MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 119bb4f428f6056330cf8a0087b1a52277dbceca3cd81f1d5934c4f4a398c664. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 17


Intelligence 17 IOCs YARA 18 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 119bb4f428f6056330cf8a0087b1a52277dbceca3cd81f1d5934c4f4a398c664
SHA3-384 hash: 7b808600f1971d4d7d2c22c2a8a9c2c4ae5ac395d9737822df55e18a0febfb1cda487c2e92c72d7b8f5ffc36cfbec11c
SHA1 hash: 2629391b45ae9cb08c5df8dd53bdc7c7f222c171
MD5 hash: c57b287858b87f3528e1366bcb4359e8
humanhash: king-shade-foxtrot-shade
File name:c57b287858b87f3528e1366bcb4359e8
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'302'528 bytes
First seen:2024-06-11 19:27:45 UTC
Last seen:2024-06-11 20:32:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash bffdd5eb5270a25052374a6308c08a15 (1 x ModiLoader)
ssdeep 24576:erGbRrkUYzzxxNv4zomYUm2MA5H8g24ZrH:eKKwomY2MA9m2H
Threatray 115 similar samples on MalwareBazaar
TLSH T19255BF22E2A55472D01219799E7B7FBD6B29EE20EC193857BEE03E0D8F7964038341DD
TrID 54.3% (.EXE) InstallShield setup (43053/19/16)
16.5% (.SCR) Windows screen saver (13097/50/3)
13.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.EXE) Win32 Executable (generic) (4504/4/1)
2.6% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 74f48c88888e88b4 (1 x SnakeKeylogger, 1 x ModiLoader)
Reporter zbetcheckin
Tags:32 exe ModiLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
351
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
119bb4f428f6056330cf8a0087b1a52277dbceca3cd81f1d5934c4f4a398c664.exe
Verdict:
Malicious activity
Analysis date:
2024-06-11 20:31:45 UTC
Tags:
fileshare rat remcos keylogger
Link:
https://app.any.run/tasks/e1ac6075-f492-4978-8eb1-bb33d4e48d91

