MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 105ffb0a1b83441a798498a4b1a535fce7f496304b39bd555f18df3678f19c13. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 105ffb0a1b83441a798498a4b1a535fce7f496304b39bd555f18df3678f19c13
SHA3-384 hash: 293c0bc0904595856343f68fdf2b5e3c82c68f180ae38cfb0b1b2896e32df1e59bd8f3b2342e49889e2af80dd7c2c543
SHA1 hash: 319b8f5b0425db1c5a59c779a37de9521f725f54
MD5 hash: da0d4bb83ab51ead24a55d299d083fc4
humanhash: leopard-burger-dakota-oscar
File name:SecuriteInfo.com.Win32.Trojan-gen.10971.6318
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'014'784 bytes
First seen:2022-12-09 20:29:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1c486cb43059e938238ade9f2b3611a7 (1 x ModiLoader)
ssdeep 24576:TWzVzyNHtl755lAhDmcjmNhMhtrjxLF7ZG/ronB:TWiAdjyh+1lLFMMnB
TLSH T1ED25B022AA61847FC47219748C7BA2EC9825BD207D25F8B37DD43F4DAF39651342B293
TrID 26.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
24.5% (.SCR) Windows screen saver (13097/50/3)
19.7% (.EXE) Win64 Executable (generic) (10523/12/4)
8.4% (.EXE) Win32 Executable (generic) (4505/5/1)
5.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon b0473a2c2c3a47b0 (4 x ModiLoader)
Reporter SecuriteInfoCom
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
220
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/344830/
Detection(s):
SecuriteInfo.com.Win32.Trojan-gen.10971.6318.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware keylogger packed shell32.dll
Link:
https://www.filescan.io/uploads/63939acd485d8463dc410b95/reports/54f20d3d-62be-453e-b0d8-93c653eb82e7/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/832154fc-c97a-40df-8ddc-cc963662fbb4
Result
Threat name:
DBatLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1131706
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 764430 Sample: SecuriteInfo.com.Win32.Troj... Startdate: 09/12/2022 Architecture: WINDOWS Score: 100 81 Malicious sample detected (through community Yara rule) 2->81 83 Multi AV Scanner detection for dropped file 2->83 85 Multi AV Scanner detection for submitted file 2->85 87 4 other signatures 2->87 10 SecuriteInfo.com.Win32.Trojan-gen.10971.6318.exe 1 23 2->10         started        15 Besqiaez.exe 2->15         started        process3 dnsIp4 65 l-0004.l-dc-msedge.net 13.107.43.13, 443, 49714 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 10->65 67 onedrive.live.com 10->67 69 2 other IPs or domains 10->69 49 C:\Users\Public\Libraries\netutils.dll, PE32+ 10->49 dropped 51 C:\Users\Public\Libraries\Besqiaez.exe, PE32 10->51 dropped 53 C:\Users\...\Besqiaez.exe:Zone.Identifier, ASCII 10->53 dropped 55 C:\Users\Public\Libraries\easinvoker.exe, PE32+ 10->55 dropped 95 Writes to foreign memory regions 10->95 97 Allocates memory in foreign processes 10->97 99 Creates a thread in another existing process (thread injection) 10->99 17 cmd.exe 3 10->17         started        20 wscript.exe 10->20         started        101 Injects a PE file into a foreign processes 15->101 22 wscript.exe 2 16 15->22         started        file5 signatures6 process7 dnsIp8 73 Uses ping.exe to sleep 17->73 75 Drops executables to the windows directory (C:\Windows) and starts them 17->75 77 Uses ping.exe to check the status of other devices and networks 17->77 25 easinvoker.exe 17->25         started        27 PING.EXE 1 17->27         started        30 xcopy.exe 2 17->30         started        35 6 other processes 17->35 61 pedro2021w.ddns.net 154.12.250.38, 2404, 49718 COGENT-174US United States 22->61 63 geoplugin.net 178.237.33.50, 49719, 80 ATOM86-ASATOM86NL Netherlands 22->63 79 System process connects to network (likely due to code injection or exploit) 22->79 33 WerFault.exe 22->33         started        signatures9 process10 dnsIp11 37 cmd.exe 1 25->37         started        40 WerFault.exe 25->40         started        71 127.0.0.1 unknown unknown 27->71 57 C:\Windows \System32\easinvoker.exe, PE32+ 30->57 dropped 59 C:\Windows \System32\netutils.dll, PE32+ 35->59 dropped file12 process13 signatures14 89 Suspicious powershell command line found 37->89 91 Adds a directory exclusion to Windows Defender 37->91 42 powershell.exe 23 37->42         started        45 conhost.exe 37->45         started        process15 signatures16 93 DLL side loading technique detected 42->93 47 conhost.exe 42->47         started        process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/105ffb0a1b83441a798498a4b1a535fce7f496304b39bd555f18df3678f19c13/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-12-09 20:30:10 UTC
