MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 248eabc9c97d8c4994c26c88cf1806ea9274eb187e3eb0bae7ae8035c7f3b189. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 248eabc9c97d8c4994c26c88cf1806ea9274eb187e3eb0bae7ae8035c7f3b189
SHA3-384 hash: ceec3af53ef41075a87f47d6ef71ddabb0b6cf3bddb4e210e6022ddd938681ed531e32193bb76a0495ec08a55062934d
SHA1 hash: e19e35a43087696fc4e7ac0dfeea4ea19fed8f28
MD5 hash: 54a4be7037ecdb031563998906a365cd
humanhash: river-michigan-hotel-virginia
File name:SecuriteInfo.com.Fareit-FZO54A4BE7037EC.20832
Download: download sample
Signature ModiLoader
Create hunting rule
File size:723'744 bytes
First seen:2021-01-02 11:03:17 UTC
Last seen:2021-01-02 11:45:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c4bd67a4e554600cec9d12ad3e8556de (1 x ModiLoader)
ssdeep 12288:9Esf2663Kqz+uv5+lBNErkAfhK6Pl7bDDnfvcfYM:KsO68So+svZb3YYM
TLSH 6CF4293675A284F2E022953DC90747B8889ABD31BE34DC8796E47D587EFF6412C1E983
Reporter SecuriteInfoCom

Intelligence

File Origin
# of uploads :
2
# of downloads :
335
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
877dc825c00e79e1150d80d8308b2839.exe
Verdict:
Malicious activity
Analysis date:
2021-01-02 08:19:57 UTC
Tags:
trojan stealer raccoon loader rat azorult remcos vidar
Link:
https://app.any.run/tasks/43d68916-bdde-497c-8094-6bf24e4db5d6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/110302/
Detection(s):
PUA.Win.Packer.ProtectSharewar-2
Create hunting rule

PUA.Win.Packer.ProtectSharewar-3
Create hunting rule

SecuriteInfo.com.Fareit-FZO54A4BE7037EC.20832.UNOFFICIAL
Create hunting rule

PUA.Win.Trojan.Generic-6629273-0
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Connection attempt to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/572930
Signature
Allocates memory in foreign processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 335527 Sample: SecuriteInfo.com.Fareit-FZO... Startdate: 02/01/2021 Architecture: WINDOWS Score: 100 33 agentpapple.ac.ug 2->33 35 taenaia.ac.ug 2->35 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 Yara detected Remcos RAT 2->45 47 3 other signatures 2->47 7 SecuriteInfo.com.Fareit-FZO54A4BE7037EC.exe 1 16 2->7         started        12 Wyprwekn.exe 14 2->12         started        14 Wyprwekn.exe 14 2->14         started        signatures3 process4 dnsIp5 37 cdn.discordapp.com 162.159.134.233, 443, 49724, 49743 CLOUDFLARENETUS United States 7->37 39 discord.com 162.159.135.232, 443, 49721, 49742 CLOUDFLARENETUS United States 7->39 25 C:\Users\user\AppData\Local\...\Wyprwekn.exe, PE32 7->25 dropped 49 Writes to foreign memory regions 7->49 51 Allocates memory in foreign processes 7->51 53 Creates a thread in another existing process (thread injection) 7->53 16 ieinstal.exe 1 7->16         started        19 WerFault.exe 20 9 7->19         started        55 Multi AV Scanner detection for dropped file 12->55 57 Injects a PE file into a foreign processes 12->57 21 ieinstal.exe 12->21         started        23 ieinstal.exe 14->23         started        file6 signatures7 process8 dnsIp9 27 agentpapple.ac.ug 16->27 29 taenaia.ac.ug 185.140.53.149, 49731, 49734, 49735 DAVID_CRAIGGG Sweden 16->29 31 192.168.2.1 unknown unknown 16->31
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/248eabc9c97d8c4994c26c88cf1806ea9274eb187e3eb0bae7ae8035c7f3b189/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-01-02 03:56:26 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  5/5
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader persistence trojan
Link:
https://tria.ge/reports/210102-bp3wegwhfj/
Behaviour
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Adds Run key to start application
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
248eabc9c97d8c4994c26c88cf1806ea9274eb187e3eb0bae7ae8035c7f3b189
MD5 hash:
54a4be7037ecdb031563998906a365cd
SHA1 hash:
e19e35a43087696fc4e7ac0dfeea4ea19fed8f28
Link:
https://www.unpac.me/results/58a98603-d438-4bc8-9cee-cd8ce8521be9/
SH256 hash:
54c7c494f5e78ddd69b7a2bfcfcca2af2f4458d56b06f224a61876602895d327
MD5 hash:
59ef35621ee4d26445110bda784c0366
SHA1 hash:
1780af5aa4494292ce003c3ec6c0f28e01c4e18c
Link:
https://www.unpac.me/results/58a98603-d438-4bc8-9cee-cd8ce8521be9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/248eabc9c97d8c4994c26c88cf1806ea9274eb187e3eb0bae7ae8035c7f3b189

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ModiLoader

Executable exe 248eabc9c97d8c4994c26c88cf1806ea9274eb187e3eb0bae7ae8035c7f3b189

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/947449/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/947450/
Cape
Cape
https://www.capesandbox.com/analysis/110302/

Comments