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.4296.24358.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6668a8c6a439c6d6b08783b8win7simulatehigh_evasion
Tags:
Static Nekark
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Creating a file
Creating a process from a recently created file
Launching a process
Creating a file in the %temp% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
borland_delphi fingerprint keylogger
Link:
https://www.filescan.io/uploads/6668a55d49a1c830626696b7/reports/de634421-051b-48a7-a0cf-f873da76f9ec/overview
Verdict:
Malicious
Labled as:
Win32_TrojanDownloader_ModiLoader_ADD
Link:
https://www.hybrid-analysis.com/sample/119bb4f428f6056330cf8a0087b1a52277dbceca3cd81f1d5934c4f4a398c664
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Starter
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c9d4e48b-eefa-4756-918d-b7ecfdf60ea3
Result
Threat name:
Remcos, DBatLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1455569
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to detect sleep reduction / modifications
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Remcos
Sigma detected: Suspicious Creation with Colorcpl
Sigma detected: TrustedPath UAC Bypass Pattern
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1455569 Sample: jUcEPYMYZx.exe Startdate: 11/06/2024 Architecture: WINDOWS Score: 100 62 sembe.duckdns.org 2->62 64 onedrive.live.com 2->64 66 5 other IPs or domains 2->66 74 Found malware configuration 2->74 76 Malicious sample detected (through community Yara rule) 2->76 78 Multi AV Scanner detection for dropped file 2->78 82 15 other signatures 2->82 10 jUcEPYMYZx.exe 1 5 2->10         started        15 Uvewfldq.PIF 2->15         started        17 Uvewfldq.PIF 2->17         started        signatures3 80 Uses dynamic DNS services 62->80 process4 dnsIp5 70 dual-spov-0006.spov-msedge.net 13.107.137.11, 443, 49732, 49733 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 10->70 54 C:\Windows \System32\netutils.dll, PE32+ 10->54 dropped 56 C:\Windows \System32\cmd.pif, PE32+ 10->56 dropped 58 C:\Users\Public\Uvewfldq.url, MS 10->58 dropped 60 C:\Users\Public\Libraries\Uvewfldq, data 10->60 dropped 104 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 10->104 106 Drops PE files with a suspicious file extension 10->106 108 Writes to foreign memory regions 10->108 116 3 other signatures 10->116 19 colorcpl.exe 5 3 10->19         started        24 cmd.exe 1 10->24         started        26 extrac32.exe 1 10->26         started        32 2 other processes 10->32 110 Multi AV Scanner detection for dropped file 15->110 112 Allocates memory in foreign processes 15->112 114 Creates a thread in another existing process (thread injection) 15->114 28 SndVol.exe 15->28         started        30 colorcpl.exe 17->30         started        file6 signatures7 process8 dnsIp9 68 sembe.duckdns.org 194.187.251.115, 14645, 49735, 49736 M247GB United Kingdom 19->68 50 C:\Users\user\AppData\Local\Temp\...\nots.dat, data 19->50 dropped 84 Contains functionality to bypass UAC (CMSTPLUA) 19->84 86 Detected Remcos RAT 19->86 88 Contains functionalty to change the wallpaper 19->88 90 Contains functionality to register a low level keyboard hook 19->90 92 Drops executables to the windows directory (C:\Windows) and starts them 24->92 34 cmd.pif 24->34         started        37 conhost.exe 24->37         started        52 C:\Users\Public\Libraries\Uvewfldq.PIF, PE32 26->52 dropped 94 Drops PE files with a suspicious file extension 26->94 96 Contains functionality to steal Chrome passwords or cookies 28->96 98 Contains functionality to steal Firefox passwords or cookies 28->98 100 Delayed program exit found 28->100 39 conhost.exe 32->39         started        41 conhost.exe 32->41         started        file10 signatures11 process12 signatures13 72 Adds a directory exclusion to Windows Defender 34->72 43 powershell.exe 23 34->43         started        process14 signatures15 102 Loading BitLocker PowerShell Module 43->102 46 conhost.exe 43->46         started        48 WmiPrvSE.exe 43->48         started        process16
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/119bb4f428f6056330cf8a0087b1a52277dbceca3cd81f1d5934c4f4a398c664
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/119bb4f428f6056330cf8a0087b1a52277dbceca3cd81f1d5934c4f4a398c664/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2024-06-10 15:42:23 UTC
File Type:
PE (Exe)
Extracted files:
65
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cgn3j5bi6ycwgmgpriaipmnfej35xtwkhtmb6hkzgtcpji4yyzsa._file
Verdict:
malicious
Similar samples:
119bb4f428f6056330cf8a0087b1a52277dbceca3cd81f1d5934c4f4a398c664
ModiLoader
2f2c9f0c66724ad46dc0b415631f826c85c8184ca281f3432a307f83097d3884
ModiLoader
93b2af1c877bb2c7acd39d3ff5f770bea880bf66477e4e9b0a1d21d1d213cb7c
ModiLoader
b71f049c988b45ad09977a6e2b86ddf4e33e708244df8eb5fb31f44cf51c5b17
ModiLoader
d4b6ece4be9af66fcb3414c071c1f5f87b84e74a1374f9ecda303799cb3be4f2
ModiLoader
e8414dd64dbd95608d21a7b6171b875454f19a7f317f9cf6690448628fdfcf24
ModiLoader
+ 105 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader trojan
Link:
https://tria.ge/reports/240611-x6pfeaydnj/
Behaviour
Script User-Agent
ModiLoader Second Stage
ModiLoader, DBatLoader
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/86bf0a47-dad1-4218-81bd-56b52870ff4b
Unpacked files
SH256 hash:
3c1df672f4e9399171ca2aa6ec1bea39d4d92fad8e72831366a222cde00ab4b9
MD5 hash:
630460ea8f8246577d6f9c8917163bcf
SHA1 hash:
cac2e34ac87f9286a8fbc51f9c3bc89dc72646f8
Link:
https://www.unpac.me/results/fa2c41a1-a85f-485d-9e21-ba0a992de1e2/
SH256 hash:
119bb4f428f6056330cf8a0087b1a52277dbceca3cd81f1d5934c4f4a398c664
MD5 hash:
c57b287858b87f3528e1366bcb4359e8
SHA1 hash:
2629391b45ae9cb08c5df8dd53bdc7c7f222c171
Link:
https://www.unpac.me/results/fa2c41a1-a85f-485d-9e21-ba0a992de1e2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/119bb4f428f6056330cf8a0087b1a52277dbceca3cd81f1d5934c4f4a398c664

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:without_attachments
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the no presence of any attachment
Reference:http://laboratorio.blogs.hispasec.com/
Rule name:with_urls
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the presence of an or several urls
Reference:http://laboratorio.blogs.hispasec.com/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ModiLoader

Executable exe 119bb4f428f6056330cf8a0087b1a52277dbceca3cd81f1d5934c4f4a398c664

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2883817/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
MULTIMEDIA_APICan Play Multimediawinmm.dll::PlaySoundA
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryExA
kernel32.dll::LoadLibraryA
kernel32.dll::GetStartupInfoA
kernel32.dll::GetDiskFreeSpaceA
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::FindFirstFileA
version.dll::GetFileVersionInfoSizeA
version.dll::GetFileVersionInfoA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::EmptyClipboard
user32.dll::FindWindowA
user32.dll::OpenClipboard
user32.dll::PeekMessageA

Comments


Avatar
zbet commented on 2024-06-11 19:27:46 UTC

url : hxxp://216.9.224.18/9045/flowersaregoodforimagescreate.bmp