MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 698a3c667ded86b3422b8e4839c9ca2743a8c4905fbc449514e59a9b666bda4d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 698a3c667ded86b3422b8e4839c9ca2743a8c4905fbc449514e59a9b666bda4d
SHA3-384 hash: a44a7c180702567c67c40124fae8dadb83d8bf1bbf1cfbe180addf3711274550b24dba0b4d38cc89a53be5ee3039cfb3
SHA1 hash: 7e20d8fe856f21d1504de062b2c45c3b32bf75dc
MD5 hash: de8007c16d5e29a57c6004c6bb8c7100
humanhash: burger-potato-mississippi-jig
File name:TUR Request Confirmation876789376TD_PDF.scr
Download: download sample
Signature ModiLoader
Create hunting rule
File size:864'256 bytes
First seen:2020-10-20 08:09:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9d99d2b7dc0b1c0b642d9d88933e0dd9 (8 x ModiLoader, 1 x RemcosRAT)
ssdeep 12288:Gg6qVpf8BGuCG43fxR8bUQFqSjRJsK/Alk4fMCGOLou:GgZoBGuX44pbLmlkDpw
Threatray 367 similar samples on MalwareBazaar
TLSH 0A05AE63B2918837C0721A79DD0BAB685D39FE007D20A4473BFC2D4D9F79641787A2A7
Reporter abuse_ch
Tags:ModiLoader scr


Avatar
abuse_ch
Malspam distributing ModiLoader:

HELO: bas0.nida-logistics.com
Sending IP: 45.86.74.124
From: AYDIN Erdal <contact@nida-logistics.com>
Subject: ARSİ TURİZM Request Order - OCT2020
Attachment: TUR Request Confirmation876789376TD_PDF.7z (contains "TUR Request Confirmation876789376TD_PDF.scr")

Intelligence

File Origin
# of uploads :
1
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/73301/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Unauthorized injection to a recently created process
Running batch commands
Creating a process with a hidden window
Setting a global event handler
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Sending a TCP request to an infection source
Unauthorized injection to a system process
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/497239
Signature
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Fodhelper UAC Bypass
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 300787 Sample: TUR Request Confirmation876... Startdate: 20/10/2020 Architecture: WINDOWS Score: 100 43 nexty.dnsupdate.info 2->43 57 Multi AV Scanner detection for submitted file 2->57 59 Yara detected BitRAT 2->59 61 Sigma detected: Fodhelper UAC Bypass 2->61 63 4 other signatures 2->63 9 TUR Request Confirmation876789376TD_PDF.exe 1 15 2->9         started        14 Rkrndrv.exe 13 2->14         started        16 Rkrndrv.exe 13 2->16         started        signatures3 process4 dnsIp5 49 cdn.discordapp.com 162.159.134.233, 443, 49734 CLOUDFLARENETUS United States 9->49 51 discord.com 162.159.137.232, 443, 49733 CLOUDFLARENETUS United States 9->51 41 C:\Users\user\AppData\Local\...\Rkrndrv.exe, PE32 9->41 dropped 67 Writes to foreign memory regions 9->67 69 Creates a thread in another existing process (thread injection) 9->69 71 Injects a PE file into a foreign processes 9->71 18 TUR Request Confirmation876789376TD_PDF.exe 1 9->18         started        22 notepad.exe 4 9->22         started        53 162.159.129.233, 443, 49754, 49759 CLOUDFLARENETUS United States 14->53 55 162.159.135.232, 443, 49752, 49758 CLOUDFLARENETUS United States 14->55 73 Multi AV Scanner detection for dropped file 14->73 75 Tries to detect virtualization through RDTSC time measurements 14->75 25 Rkrndrv.exe 14->25         started        27 Rkrndrv.exe 16->27         started        file6 signatures7 process8 dnsIp9 45 nexty.dnsupdate.info 79.134.225.98, 49753, 49772, 8070 FINK-TELECOM-SERVICESCH Switzerland 18->45 47 192.168.2.1 unknown unknown 18->47 65 Hides threads from debuggers 18->65 39 C:\Users\Public39atso.bat, ASCII 22->39 dropped 29 cmd.exe 1 22->29         started        31 cmd.exe 1 22->31         started        file10 signatures11 process12 process13 33 conhost.exe 29->33         started        35 reg.exe 1 1 29->35         started        37 conhost.exe 31->37         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/698a3c667ded86b3422b8e4839c9ca2743a8c4905fbc449514e59a9b666bda4d/
Threat name:
Win32.Trojan.Rescoms
Create hunting rule
Status:
Malicious
First seen:
2020-10-20 07:22:31 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ngfdyzt55wdlgqrlrzedtsoke5b2rreql66ejfiu4wnjwztl3jgq._file
Verdict:
suspicious
Similar samples:
095c0ec3aaf403883d840db77147a330a4cbe0781d26ca4825a69a1798fdef1c
ModiLoader
0fac83472e461604cdb195068ca091af7c56d39c73794fa41394206e1ede2894
ModiLoader
4284003dc87d3f8afa499b3edac620589dba8b1ac5d9a38d943dd0b381a473c5
ModiLoader
6b821b358a92094bf1218d5a455e7205efeda83a4b4247d010a86b77e284ee75
ModiLoader
6ce29350390228c4f8cf474b079fc0e786b364cf5c0c8994b7ad1137c185be3b
ModiLoader
99a8e371d2d05838012be53f7e86a675acdc9be4770eb4372779a85a574c2f1a
ModiLoader
cb8095a08ad64a6811cfb011db6f7bc97f21e459ca65382251bec95cfd1d9529
ModiLoader
e7def582e6c764fb35cad598da8b83da969897d37241402df8c8bac2b870432f
ModiLoader
eacd4bf6e9ef503d844adb44043c83bd6324b805b6587a3d2b4b27ec0143dedc
ModiLoader
fb28260466e3ce4029f48c81b60a1ef83e755e772672a28cea1f00f51984c808
ModiLoader
+ 357 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
upx persistence trojan family:modiloader
Link:
https://tria.ge/reports/201020-shjpxse1ts/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
UPX packed file
ModiLoader First Stage
ModiLoader Second Stage
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
698a3c667ded86b3422b8e4839c9ca2743a8c4905fbc449514e59a9b666bda4d
MD5 hash:
de8007c16d5e29a57c6004c6bb8c7100
SHA1 hash:
7e20d8fe856f21d1504de062b2c45c3b32bf75dc
Link:
https://www.unpac.me/results/a1f7a870-4cf7-4b18-aa1a-b0d2d142b20d/
SH256 hash:
9709b193c99e3248e05ab2415e0c6f11024b6b40f6d6d97e37b24cece28b95d2
MD5 hash:
c6cca21893373dcd4de52dd7e737ac33
SHA1 hash:
c3cd6914b67b2149f7db11196a3ced5d481bc8d0
Link:
https://www.unpac.me/results/a1f7a870-4cf7-4b18-aa1a-b0d2d142b20d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/698a3c667ded86b3422b8e4839c9ca2743a8c4905fbc449514e59a9b666bda4d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

7z fb679e72a3d34322e9e710b86cb840f1c21c4a2bc7669c8a2e17049e95be71a8

ModiLoader

Executable exe 698a3c667ded86b3422b8e4839c9ca2743a8c4905fbc449514e59a9b666bda4d

(this sample)

  
Dropped by
MD5 c2754ac65bb0c398cc9c847679b71ddf
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 fb679e72a3d34322e9e710b86cb840f1c21c4a2bc7669c8a2e17049e95be71a8
Cape
Cape
https://www.capesandbox.com/analysis/73301/

Comments