MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f5d2ca933f5c7cea6f55f14ebfd7d9f703ef2d9ba54ed8212aeda2d893c875b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ModiLoader

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	3f5d2ca933f5c7cea6f55f14ebfd7d9f703ef2d9ba54ed8212aeda2d893c875b
SHA3-384 hash:	fbef058aed7020fb9d1e3dc34e9967e7a2af935b48225926caec9cfba8c98ba4255fc40d6839b0adacc00fe01f2f7cb5
SHA1 hash:	290c3bb14c83507268547c607f08baf11ee913d9
MD5 hash:	1e0cc4ab5afb5fa2bd3c41b068ceeec5
humanhash:	cola-vermont-two-carpet
File name:	3f5d2ca933f5c7cea6f55f14ebfd7d9f703ef2d9ba54ed8212aeda2d893c875b
Download:	download sample
Signature	ModiLoader Create hunting rule
File size:	993'792 bytes
First seen:	2022-11-08 15:01:38 UTC
Last seen:	2022-11-08 16:45:48 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	a21e186991216955843005edba75cb2a (1 x ModiLoader)
ssdeep	24576:XTx4vLEbKn9cOUC9AeHauw9zZWcWIuBwfIgh:XTlq9F2e0NX7X
Threatray	213 similar samples on MalwareBazaar
TLSH	T13C257D32F2910C33E1531E35B93BF7E9582ABE207A24A5452AEC7D5C7E77541E827283
TrID	26.5% (.EXE) Win32 Executable Delphi generic (14182/79/4) 24.5% (.SCR) Windows screen saver (13097/50/3) 19.7% (.EXE) Win64 Executable (generic) (10523/12/4) 8.4% (.EXE) Win32 Executable (generic) (4505/5/1) 5.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):
dhash icon	2968866969b2694d (1 x ModiLoader)
Reporter	adrian__luca
Tags:	exe ModiLoader

Intelligence

File Origin

# of uploads :

# of downloads :

164

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

3f5d2ca933f5c7cea6f55f14ebfd7d9f703ef2d9ba54ed8212aeda2d893c875b

Verdict:

Malicious activity

Analysis date:

2022-11-08 15:01:12 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/2b8b4c38-48cf-423b-af69-47f0fa6096db

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/330617/

Detection(s):

Sanesecurity.Rogue.0hr.20221028-2041.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Searching for synchronization primitives

Sending a custom TCP request

DNS request

Connecting to a non-recommended domain

Creating a file

Launching a process

Creating a process with a hidden window

Searching for the window

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

keylogger packed remcos

Link:

https://www.filescan.io/uploads/636a6f6b38db7c2a0385f248/reports/bf3d1a26-23cb-4716-aa84-a3fe55256340/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/75d870bc-4aca-4f15-9c0b-8ce88174541d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3f5d2ca933f5c7cea6f55f14ebfd7d9f703ef2d9ba54ed8212aeda2d893c875b/

Threat name:

Win32.Backdoor.Remcos

Status:

Malicious

First seen:

2022-10-28 20:56:49 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=h5oszkjt6xd45jxvl4kox7l5t5yd54wzxjko3aqsv3nc3cj4q5nq._file

Verdict:

malicious

ModiLoader

91dfad54225bba811d942c058df7c85785f22330dcbc96ae62bf2f19eb17b65f

ModiLoader

a35981f164ad40d52d9c1f665d0cd9506abcefec984fd00ec21a7a83aeb25024

ModiLoader

cafb7d353313362efa3d09e9a4345c681bba522185870ceb930216d54ffe00c8

ModiLoader

de8962c07eba5fdd819df024cf7a88ccbec0084913e782182dc0392338f0243e

ModiLoader

+ 203 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:modiloader family:remcos botnet:remotehost persistence rat trojan

Link:

https://tria.ge/reports/221108-seflzaegbl/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

Adds Run key to start application

Blocklisted process makes network request

ModiLoader Second Stage

ModiLoader, DBatLoader

Remcos

Malware Config

C2 Extraction:

uyoman.duckdns.org:2404

Unpacked files

SH256 hash:

3f17ebba5a2529b8794c6e86f2b124eacc332692ccdb8acfc6ebf8829c5889e7

MD5 hash:

