MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4272fd59d96204a2d503f3356fe96fed2c6d3bf019c7ef25aacff0e1c36a758a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4272fd59d96204a2d503f3356fe96fed2c6d3bf019c7ef25aacff0e1c36a758a
SHA3-384 hash: b4da866ae4a4e33c2c3bbfd2b88ddc9486124b03abc92bbaf2dbf568275534ea9914b4de7fdbc8d47ee4a5e0b0941a56
SHA1 hash: 92416a077ebc66d6082a6f802aefc94476d6a30c
MD5 hash: 5311054411ae2f562ebaa00093ec2261
humanhash: michigan-berlin-north-carpet
File name:SecuriteInfo.com.Variant.Jaik.95298.16760.17387
Download: download sample
Signature ModiLoader
Create hunting rule
File size:932'352 bytes
First seen:2022-09-15 00:41:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 382d9c538727c04c8c0ffa65db10afc6 (3 x ModiLoader, 1 x DBatLoader, 1 x Formbook)
ssdeep 12288:WZ3m2ifTnKeXXOeh0jbXGrapowu0ZCWNDoCHjsG83q/rhf7fvQBn:A9irKeXXOehw2rapowuCCsoT3q/lvkn
Threatray 1'895 similar samples on MalwareBazaar
TLSH T116158FE672B0CB33D023197DCA2B325D9F7E7E205E10744E63E53A5CDE38A412526A67
TrID 28.1% (.EXE) Win32 Executable Delphi generic (14182/79/4)
25.9% (.SCR) Windows screen saver (13101/52/3)
20.8% (.EXE) Win64 Executable (generic) (10523/12/4)
8.9% (.EXE) Win32 Executable (generic) (4505/5/1)
4.1% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 33d0d89696d8d033 (14 x ModiLoader, 9 x DBatLoader, 6 x Formbook)
Reporter SecuriteInfoCom
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
358
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/310109/
Detection(s):
SecuriteInfo.com.Variant.Jaik.95298.16760.17387.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Sending a custom TCP request
DNS request
Creating a file
Unauthorized injection to a recently created process
Setting a keyboard event handler
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/37673/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger
Link:
https://www.filescan.io/uploads/6322751a1183046074a134f9/reports/80acef98-fa58-45be-a788-dfd573f76f89/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4b37cd17-4120-4bf6-bcba-03f3ec449673
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1070610
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses dynamic DNS services
Yara detected Remcos RAT
Yara detected UAC Bypass using ComputerDefaults
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 703152 Sample: SecuriteInfo.com.Variant.Ja... Startdate: 15/09/2022 Architecture: WINDOWS Score: 100 65 Snort IDS alert for network traffic 2->65 67 Multi AV Scanner detection for domain / URL 2->67 69 Malicious sample detected (through community Yara rule) 2->69 71 7 other signatures 2->71 7 SecuriteInfo.com.Variant.Jaik.95298.16760.17387.exe 1 17 2->7         started        12 Nrebwdfk.exe 14 2->12         started        14 Nrebwdfk.exe 2->14         started        process3 dnsIp4 45 vunb6q.am.files.1drv.com 7->45 47 onedrive.live.com 7->47 49 am-files.fe.1drv.com 7->49 33 C:\Users\Public\Libraries33rebwdfk.exe, PE32 7->33 dropped 35 C:\Users\...35rebwdfk.exe:Zone.Identifier, ASCII 7->35 dropped 37 C:\Users\Public\Libraries37rebwdfk, data 7->37 dropped 79 Contains functionality to inject threads in other processes 7->79 81 Contains functionality to inject code into remote processes 7->81 83 Injects a PE file into a foreign processes 7->83 16 SecuriteInfo.com.Variant.Jaik.95298.16760.17387.exe 2 16 7->16         started        51 vunb6q.am.files.1drv.com 12->51 55 2 other IPs or domains 12->55 85 Multi AV Scanner detection for dropped file 12->85 20 Nrebwdfk.exe 12->20         started        53 vunb6q.am.files.1drv.com 14->53 57 2 other IPs or domains 14->57 22 Nrebwdfk.exe 14->22         started        file5 signatures6 process7 dnsIp8 39 bestsuccess.ddns.net 79.134.225.115, 2442, 49717, 49718 FINK-TELECOM-SERVICESCH Switzerland 16->39 41 geoplugin.net 178.237.33.50, 