MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 628639dd51281444d73d8c0c9dcb4d4b4ad288b4e522868f99e69a77ff6da59a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 628639dd51281444d73d8c0c9dcb4d4b4ad288b4e522868f99e69a77ff6da59a
SHA3-384 hash: 04d536b46fdb9a13cb5f7a7ae2f2238871328a5e52dab047d23bc7b495bf989613d2e90946173155ad2b61b36af1163d
SHA1 hash: 2dda268177260714d145e326471246eac6e2e9fb
MD5 hash: f8e1582a686e50fab7dbda5d6d9e6554
humanhash: cold-edward-jig-enemy
File name:SecuriteInfo.com.Downloader-FCIVF8E1582A686E.20880.4913
Download: download sample
Signature ModiLoader
Create hunting rule
File size:859'648 bytes
First seen:2022-04-19 09:53:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e0804e63f849253255cc5a90c0147c49 (6 x DBatLoader, 1 x Formbook, 1 x ModiLoader)
ssdeep 12288:bZ8wag4BvCXr8j4CoOjPDQdT4ragoUG15U87uxHkHijCNsFKzaRHr:b2FN2ojFoOjcdTaTGTR8HExz
Threatray 7'529 similar samples on MalwareBazaar
TLSH T17505AF26B3918836D4732E744D2B92B45935BF202E24B9463AF9ED4C5F3A6D03D3D293
TrID 26.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
24.5% (.SCR) Windows screen saver (13101/52/3)
19.7% (.EXE) Win64 Executable (generic) (10523/12/4)
8.4% (.EXE) Win32 Executable (generic) (4505/5/1)
5.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon c8c982848998ac94 (10 x Formbook, 6 x DBatLoader, 4 x RemcosRAT)
Reporter SecuriteInfoCom
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
260
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/264583/
Detection(s):
SecuriteInfo.com.Downloader-FCIVF8E1582A686E.20880.4913.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching the process to interact with network services
Launching a process
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe greyware keylogger
Link:
https://www.filescan.io/uploads/625e86beeab80a7a6c405e6e/reports/14959df0-9604-41fb-9ed0-c50295157d4c/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e9487bc2-c8e4-4acf-97b3-910fd7733d88
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/978750
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Program Location with Network Connections
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 611235 Sample: SecuriteInfo.com.Downloader... Startdate: 19/04/2022 Architecture: WINDOWS Score: 100 53 Multi AV Scanner detection for domain / URL 2->53 55 Found malware configuration 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 5 other signatures 2->59 8 SecuriteInfo.com.Downloader-FCIVF8E1582A686E.20880.exe 1 22 2->8         started        13 Ghtxcil.exe 14 2->13         started        15 Ghtxcil.exe 17 2->15         started        process3 dnsIp4 39 i-ams02p-cor001.api.p001.1drv.com 13.105.28.32, 443, 49737, 49744 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 8->39 47 5 other IPs or domains 8->47 33 C:\Users\Public\Librariesbehaviorgraphhtxcil.exe, PE32 8->33 dropped 35 C:\Users\...behaviorgraphhtxcil.exe:Zone.Identifier, ASCII 8->35 dropped 69 Writes to foreign memory regions 8->69 71 Creates a thread in another existing process (thread injection) 8->71 73 Injects a PE file into a foreign processes 8->73 17 logagent.exe 2 8->17         started        21 cmd.exe 1 8->21         started        41 i-am3p-cor007.api.p001.1drv.com 13.104.158.183, 443, 49779, 49785 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 13->41 43 192.168.2.1 unknown unknown 13->43 49 5 other IPs or domains 13->49 75 Multi AV Scanner detection for dropped file 13->75 23 DpiScaling.exe 13->23         started        45 i-am3p-cor005.api.p001.1drv.com 13.104.158.179, 443, 49789, 49793 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 15->45 51 5 other IPs or domains 15->51 25 DpiScaling.exe 15->25         started        file5 signatures6 process7 dnsIp8 37 79.134.225.44, 6809 FINK-TELECOM-SERVICESCH Switzerland 17->37 61 Contains functionality to steal Chrome passwords or cookies 17->61 63 Contains functionality to inject code into remote processes 17->63 65 Contains functionality to steal Firefox passwords or cookies 17->65 67 Delayed program exit found 17->67 27 cmd.exe 1 21->27         started        29 conhost.exe 21->29         started        signatures9 process10 process11 31 conhost.exe 27->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/628639dd51281444d73d8c0c9dcb4d4b4ad288b4e522868f99e69a77ff6da59a/
Threat name:
Win32.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2022-04-19 09:54:10 UTC
File Type:
PE (Exe)
Extracted files:
67
AV detection:
23 of 38 (60.53%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mkddtxkrfakejvz5rqgj3s2njnfnfcfu4urind4z42nhp73nuwna._file
Verdict:
malicious
Similar samples:
3ba7ad2a718413ab6d36dd156bbdd5ac1bcca860f039b14c4cb4382aee58bc88
ModiLoader
3e755ebc4b3e451616df6473cf0f804e3c0d79e06e4f7bd54f94544848961f12
ModiLoader
6299e5f3946878e16130c6454bcd90bf319b3dcf8bd13d9a56bb867ba82eb655
ModiLoader
6a388696745c133ba5ea711f6413c3c10c082df2d70ca70b2f015c5f83c53c75
ModiLoader
713114d1dcb9d12994f1cfcb7cc765283cff3f2242ee57cdf15e849e15213a0b
ModiLoader
83d7062a6e44aed6a161da23937cc66f97982e045d933dc4dd2049df4496d34b
ModiLoader
9c9243f11dd44d1f1ac97716014be57244dca97a514e73d5f13da03392cba358
ModiLoader
9ea23f24620fd64243f22df105d30b97810377238aed2fd83aa31665198175db
ModiLoader
9ef6b1868ca09cf927398496746dc5c1e73980fe7e3c1ffe4f45004a1f11d16b
ModiLoader
+ 7'519 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:loostime persistence rat trojan
Link:
https://tria.ge/reports/220419-lw7nfsfba4/
Behaviour
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
79.134.225.44:6809
Unpacked files
SH256 hash:
5c7abef80eec8823727033ff393ec0c554e024174078558c2816eac5aa5f05ba
MD5 hash:
75bb3ad3fd6a800d80f6d0df1eacc4cd
SHA1 hash:
97401d629c663e86c91d254047857d2d56245c69
Link:
https://www.unpac.me/results/24c12825-0b59-465e-a4d3-dac153bd7edd/
Parent samples :
25ea2bf5ae084d751e654229343f8390cf11c0d1930fda8009b3935a96317de2
af499144c7f610fae2c18484fd390dbc9307cf056e69813a1f53f944593d412b
5c7e72a95bfda155875ac2e0b0a56588bb5ec05ca71d2e94c9f0ccfba523c373
7834cc8a3f3b2dd0d3ed6a22c134b347054a477e116b4a46751f21a463aee356
SH256 hash:
628639dd51281444d73d8c0c9dcb4d4b4ad288b4e522868f99e69a77ff6da59a
MD5 hash:
f8e1582a686e50fab7dbda5d6d9e6554
SHA1 hash:
2dda268177260714d145e326471246eac6e2e9fb
Link:
https://www.unpac.me/results/24c12825-0b59-465e-a4d3-dac153bd7edd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/628639dd51281444d73d8c0c9dcb4d4b4ad288b4e522868f99e69a77ff6da59a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:remcos_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/264583/

Comments