MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 65cf7899fa75abf976e753047042b2f5656a277b5ec19f085d5e0bd538be6ab3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 65cf7899fa75abf976e753047042b2f5656a277b5ec19f085d5e0bd538be6ab3
SHA3-384 hash: 5c661112c6870c320483bea322e3717af1d56ee118fb51248cf6625a12bf69845d3722f56dab4e16b707c6144f50b4d5
SHA1 hash: 2ef3683f2625f3f4fef7135396830f6483393b3a
MD5 hash: b0926aa09b9d319e7fae8726b011aeb6
humanhash: music-princess-hawaii-mango
File name:DATA-BREACH.scr
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'093'632 bytes
First seen:2020-10-23 06:26:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b370bd9acb33b65a37dff94bd60f0a01 (10 x ModiLoader, 2 x AveMariaRAT, 2 x Loki)
ssdeep 12288:efbnamhHbXW763V8d8OAqUo3priVlP3lVJN2wNkmRPxkcIhl4weV+8YZqckawUNo:ef75m8OWo0l/iOk4PHIh6luYyQj
Threatray 263 similar samples on MalwareBazaar
TLSH 20355B52B6C084F6C1761A39CE9FB7AC5925BE402E245C8B3EFD7D8D6B34241243A19F
Reporter abuse_ch
Tags:ModiLoader scr


Avatar
abuse_ch
Malspam distributing ModiLoader:

HELO: mail.monsterclpudapps.com
Sending IP: 184.95.46.53
From: disastercustomerservice <info@asptechnologies.org>
Subject: DATA BEACH
Attachment: DATA-BREACH.zip (contains "DATA-BREACH.scr")

Intelligence

File Origin
# of uploads :
1
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/74907/
Detection(s):
SecuriteInfo.com.Variant.Zusy.322401.10551.27714.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/507743
Signature
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 302992 Sample: DATA-BREACH.scr Startdate: 23/10/2020 Architecture: WINDOWS Score: 100 44 Malicious sample detected (through community Yara rule) 2->44 46 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 8 other signatures 2->50 8 DATA-BREACH.exe 1 13 2->8         started        13 Xfajdrv.exe 13 2->13         started        15 Xfajdrv.exe 13 2->15         started        process3 dnsIp4 36 cdn.discordapp.com 162.159.135.233, 443, 49731, 49750 CLOUDFLARENETUS United States 8->36 38 discord.com 162.159.137.232, 443, 49730 CLOUDFLARENETUS United States 8->38 32 C:\Users\user\AppData\Local\...\Xfajdrv.exe, PE32 8->32 dropped 52 Writes to foreign memory regions 8->52 54 Creates a thread in another existing process (thread injection) 8->54 56 Injects a PE file into a foreign processes 8->56 17 notepad.exe 4 8->17         started        19 ieinstal.exe 2 3 8->19         started        40 162.159.129.233, 443, 49747 CLOUDFLARENETUS United States 13->40 42 162.159.135.232, 443, 49746, 49749 CLOUDFLARENETUS United States 13->42 58 Multi AV Scanner detection for dropped file 13->58 22 ieinstal.exe 13->22         started        file5 signatures6 process7 dnsIp8 24 cmd.exe 1 17->24         started        26 cmd.exe 1 17->26         started        34 185.165.153.25, 49744, 8970 DAVID_CRAIGGG Netherlands 19->34 process9 process10 28 conhost.exe 24->28         started        30 conhost.exe 26->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/65cf7899fa75abf976e753047042b2f5656a277b5ec19f085d5e0bd538be6ab3/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2020-10-22 22:26:22 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mxhxrgp2owv7s5xhkmchaqvs6vswuj33l3az6cc5lyf5kof6nkzq._file
Verdict:
suspicious
Similar samples:
018bc083a823092a92d1c114dd649d85f63b19feda836cf32b44bc1e5c2f3aa9
ModiLoader
19a73389eedc939c7060dda1dba9861db19f238a9da6e127d9674f72519478ef
ModiLoader
1cb12fe935a3772fbaf5e8fc0881f7ceec419012788fb54894c995caa099d5d1
ModiLoader
210907c63a822466ef533403076830467ea49fd5fad67af25528ab558eeb9415
ModiLoader
5496dfc9455c74ff1ab9ecc70673029150fcf35e12922953627667a7b7b7f7a6
ModiLoader
5efee2d98b3c2ff0a563442a5e16fc1a63c2d20fb6c9ad8bfa3e9a7a0a326524
ModiLoader
7e4e2d9ab7a1a27b10078f7377f19109cfab4156295f3f8fd91649f5876ad911
ModiLoader
7ff052b87f0dd31a5426fa0a03cc6618ecc6bc5b1b7cfeab12ee1adf5dbffd41
ModiLoader
82b070a42d50b8e37b551543e041933140f3823138b0997fccd4ad926df8183b
ModiLoader
b6138e4d197c59380c87723cb54c9cf7d5e4600a4273c98723470a57a591edda
ModiLoader
+ 253 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
trojan family:modiloader rat family:remcos persistence
Link:
https://tria.ge/reports/201023-rwyr766d4j/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader First Stage
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
Unpacked files
SH256 hash:
65cf7899fa75abf976e753047042b2f5656a277b5ec19f085d5e0bd538be6ab3
MD5 hash:
b0926aa09b9d319e7fae8726b011aeb6
SHA1 hash:
2ef3683f2625f3f4fef7135396830f6483393b3a
Link:
https://www.unpac.me/results/fcb86be5-32ee-4d71-a234-c8bb404543fb/
SH256 hash:
798579c2392d8bbde9d878c1fe33c6c09a0df2056af60fb37b10cd37c053ea8e
MD5 hash:
751101fbf4d51feeab31595271848169
SHA1 hash:
8071540e1b2eb8e19cb4a3ec2818f7564b1936d7
Link:
https://www.unpac.me/results/fcb86be5-32ee-4d71-a234-c8bb404543fb/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Choice_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

zip 47db012820a4db951088ff44f747850d2a280280c9491d22fa40a2d12848d6c8

ModiLoader

Executable exe 65cf7899fa75abf976e753047042b2f5656a277b5ec19f085d5e0bd538be6ab3

(this sample)

  
Dropped by
MD5 9ca0322757cbc4d627ddb48862cf92a7
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/74907/
  
Dropped by
SHA256 47db012820a4db951088ff44f747850d2a280280c9491d22fa40a2d12848d6c8

Comments