MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16d05adbac66cd8607035590bf1efceeaa59aa2e1867f79737f0b6795da7dbd1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 16d05adbac66cd8607035590bf1efceeaa59aa2e1867f79737f0b6795da7dbd1
SHA3-384 hash: a27fe8dbd917fe39d3ce0c733e5a6c63e5b537899e9159863406faeb96508260a09864cf4a342e0790bca7f93a6af2e9
SHA1 hash: 30e1da7f90d161a989db53f1475371e609992922
MD5 hash: 47bec7e4e109a7d8a2786baae0856fce
humanhash: single-king-item-wisconsin
File name:belgelervk.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:965'120 bytes
First seen:2020-10-19 10:03:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 319a8e5d178320ae582e370f06f62e46 (7 x ModiLoader, 4 x RemcosRAT)
ssdeep 12288:lY2jsH0s30vuwlPMSGUzoPLLJ3SSsD8O1sZNn5IswLOQ:lzjm02wKazmLF6sP1A
Threatray 1'112 similar samples on MalwareBazaar
TLSH AE257E33B2925833D47329789D5B67A8BD3ABE002928B5463BF91C4C5F396413C7E297
Reporter abuse_ch
Tags:exe geo ModiLoader Rackspace TUR


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: smtp65.iad3a.emailsrvr.com
Sending IP: 173.203.187.65
From: Buse HATIPOGLU / RAPUNZEL <buse.silay@rapunzel.com.tr>
Subject: Teklif Talebi
Attachment: belgelervk.zip (contains "belgelervk.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/72855/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Setting a global event handler for the keyboard
Sending a TCP request to an infection source
Unauthorized injection to a system process
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/495190
Signature
Allocates memory in foreign processes
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Fodhelper UAC Bypass
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 300051 Sample: belgelervk.exe Startdate: 19/10/2020 Architecture: WINDOWS Score: 100 49 Malicious sample detected (through community Yara rule) 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 Detected Remcos RAT 2->53 55 6 other signatures 2->55 8 belgelervk.exe 1 15 2->8         started        13 Zdzsdrv.exe 13 2->13         started        15 Zdzsdrv.exe 13 2->15         started        process3 dnsIp4 43 cdn.discordapp.com 162.159.129.233, 443, 49729, 49760 CLOUDFLARENETUS United States 8->43 39 C:\Users\user\AppData\Local\...\Zdzsdrv.exe, PE32 8->39 dropped 57 Writes to foreign memory regions 8->57 59 Allocates memory in foreign processes 8->59 61 Creates a thread in another existing process (thread injection) 8->61 17 notepad.exe 4 8->17         started        20 ieinstal.exe 2 3 8->20         started        63 Multi AV Scanner detection for dropped file 13->63 65 Injects a PE file into a foreign processes 13->65 23 ieinstal.exe 13->23         started        45 162.159.130.233, 443, 49762 CLOUDFLARENETUS United States 15->45 47 192.168.2.1 unknown unknown 15->47 25 ieinstal.exe 15->25         started        file5 signatures6 process7 dnsIp8 37 C:\Users\Public37atso.bat, ASCII 17->37 dropped 27 cmd.exe 1 17->27         started        29 cmd.exe 1 17->29         started        41 style.ptbagasps.co.id 193.218.118.190, 42020, 49756 EPINATURAUA Ukraine 20->41 file9 process10 process11 31 conhost.exe 27->31         started        33 reg.exe 1 1 27->33         started        35 conhost.exe 29->35         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/16d05adbac66cd8607035590bf1efceeaa59aa2e1867f79737f0b6795da7dbd1/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-10-19 06:04:51 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=c3ifvw5mm3gymbydkwil6hx452vftkrodbt7pfzx6c3hsxnh3piq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
53136d19559089e0674af4ad81621b99a031741edcc486eb3d402fd180b1b77e
ModiLoader
7a7eae36a54dada555db57bd8f24e4a38a9b0f0432e13d19b16b538deb5e4142
ModiLoader
7f53893a9ce40e497ef34ecfc9c4f493b9d5dd7f989b60ffa248cbf289a1505a
ModiLoader
a1c561c21720c4f1c3626276db6afc2c12b1aae9304c78518763eb78454f84b8
ModiLoader
c2109f44d6d608cb821ea28489e75dbf7c7c18731918f8171bab7445db6e8599
ModiLoader
c86bcfe4e22cb50054b44e38fc4fb79624c4ed5bf9a26174754dbb5c1a6baff8
ModiLoader
d7c62c1526c39e136b5c7a703c92ec5f8a67c987a7414e0cbb145172671a2293
ModiLoader
daca967edea399a394a8fc24d5ee647d95dc6dadd9dd21e2945ae7a742b3aed8
ModiLoader
dc1c1c501965a46f02d345785cd1ec1f9bdb74f2defe3402c9e2b4a6f0959b8a
ModiLoader
deeeb57609c406b43e7e77a38726a357ab063d110c06e4f1c56eb491c20659ce
ModiLoader
+ 1'102 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
persistence trojan family:modiloader
Link:
https://tria.ge/reports/201019-zakj63c8dj/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader First Stage
ModiLoader Second Stage
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
16d05adbac66cd8607035590bf1efceeaa59aa2e1867f79737f0b6795da7dbd1
MD5 hash:
47bec7e4e109a7d8a2786baae0856fce
SHA1 hash:
30e1da7f90d161a989db53f1475371e609992922
Link:
https://www.unpac.me/results/663fd03d-fa68-479f-8140-41d0b19ed426/
SH256 hash:
197c4fd2875357024805d13b06f68d0895c9ca76ad08dfea28419ed6a2e6b34a
MD5 hash:
7e0e380137cf15350a36bebe9a5c5daf
SHA1 hash:
fb8f7f834078e9b647beedd47199a96d1df147df
Link:
https://www.unpac.me/results/663fd03d-fa68-479f-8140-41d0b19ed426/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/16d05adbac66cd8607035590bf1efceeaa59aa2e1867f79737f0b6795da7dbd1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

zip 9e3711cb6889b4149c3d773c5e2d416a1fbb32b6c6663418a51ee6dda16f98a5

ModiLoader

Executable exe 16d05adbac66cd8607035590bf1efceeaa59aa2e1867f79737f0b6795da7dbd1

(this sample)

  
Dropped by
MD5 92604721e2b21250b8a600c2dd93e412
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/72855/
  
Dropped by
SHA256 9e3711cb6889b4149c3d773c5e2d416a1fbb32b6c6663418a51ee6dda16f98a5

Comments