File Type:
PE (Exe)
Extracted files:
62
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cbp7wcq3qncbu6metcsldjjv7tt7jfrqjm432vk7ddptm6hrtqjq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:remotehost persistence rat trojan
Link:
https://tria.ge/reports/221209-y95r8sec28/
Behaviour
Enumerates system info in registry
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
pedro2021w.ddns.net:2404
pedro2021w1.ddns.net:2404
pedro2021w2.ddns.net:2404
newspk.ddns.net:2404
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/420acbbb-58a7-4fd4-a5ca-aa67218c2f0e
Unpacked files
SH256 hash:
5c90e87df09275cfcb46e0452d77e149f3fbc59d55bda76e62e6fa11ae1de693
MD5 hash:
ee94f46ed9b387ad243c36c1cb062686
SHA1 hash:
6e0c4dc795dec2dce9454fbb246afabffd2039fc
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/0321db50-f01f-4290-9efc-7a7c405e9132/
Parent samples :
4ef967caea627a1b9cd7f74d31584b69d76f8c532cee528e8815c4f70ae24aa7
dc35d3d87c8f062b000472a46ec166c5bf8f399f95c02717eab4ce542043afd7
bb01ebad742a61a5aee09777d88a01e627d29171513c335f52c57c41c7e41ef4
0dec26f0ed31eafa41f5141a4342f84f5245ba6d097904ed1fdb11a6df1ce606
c2c6eec67a1561c3a49179ddf756480876d92588c2e83d64246a04c3d724cb3d
f53107b892a50e33ff130e01cf391a2b69524dbe09b75cc13192365bbd6eda11
9c9b7deb6e3b6b7154fb858a101eb57d65b57e364840213823ce5c8e0be1653e
109ab3837f865b4ba288ca4a1fa4e8d416c04b3686376c55128553d4a4db55b5
1fdbc93a0a891ff9ca424bb90bd696140b5918583ad6e0f2fcce012640cde8dd
230b07866371131de12907f26f06a9cfa27762c499f93cae840c198ea9e46846
494e56903190304bab1c27786bd1f60aeaede9b478b2bca17474602414b82688
db399100d63fa87dbc5d6596d2c44749c0cee86ea45d7e81206277c9cdacb9f1
16ba74e590acbf2a285ae1e15864ef7cdeff576542f0f430ab83481ea52b729a
ffa9f3d0e3d4d29b10cba30fe3394d538b8c415e9c29cf36a56990e9204ec7bf
0305b3a95aff122c888a200de747a565208ea19494c8257b0c972084141f42c4
c84d9cb4b4e037cbaf9632d4cdd0f493d2c5e0b5f6308fe97f84f04b501155c8
a9da7b242be8ba00f35c48183b953f5e792c948a57ed1043f6759a5b61f19d70
e7298f63b0ee46b470e6c7323087e2af9fe4802ed93674d1408f10d03989a7f6
e6303d0730eaecd16e8a3becf77fce3d5da13155d2e27e102ecc2b700ad42814
105ffb0a1b83441a798498a4b1a535fce7f496304b39bd555f18df3678f19c13
ca13eac154ad479e2234deac0f07989db25e4d50c47cdc7f4f31dd7ab71dc087
03daa8dcea75f814b344785dc1f52222cd4461bccc17a35f032efe81e47d18be
6246a9212db799df597fe34bcbeeeb08dad116b7cf3cd4c8037d42d1d0b4256a
aaa28e71ec8aad860fdc9f517c151b85be433e142160341f2aa399d9c60d11cf
f974cf4bda9a65b7a2573726e3808c696f6a5e54b89f08807764d9ab2a06a5c1
b8002e076820615fe2b14369e7d258ff2984cd832a38de4f1450b84813b283c5
de8c5c01bab7e747f3cd3f276d7cf3c839600131987cbcfcd5314f9af6d64b05
7cec52ddbd0c2037de1b4ad9eedcbedbfc005cb558c7f326dcf66c800e7875f1
91dd17921c69af057a78759611885bb04ebc68a9ec38ca08067c496f9e76a241
b0d85d76e52034986c3d4e165a745c04b3af21d1c5692719d1b66bceafc76423
af5ecbd67c2195a72178b6b0a886715d4b28fd064717dd3193a477563c5be6b6
7a91675248e7d9891570e731b1dce694054d9db90f14bb4a74d5a9fd571af758
878257b5d411ceedf80fcab13183bd22ea6183a86c8d5a99a7ff08dd01567fc0
c4cd277e81aec420cdf23a0d5ebff50b0d64dd9c6b3b1942567c263032f64deb
SH256 hash:
abe13dd35e412163dad19c66018f8c0b99f3efce5317cbf1516ed3a43e7e3f3c
MD5 hash:
4ea41bfddfc456c1b78a5061c0da468f
SHA1 hash:
084cf61feaaa1150264764225ef3e111760b5a8e
Link:
https://www.unpac.me/results/0321db50-f01f-4290-9efc-7a7c405e9132/
SH256 hash:
105ffb0a1b83441a798498a4b1a535fce7f496304b39bd555f18df3678f19c13
MD5 hash:
da0d4bb83ab51ead24a55d299d083fc4
SHA1 hash:
319b8f5b0425db1c5a59c779a37de9521f725f54
Link:
https://www.unpac.me/results/0321db50-f01f-4290-9efc-7a7c405e9132/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/105ffb0a1b83/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/105ffb0a1b83441a798498a4b1a535fce7f496304b39bd555f18df3678f19c13

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/344830/

Comments