MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 53136d19559089e0674af4ad81621b99a031741edcc486eb3d402fd180b1b77e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 53136d19559089e0674af4ad81621b99a031741edcc486eb3d402fd180b1b77e
SHA3-384 hash: b608e41bd44ec5960790f47e13d896571979a99e6b579f6a6ae872a787d12da9fe1c9412cc08a111aba0c5e8a499ab76
SHA1 hash: a47b302b129342bfdc356de946a8e13d026d88b3
MD5 hash: ee716f3b1e68c21aebb1ae5a77e7ce76
humanhash: neptune-beryllium-missouri-lithium
File name:Scan01OrderAugust-pdf.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:776'192 bytes
First seen:2020-08-17 13:54:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 925501b726051625fb692aeb5906e244 (7 x ModiLoader, 2 x RemcosRAT, 1 x NetWire)
ssdeep 12288:xgAk0EFhcIK4FpC8FkjqwXRZtyjHqCt4ONWe744bmhiSEAlqgB:uMCc4FpC8Fkjb0jPtrXF0rE
Threatray 836 similar samples on MalwareBazaar
TLSH A0F49EE2E2818437C1332A7BDD1B5E995826BF513E28DC46ABE41D4C4F3A7D1383A197
Reporter abuse_ch
Tags:exe ModiLoader


Avatar
abuse_ch
Malspam distributing ModiLoader:

HELO: mweb.co.za
Sending IP: 45.137.22.57
From: Mariah Gonzales <gasspec@mweb.co.za>
Subject: New Order
Attachment: Scan01OrderAugust-pdf.zip (contains "Scan01OrderAugust-pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
68
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/47059/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Deleting a recently created file
Setting a single autorun event
Unauthorized injection to a recently created process by context flags manipulation
Connection attempt to an infection source
Setting a global event handler for the keyboard
Unauthorized injection to a system process
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/433642
Signature
Allocates memory in foreign processes
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Sigma detected: Fodhelper UAC Bypass
Sigma detected: Remcos
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 269187 Sample: Scan01OrderAugust-pdf.exe Startdate: 17/08/2020 Architecture: WINDOWS Score: 100 69 Malicious sample detected (through community Yara rule) 2->69 71 Detected Remcos RAT 2->71 73 Yara detected Remcos RAT 2->73 75 10 other signatures 2->75 8 Fjhosec.exe 13 2->8         started        12 Scan01OrderAugust-pdf.exe 1 16 2->12         started        15 Fjhosec.exe 13 2->15         started        process3 dnsIp4 59 162.159.135.233, 443, 49746 CLOUDFLARENETUS United States 8->59 61 162.159.136.232, 443, 49745 CLOUDFLARENETUS United States 8->61 77 Machine Learning detection for dropped file 8->77 79 Writes to foreign memory regions 8->79 81 Allocates memory in foreign processes 8->81 17 notepad.exe 4 8->17         started        63 cdn.discordapp.com 162.159.130.233, 443, 49736, 49749 CLOUDFLARENETUS United States 12->63 65 discord.com 162.159.138.232, 443, 49735, 49748 CLOUDFLARENETUS United States 12->65 55 C:\Users\user\AppData\Local\Fjhosec.exe, PE32 12->55 dropped 83 Creates a thread in another existing process (thread injection) 12->83 85 Injects a PE file into a foreign processes 12->85 19 notepad.exe 4 12->19         started        21 ieinstal.exe 2 3 12->21         started        67 192.168.2.1 unknown unknown 15->67 24 notepad.exe 4 15->24         started        file5 signatures6 process7 dnsIp8 27 cmd.exe 1 17->27         started        29 cmd.exe 1 17->29         started        31 cmd.exe 1 19->31         started        33 cmd.exe 1 19->33         started        57 79.134.225.12, 49750, 49751, 49752 FINK-TELECOM-SERVICESCH Switzerland 21->57 53 C:\Users\Public53atso.bat, ASCII 24->53 dropped 35 cmd.exe 24->35         started        37 cmd.exe 24->37         started        file9 process10 process11 39 conhost.exe 27->39         started        41 conhost.exe 29->41         started        43 conhost.exe 31->43         started        45 reg.exe 1 1 31->45         started        47 conhost.exe 33->47         started        49 conhost.exe 35->49         started        51 conhost.exe 37->51         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/53136d19559089e0674af4ad81621b99a031741edcc486eb3d402fd180b1b77e/
Threat name:
Win32.Trojan.DelfInject
Create hunting rule
Status:
Malicious
First seen:
2020-08-17 05:23:06 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kmjw2gkvsce6az2k6swycyq3tgqdc5a63tcin2z5iax5dafrw57a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0755d371e5549b67564d6dfa29600f76226a3dae42acaa8a6d0a82402e57bf86
ModiLoader
485c1301f4bc84bc2d274f53222cf7ca5fbd8af8728d1aaa977a6574f577fb87
ModiLoader
4ea16682c6d48eb737c1857beceadc3d3077921c03fa62d9dad44d551d92729d
ModiLoader
7720da8dd623a00812870efdb75c2f2571417599ebfabcff48d2bd95cd029ea2
ModiLoader
83eb442b175e4fe5a2fde6e8d72618eee280398f89a81da1f9c118d2c46032d4
ModiLoader
9930543939f97818319ed031530d9e084994331aa4b06a304faeb321bbcc63db
ModiLoader
a1c561c21720c4f1c3626276db6afc2c12b1aae9304c78518763eb78454f84b8
ModiLoader
c232e05f633d3e2bd0a1486a955d7f72eb9155408a635666306d922b333809b2
ModiLoader
c86bcfe4e22cb50054b44e38fc4fb79624c4ed5bf9a26174754dbb5c1a6baff8
ModiLoader
eb1230ab4a5408a3d264bb51f1ff311fcf52aa97d52b801738cd5add365e77d2
ModiLoader
+ 826 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
rat family:remcos persistence
Link:
https://tria.ge/reports/200817-dfg4mg1hna/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Remcos
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tibs
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/53136d19559089e0674af4ad81621b99a031741edcc486eb3d402fd180b1b77e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

zip e913ad1ba012af8eb0ce8b48d9a447946693799982c3e9745a3f2c8f7b05d12b

ModiLoader

Executable exe 53136d19559089e0674af4ad81621b99a031741edcc486eb3d402fd180b1b77e

(this sample)

  
Dropped by
MD5 311dcdc7d947bdbecb9ec1e38e4ab98a
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/47059/
  
Dropped by
SHA256 e913ad1ba012af8eb0ce8b48d9a447946693799982c3e9745a3f2c8f7b05d12b

Comments