990016aba0656d25f84a329e5a48c50b

SHA1 hash:

f13ea53aaa58d65bd696da99836dd5473f290536

Detections:

win_dbatloader_g1

Link:

https://www.unpac.me/results/ef069e59-df66-4ba5-92d9-0d2d37277fcd/

Parent samples :

de8962c07eba5fdd819df024cf7a88ccbec0084913e782182dc0392338f0243e
a35981f164ad40d52d9c1f665d0cd9506abcefec984fd00ec21a7a83aeb25024
483919bfc0da6d92481d70ca620e1ee0aebb3d81931d88a894ac32328e8808e8
cafb7d353313362efa3d09e9a4345c681bba522185870ceb930216d54ffe00c8
25d182f0fae63df346da5dd500309607c39325a90aca36121e9d928e4c445b76
3a61c9b0b4096cef95698ca41594941955d36e857c7b42f8d84962272f850115
4cf4313d499e9400a60a0961344e6df29acc85e6d62e18c118bef1493f801e53
f36b68e818ef0e90919221028f143fe314f463f418f550c707e1ca5fc632ad9c
f90adf7f130b1deacd0b940e101f471efeb9c670e848cd2a7e77152db0455298
580f58b0bcc5fdd1b9e1237ec9d6a58b3de0f532d92b0ef49314bcc05442272a
0d5a138754a0bcb2bf5557f158c342e8f7e32a509a3d93775e5aeb59d5d4e0d0
6d22199bcb9c6a15a14e129c4c30ad4aa19148a9b1aac32531d1dfa19a40f671
2bfbbbf3105253503802f18a048d3b36954efeb97ecb9ab9556dffa98bfb832a
e9ca640bda7dd97f7d0c9d1b810a7704144cfba14ec0271ead9e8dd6636c89d0
3f2a62eed0aff1007bac6177aed82a1722bb6b63b1d49fa87153199cd8e8d5f1
b5b7bca8e148356c32d008301fc0209f003ac123c0d752e685f87a66e81ac64b
b812dd30a73b638b960af5ef21e2e3dcf807728b381a8f71553e0a32d2307b92
da7ce792ea58fe4b0920be78435d44fef2ef1025cfac8abb0b43a9878d26c6c3
97672b7a0e6ab5bdc206aecdc117fd9ec7529db666f9c30764fa0d4e31fa48bb
3f5d2ca933f5c7cea6f55f14ebfd7d9f703ef2d9ba54ed8212aeda2d893c875b
e56fd483ef8e5da7ce843288c45d4af517bf868c18ddeba08da40814b8b0a60e
754025dc4effece12c7c7b3041d2f22050b442251ef1f25dc425f685a277e0e6
1d160af25e96ec1d33d50216a3eafdc16a1df90a6c62929e25f626dae138015b
f6ddc63173d134db79db880c7f5b338987f31ddd36cfcb27cf15e3bb08a507bb
6ffcc5061fbafa5eeee756b0292d6ec83109623b786b8e2f5ca5ecbd92a816c0
63419dd22896ba6ddb1710fd35ae0b64506c8a80c62b59ba33979d375737c2ca
22655d19fee46d3578c4425d75f5633cb06b353b7383a300962d46289b6ba24d
7a9c39d98ace102b6fa94aafaa6bd652b17b247da09bee12e84fca6302b08e19
bec4ef3573fb041d4a688c353f4682186f2bfe3918e9add4b9c5ceda5ec2627c
0aa8a9d5f174dc2d70924c909f6f1f1336152de536a729931a1acfa2500fb2f5

SH256 hash:

3f5d2ca933f5c7cea6f55f14ebfd7d9f703ef2d9ba54ed8212aeda2d893c875b

MD5 hash:

1e0cc4ab5afb5fa2bd3c41b068ceeec5

SHA1 hash:

290c3bb14c83507268547c607f08baf11ee913d9

Detections:

DbatLoaderStage1

Link:

https://www.unpac.me/results/ef069e59-df66-4ba5-92d9-0d2d37277fcd/

Malware family:

Remcos

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3f5d2ca933f5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/330617/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample

MalwareBazaar Database

Database Entry

Intelligence

File Origin

Vendor Threat Intelligence

Result

Behaviour

Result

Details

Result

Signature

Behaviour

Result

Behaviour

Malware Config

Unpacked files

File information

Comments

Login required