MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1dd8111ab9a5ff0da09762bb7f51bb0cd275ce9158bb195229bfff8af26f00c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1dd8111ab9a5ff0da09762bb7f51bb0cd275ce9158bb195229bfff8af26f00c4
SHA3-384 hash: 5d98b927b0b9b48d980fdeefb0baae041344a4ae465ab2b14c2bba354220a80bbd4b600a59eb476c2572136d6d105c9d
SHA1 hash: 6fe374576a681edb7b5fb68602de5ac798fe177d
MD5 hash: 138c3f2c52af790abe1dfdb9a739502e
humanhash: cardinal-lemon-friend-robert
File name:TTCOPY.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:659'786 bytes
First seen:2023-07-21 08:19:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fa8d20faea9ef7b4e2b7fbfe93442593 (17 x RedLineStealer, 4 x CoinMiner, 3 x AgentTesla)
ssdeep 12288:f3DkEGDINi1EwyG8rQ7cpo5eUFgmf9mX+9E0oyWEiLZMn/GLiK:/DkUNi1E9GWNq1Fgm8X+W0oyyodK
Threatray 85 similar samples on MalwareBazaar
TLSH T125E40121B7C48871D4B319340AF167316B7DB9301B768EDB97940A6D8F305D2BA34BA3
TrID 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 72ceaeaeb2968ea8 (5 x RemcosRAT, 4 x MassLogger, 3 x PureLogsStealer)
Reporter cocaman
Tags:exe HSBC ModiLoader payment


Avatar
cocaman
Malicious email (T1566.001)
From: "HSBC BANK<Raphael.Baer@hsbc.com>" (likely spoofed)
Received: "from hsbc.com (unknown [66.63.169.37]) "
Date: "21 Jul 2023 01:16:33 -0700"
Subject: "Payment Confirmation."
Attachment: "TTCOPY.exe"

Intelligence

File Origin
# of uploads :
1
# of downloads :
351
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TTCOPY.exe
Verdict:
No threats detected
Analysis date:
2023-07-21 08:21:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3dd7f804-60ec-4a5c-a106-c4016d36be55

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/427368/
Detection(s):
SecuriteInfo.com.Heur.20230720143030221349905.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Uztuby.4.19274.32072.UNOFFICIAL
Create hunting rule

Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/1dd8111ab9a5ff0da09762bb7f51bb0cd275ce9158bb195229bfff8af26f00c4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dbatloader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8537f449-f079-4744-b167-740e44e88cff
Result
Threat name:
DBatLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1277297
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected DBatLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1277297 Sample: TTCOPY.exe Startdate: 21/07/2023 Architecture: WINDOWS Score: 100 84 Found malware configuration 2->84 86 Multi AV Scanner detection for dropped file 2->86 88 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->88 90 3 other signatures 2->90 11 TTCOPY.exe 14 2->11         started        14 Qtwrtxnu.PIF 2->14         started        18 Qtwrtxnu.PIF 2->18         started        process3 dnsIp4 62 C:\Users\user\AppData\Local\...\TTCOPY.bat, PE32 11->62 dropped 20 TTCOPY.bat 1 7 11->20         started        72 web.fe.1drv.com 14->72 74 onedrive.live.com 14->74 80 2 other IPs or domains 14->80 110 Multi AV Scanner detection for dropped file 14->110 112 Machine Learning detection for dropped file 14->112 76 web.fe.1drv.com 18->76 78 onedrive.live.com 18->78 82 2 other IPs or domains 18->82 file5 signatures6 process7 dnsIp8 66 web.fe.1drv.com 20->66 68 onedrive.live.com 20->68 70 2 other IPs or domains 20->70 56 C:\Users\Public\Libraries\netutils.dll, PE32+ 20->56 dropped 58 C:\Users\Public\Libraries\easinvoker.exe, PE32+ 20->58 dropped 60 C:\Users\Public\Libraries\Qtwrtxnu.PIF, PE32 20->60 dropped 92 Multi AV Scanner detection for dropped file 20->92 94 Machine Learning detection for dropped file 20->94 96 Drops PE files with a suspicious file extension 20->96 25 cmd.exe 3 20->25         started        28 WMIADAP.exe 20->28         started        file9 signatures10 process11 signatures12 102 Uses ping.exe to sleep 25->102 104 Drops executables to the windows directory (C:\Windows) and starts them 25->104 106 Uses ping.exe to check the status of other devices and networks 25->106 30 easinvoker.exe 25->30         started        32 PING.EXE 1 25->32         started        35 xcopy.exe 2 25->35         started        38 6 other processes 25->38 process13 dnsIp14 40 cmd.exe 1 30->40         started        43 conhost.exe 30->43         started        64 127.0.0.1 unknown unknown 32->64 52 C:\Windows \System32\easinvoker.exe, PE32+ 35->52 dropped 54 C:\Windows \System32\netutils.dll, PE32+ 38->54 dropped file15 process16 signatures17 98 Suspicious powershell command line found 40->98 100 Adds a directory exclusion to Windows Defender 40->100 45 powershell.exe 23 40->45         started        48 conhost.exe 40->48         started        process18 signatures19 108 DLL side loading technique detected 45->108 50 conhost.exe 45->50         started        process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1dd8111ab9a5ff0da09762bb7f51bb0cd275ce9158bb195229bfff8af26f00c4/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2023-07-21 08:06:15 UTC
File Type:
PE (Exe)
Extracted files:
38
AV detection:
23 of 25 (92.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dxmbcgvzux7q3iexmk5x6un3btjhlturlc5rsurjx77yv4tpadca._file
Verdict:
malicious
Similar samples:
147e96218cfdee0a9cc29956ebeab5cb6bc3d59e0d33024ff85d2ce5c4c31452
ModiLoader
1b57f88dd88cf59b0f9aa09f1f4dd393c6b787f70afa9b6b111861d1a10af6a7
ModiLoader
2646dd01581c1813f0478a25051ca4edac5e5c4fedcbd1ac0b4ca758426ec52d
ModiLoader
427b5d1b32a8e17b94097a085094afcf86e857dcc8db0fd0b4bf7c50e6f3f349
ModiLoader
6da5530eff5617af7c73aa5c1211971702a8ba5dffb67d76aad7c889185b2f46
ModiLoader
71a7be17ce0aa73dc1b2a2e353bc5ac7bc8e401f74c2681b4348650caf13d82b
ModiLoader
b4c2ff718a6f5c872387c54960848ea4798b78ac9ea50928106cf66a4bdffeb1
ModiLoader
b8a047e3cd4389b70d5328f8828567ecfd7d308aaa8023f27d2eae441c8b2c05
ModiLoader
f94d205032deabb7dd7caac10dfeb48eff041d15d985aa58ab2b96c1789b8c6d
ModiLoader
+ 75 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader persistence trojan
Link:
https://tria.ge/reports/230721-j8egbscf76/
Behaviour
Enumerates system info in registry
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
ModiLoader Second Stage
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
df4a34af88f0978bcf5b7d27651ef854ba233627226080982b17d20696c4fcaa
MD5 hash:
49da3951d2b068f876ee447358a13d1e
SHA1 hash:
a5b26130c0988006b072ca6f109bbe9e7d892828
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/f93374d5-45bb-4d71-ba04-71aa871b7c1d/
SH256 hash:
37cf6c9b34752dbe6a758f876ad58d196993df6a98cf7a873e484897280700f6
MD5 hash:
3889cdfac954d07278eae955d5e13b27
SHA1 hash:
33a2bdea8e076738d219541736615a2a2177c922
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/f93374d5-45bb-4d71-ba04-71aa871b7c1d/
Parent samples :
009bdad48405a11c887a397ea42fc93fc730ec39e63e5c61f3f8df31ff34c1f1
b77daf934032129b309e2cb8b32fb54cffba2691768520d5c6190cb9ba15a059
1dd8111ab9a5ff0da09762bb7f51bb0cd275ce9158bb195229bfff8af26f00c4
SH256 hash:
1dd8111ab9a5ff0da09762bb7f51bb0cd275ce9158bb195229bfff8af26f00c4
MD5 hash:
138c3f2c52af790abe1dfdb9a739502e
SHA1 hash:
6fe374576a681edb7b5fb68602de5ac798fe177d
Link:
https://www.unpac.me/results/f93374d5-45bb-4d71-ba04-71aa871b7c1d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1dd8111ab9a5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1dd8111ab9a5ff0da09762bb7f51bb0cd275ce9158bb195229bfff8af26f00c4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CMD_Ping_Localhost
Create hunting rule
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

Executable exe 1dd8111ab9a5ff0da09762bb7f51bb0cd275ce9158bb195229bfff8af26f00c4

(this sample)

  
Delivery method
Distributed via e-mail attachment
  
Dropping
ModiLoader
Cape
Cape
https://www.capesandbox.com/analysis/427368/

Comments