

+ 906 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

rat family:remcos persistence

Link:

https://tria.ge/reports/200813-3r6nahlk1n/

Behaviour

Script User-Agent

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Remcos

Malware Config

C2 Extraction:

79.134.225.12:60256

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/929aed244ea7ad68ca44b6274a388dcc772b9d4bc6f4e2cb4370555ecc292c80

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	win_dbatloader_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator