MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f36a71d9195b8639ff47c95e8980ee7f0f5a22371e75e91042c4ad10de1b39c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ModiLoader

Vendor detections: 8

SHA256 hash: 4f36a71d9195b8639ff47c95e8980ee7f0f5a22371e75e91042c4ad10de1b39c
SHA3-384 hash: b0134b8ca8fa2afb22a82d135f03687d8105fec9b9c0fabdc9af0e4d07d4ae1c35d2bb9e011174f1cb97917e2f219f39
SHA1 hash: ce268cc3c370a48946b5bbd3aca55e42de2e611b
MD5 hash: 305693594beccacab46324f34c577ce6
humanhash: burger-bulldog-texas-kentucky
File name: PROFORMA.EXE
Signature: ModiLoader
File size: 687'793 bytes
First seen: 2020-09-09 17:06:35 UTC
Last seen: 2020-09-09 17:54:09 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 89fc15c9524a3b289f869310c077c62f (1 x ModiLoader)
ssdeep: 6144:jyW2lkCLN7dqZJAsceDJQSCiA0s/EJYkjvhnLzumanufnUaADlscPww5W/rVM+E4:cGCLvMAskVAJdj16wUFy7mO9VEkm7nl+
Threatray: 799 similar samples on MalwareBazaar
TLSH: 66E46C3261E1D336D076DAF94D4BA67848E5BE50F8687C46DAE83D085E3AED0791F203
Reporter: James_inthe_box
Tags: exe

Code Signing Certificate

Organisation: Symantec Time Stamping Services CA - G2
Issuer: Thawte Timestamping CA
Algorithm: sha1WithRSAEncryption
Valid from: Dec 21 00:00:00 2012 GMT
Valid to: Dec 30 23:59:59 2020 GMT
Serial number: 7E93EBFB7CC64E59EA4B9A77D406FC3B
Intelligence: 85 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 0625FEE1A80D7B897A9712249C2F55FF391D6661DBD8B87F9BE6F252D88CED95
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 2
# of downloads: 112
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware

Behaviour
Launching a process
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Creating a file in the %AppData% subdirectories
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Unauthorized injection to a recently created process
Setting a global event handler for the keyboard
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data

Result
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100

Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Remcos RAT

Result
Threat name: Win32.Trojan.Injects
Status: Malicious
First seen: 2020-09-09 16:58:25 UTC
File Type: PE (Exe)
Extracted files: 101
AV detection: 26 of 29 (89.66%)
Threat level: 5/5

Result
Malware family: modiloader
Score: 10/10
Tags: rat family:remcos trojan family:modiloader

Behaviour
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
ModiLoader First Stage
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos

Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other

Comments