MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 07e5cda497f958cd565e20bf94c41bb5b5efe39425be7a17bfcc7f9cd977655d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 07e5cda497f958cd565e20bf94c41bb5b5efe39425be7a17bfcc7f9cd977655d
SHA3-384 hash: 17ea995c15547063978a96248dbb127c789ec29001eb74852d3c82a194d06e8404e8d2cdcba3fd9f69a13a4532ad75b5
SHA1 hash: 4a4dbe32c9d3e4dd251b7fdb8cbc98f26cc2493d
MD5 hash: 64e1ab7b5131170465267769ec54e243
humanhash: kentucky-jersey-tennessee-apart
File name:64e1ab7b5131170465267769ec54e243.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:976'728 bytes
First seen:2020-10-18 10:54:55 UTC
Last seen:2020-10-18 12:14:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 30bcd8b78b734935c5e80cfbc7777835 (2 x NetWire, 2 x ModiLoader)
ssdeep 12288:Hx7VDvuMNzsF9H84exmnccguaBc+LfxKM0GVzYZoNNw2AYJpQL:HxRoFa4ex7cg/3rwFG6L
Threatray 246 similar samples on MalwareBazaar
TLSH 02258D36A3D24833D53316399D1B6779BD3ABE112A28B94A3BF41C4C5F39641383A397
Reporter abuse_ch
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
140
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/72647/
Detection(s):
PUA.Win.Trojan.Generic-6629274-0
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

PUA.Win.Adware.Qjwmonkey-6892535-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Connection attempt to an infection source
Unauthorized injection to a system process
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/494630
Signature
Allocates memory in foreign processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 299765 Sample: tvJv6SCHFr.exe Startdate: 18/10/2020 Architecture: WINDOWS Score: 100 37 agentpapple.ac.ug 2->37 39 taenaia.ac.ug 2->39 49 Malicious sample detected (through community Yara rule) 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 Yara detected Remcos RAT 2->53 55 3 other signatures 2->55 9 tvJv6SCHFr.exe 1 15 2->9         started        14 Ghszdrv.exe 13 2->14         started        16 Ghszdrv.exe 13 2->16         started        signatures3 process4 dnsIp5 45 cdn.discordapp.com 162.159.130.233, 443, 49743 CLOUDFLARENETUS United States 9->45 35 C:\Users\user\AppData\Local\...behaviorgraphhszdrv.exe, PE32 9->35 dropped 57 Writes to foreign memory regions 9->57 59 Allocates memory in foreign processes 9->59 61 Creates a thread in another existing process (thread injection) 9->61 18 ieinstal.exe 1 9->18         started        21 notepad.exe 4 9->21         started        47 162.159.135.233, 443, 49764, 49769 CLOUDFLARENETUS United States 14->47 63 Multi AV Scanner detection for dropped file 14->63 65 Injects a PE file into a foreign processes 14->65 23 ieinstal.exe 14->23         started        25 ieinstal.exe 16->25         started        file6 signatures7 process8 dnsIp9 41 agentpapple.ac.ug 18->41 43 taenaia.ac.ug 79.134.225.121, 49758, 49759, 49760 FINK-TELECOM-SERVICESCH Switzerland 18->43 27 cmd.exe 1 21->27         started        29 cmd.exe 1 21->29         started        process10 process11 31 conhost.exe 27->31         started        33 conhost.exe 29->33         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/07e5cda497f958cd565e20bf94c41bb5b5efe39425be7a17bfcc7f9cd977655d/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2020-10-18 10:56:09 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
31963673bc347fe4a6c795c90a0bcbddbf701158feab1b831bce2b082aeacf7f
ModiLoader
43f14fe4f9c4e617842b497b17c1e2884562466bb832d673d987760d1fc4b682
ModiLoader
46ff7f6619eda7e3b2c5b36a2d3f21b154749d31ae2695c4d23c992361ce1f58
ModiLoader
6e65a5004779b795ed2d4b95d428083f4cdecf2f0d7880c11080040ed2b250b9
ModiLoader
74b843d9cabf046a044581d20033d93eecf9d8ea590ce9557569e40d990e6241
ModiLoader
99af8a4532410841d87e0840619d50b8726e15ea0ab397fd1d8c6e32bb286486
ModiLoader
bf56d40820f28706fb10861096441d0ec597471ee24ac595707d314d431a6f75
ModiLoader
d7c62c1526c39e136b5c7a703c92ec5f8a67c987a7414e0cbb145172671a2293
ModiLoader
e4769506e482cbdbaeae35eb657e75cfb941ab66253770896493666b023851a5
ModiLoader
e8001e686b3c1972277296e3ed20992b8fd67e7c7f8dc16a827e09d3f22b02e0
ModiLoader
+ 236 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
persistence trojan family:modiloader
Link:
https://tria.ge/reports/201018-gt9rbrh1hn/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader First Stage
ModiLoader Second Stage
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
07e5cda497f958cd565e20bf94c41bb5b5efe39425be7a17bfcc7f9cd977655d
MD5 hash:
64e1ab7b5131170465267769ec54e243
SHA1 hash:
4a4dbe32c9d3e4dd251b7fdb8cbc98f26cc2493d
Link:
https://www.unpac.me/results/c5625a80-770c-415f-ae97-fb5e76f24aec/
SH256 hash:
197c4fd2875357024805d13b06f68d0895c9ca76ad08dfea28419ed6a2e6b34a
MD5 hash:
7e0e380137cf15350a36bebe9a5c5daf
SHA1 hash:
fb8f7f834078e9b647beedd47199a96d1df147df
Link:
https://www.unpac.me/results/c5625a80-770c-415f-ae97-fb5e76f24aec/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/07e5cda497f958cd565e20bf94c41bb5b5efe39425be7a17bfcc7f9cd977655d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ModiLoader

Executable exe 07e5cda497f958cd565e20bf94c41bb5b5efe39425be7a17bfcc7f9cd977655d

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/72647/
  
URLhaus
https://urlhaus.abuse.ch/url/686530/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/572760/
  
URLhaus
https://urlhaus.abuse.ch/url/447391/
  
URLhaus
https://urlhaus.abuse.ch/url/572754/

Comments