49719, 80 ATOM86-ASATOM86NL Netherlands 16->41 43 192.168.2.1 unknown unknown 16->43 59 Maps a DLL or memory area into another process 16->59 61 Sample uses process hollowing technique 16->61 63 Installs a global keyboard hook 16->63 24 SecuriteInfo.com.Variant.Jaik.95298.16760.17387.exe 1 16->24         started        27 SecuriteInfo.com.Variant.Jaik.95298.16760.17387.exe 1 16->27         started        29 SecuriteInfo.com.Variant.Jaik.95298.16760.17387.exe 16->29         started        31 22 other processes 16->31 signatures9 process10 signatures11 73 Tries to steal Instant Messenger accounts or passwords 24->73 75 Tries to steal Mail credentials (via file / registry access) 24->75 77 Tries to harvest and steal browser information (history, passwords, etc) 31->77
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4272fd59d96204a2d503f3356fe96fed2c6d3bf019c7ef25aacff0e1c36a758a/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-09-15 00:42:10 UTC
File Type:
PE (Exe)
Extracted files:
30
AV detection:
17 of 25 (68.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ijzp2wozmickfvid6m2w72lp5uwg2o7qdhd66jnkz7yodq3kowfa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0c3d385c94560cc9fa56c7cab2a5401c37397820956adaa20e5b4fa6422ceb3d
ModiLoader
217bb63194104a743dea34fafc9d8f38c842cde812ec86dfff64b03526bd2d89
ModiLoader
38816055042a3693ff846a391e8280f800d06a3c49ca0181ab0f99d99db48b09
ModiLoader
65cdfaf2f1780649028e28012f826da60bc9c2f2c36ea8239a2378a5abcf083f
ModiLoader
7d237aef354c63c3618c8c8df4718e2c5056edd90702bc77a233944e2c42de9b
ModiLoader
a6abf72d95dac9ba6e6e4b53d9cbcd013846660a18ac5b9eeacb6cd87c783a2c
ModiLoader
aeff864a48f8a0b26b5db70bebd4a437875dd33b3b35b8953ea216ce126c5e1e
ModiLoader
fe6a93368c9da83d864b3f37fba5c8c01302a3d909779cb3bd6dfaed8b430fb5
ModiLoader
+ 1'885 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:yak collection persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/220915-a2cjqabfd3/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Reads user/profile data of web browsers
ModiLoader Second Stage
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
bestsuccess.ddns.net:2442
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/78a079f7-b17a-41a0-a2f0-8b08a8284167
Unpacked files
SH256 hash:
002d54f655cf8f16866c478261daadd51896310839a7e3da98ace9873323c9fc
MD5 hash:
eb295d7d7804e778f9f5ae4783379ccc
SHA1 hash:
d1b9df6113a548dd362fc0cb611c78eef2124f73
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/edbd4562-2f76-4dc0-b343-e402c44b4e37/
Parent samples :
e678b49addfe3e9fa2c9836bf6d0cc3bed0310f87cdcafd0fce458985c5276c8
911c27a105a2e71591d12567053d8024f4c15c95ce4f1d67937ef1a3d723c263
7ff888a459a2476f9e3dfcaf8799f30bc24808d103606512503949b3ab818cc4
61d2d7bcb9665785fd5571a546cbad026f349a138e2a32f2dbeed90f5480a0a3
24b237c6dcd5b3f5cb3e687e4fa169fef7bce3f6fe1eb5a89bafd99656dfd353
4272fd59d96204a2d503f3356fe96fed2c6d3bf019c7ef25aacff0e1c36a758a
f3feaf830444cc6786b6d4e06bd4a2aef79519ebe3e336882d410268db96292c
e7f4fdb02b9f0f43c5325e8b0ea8ce07ee78c5aa63ccfb1892b079bbd2400874
c60e8a14abc81ae3f2ffbe04b32240a92b900107e4acc9eb88e43632aee1266c
44e94b15723fb3ee7cf9d710939d7fda2273622f2284e30cfa67d280a206eb62
SH256 hash:
4272fd59d96204a2d503f3356fe96fed2c6d3bf019c7ef25aacff0e1c36a758a
MD5 hash:
5311054411ae2f562ebaa00093ec2261
SHA1 hash:
92416a077ebc66d6082a6f802aefc94476d6a30c
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/edbd4562-2f76-4dc0-b343-e402c44b4e37/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4272fd59d962/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/4272fd59d96204a2d503f3356fe96fed2c6d3bf019c7ef25aacff0e1c36a758a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:RansomwareTest4
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest5
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/310109/

Comments