MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e65a5004779b795ed2d4b95d428083f4cdecf2f0d7880c11080040ed2b250b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6e65a5004779b795ed2d4b95d428083f4cdecf2f0d7880c11080040ed2b250b9
SHA3-384 hash: 64e18f6d69dc675887e74c39c6794681e7ab30edbff1d216a0540e0876410eb56af478f5e4540918999af3333a4da03a
SHA1 hash: be59783cfff2cbc30d6080ec089e40b34cf91a25
MD5 hash: 1b2cb7fe442893edacb90c334e8e9654
humanhash: potato-stream-fish-beer
File name:Bestätigung der Kontodaten,pdf.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:646'808 bytes
First seen:2020-10-16 17:59:15 UTC
Last seen:2020-10-16 19:22:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash af00c2cd3e1abe86ddbb239e27958d26 (6 x ModiLoader, 3 x RemcosRAT, 1 x Formbook)
ssdeep 12288:BEu6Ai+3QzSx++O8AySJxv/EJIy3m8A71UzFvCM2T4F1smtv1mHRm4DhKte1NDGq:F6pexT1YJS8xZzet0mgNr91
Threatray 350 similar samples on MalwareBazaar
TLSH A8D48F62F2D1C837C373253C9C5B96B49825BD9D2F2568762BE83D8C5F397823429293
Reporter abuse_ch
Tags:DEU exe geo ModiLoader


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: dumpling.thegigabit.com
Sending IP: 103.212.71.41
From: KETEC PRECISION TOOLING Co., LTD <info@vectortool.com.ua>
Subject: Betreff: Bestätigung der Kontodaten
Attachment: Bestätigung der Kontodaten,pdf.iso (contains "Bestätigung der Kontodaten,pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/72240/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Connection attempt to an infection source
Unauthorized injection to a system process
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/494096
Signature
Allocates memory in foreign processes
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Fodhelper UAC Bypass
Sigma detected: Remcos
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 299499 Sample: Best#U00e4tigung der Kontod... Startdate: 16/10/2020 Architecture: WINDOWS Score: 100 42 insidelife1.ddns.net 2->42 52 Malicious sample detected (through community Yara rule) 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 Detected Remcos RAT 2->56 58 9 other signatures 2->58 9 Best#U00e4tigung der Kontodaten,pdf.exe 1 15 2->9         started        14 Ibundrv.exe 13 2->14         started        16 Ibundrv.exe 13 2->16         started        signatures3 process4 dnsIp5 48 cdn.discordapp.com 162.159.129.233, 443, 49723 CLOUDFLARENETUS United States 9->48 40 C:\Users\user\AppData\Local\...\Ibundrv.exe, PE32 9->40 dropped 60 Writes to foreign memory regions 9->60 62 Allocates memory in foreign processes 9->62 64 Creates a thread in another existing process (thread injection) 9->64 18 notepad.exe 4 9->18         started        21 ieinstal.exe 2 9->21         started        50 162.159.133.233, 443, 49750, 49757 CLOUDFLARENETUS United States 14->50 66 Multi AV Scanner detection for dropped file 14->66 68 Injects a PE file into a foreign processes 14->68 24 ieinstal.exe 14->24         started        26 ieinstal.exe 16->26         started        file6 signatures7 process8 dnsIp9 38 C:\Users\Public38atso.bat, ASCII 18->38 dropped 28 cmd.exe 1 18->28         started        30 cmd.exe 1 18->30         started        44 insidelife1.ddns.net 216.38.7.231, 49744, 49745, 49746 ASN-GIGENETUS United States 21->44 46 192.168.2.1 unknown unknown 21->46 file10 process11 process12 32 conhost.exe 28->32         started        34 reg.exe 1 1 28->34         started        36 conhost.exe 30->36         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6e65a5004779b795ed2d4b95d428083f4cdecf2f0d7880c11080040ed2b250b9/
Threat name:
Win32.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-10-16 10:43:59 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nzs2kachpg3zl3jnjok5ikaih5gn5tzpbv4ibqiqqaca5uvskc4q._file
Verdict:
suspicious
Similar samples:
33e6263b0e9dbd16c509e5701a60e4615feda4713fad24c75f51c94e5e53f5cb
ModiLoader
4284003dc87d3f8afa499b3edac620589dba8b1ac5d9a38d943dd0b381a473c5
ModiLoader
46ff7f6619eda7e3b2c5b36a2d3f21b154749d31ae2695c4d23c992361ce1f58
ModiLoader
69a218fceba737bcd30936ae7e3404544c9976c0db63be7ad2c7e950677a9e16
ModiLoader
6b821b358a92094bf1218d5a455e7205efeda83a4b4247d010a86b77e284ee75
ModiLoader
74b843d9cabf046a044581d20033d93eecf9d8ea590ce9557569e40d990e6241
ModiLoader
cb8095a08ad64a6811cfb011db6f7bc97f21e459ca65382251bec95cfd1d9529
ModiLoader
d7c62c1526c39e136b5c7a703c92ec5f8a67c987a7414e0cbb145172671a2293
ModiLoader
e8001e686b3c1972277296e3ed20992b8fd67e7c7f8dc16a827e09d3f22b02e0
ModiLoader
fa6c28a5a196dff6d67240342b726d3b8f733ee9b1a7ba04a559251f6c8c4850
ModiLoader
+ 340 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
rat family:remcos persistence trojan family:modiloader
Link:
https://tria.ge/reports/201016-b2bew42jqj/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader First Stage
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
Unpacked files
SH256 hash:
6e65a5004779b795ed2d4b95d428083f4cdecf2f0d7880c11080040ed2b250b9
MD5 hash:
1b2cb7fe442893edacb90c334e8e9654
SHA1 hash:
be59783cfff2cbc30d6080ec089e40b34cf91a25
Link:
https://www.unpac.me/results/9b8d195b-271f-4d4e-9522-2fd898f751be/
SH256 hash:
dc375bd5d7e478d45241e8d05c0b74c0ba4ec668ba27b473a5d23a1ba837dd13
MD5 hash:
af27ff4d1c7bbb3abf159a3cfa12aa9c
SHA1 hash:
f0ba337b894bbba8122ea6687e4a3608b0d5ff87
Link:
https://www.unpac.me/results/9b8d195b-271f-4d4e-9522-2fd898f751be/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/6e65a5004779b795ed2d4b95d428083f4cdecf2f0d7880c11080040ed2b250b9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

iso 31fb810400eaee0d17bf217c5e6df8e3c942f2f87097d30da6c70073303d5679

ModiLoader

Executable exe 6e65a5004779b795ed2d4b95d428083f4cdecf2f0d7880c11080040ed2b250b9

(this sample)

  
Dropped by
MD5 223a754f414be86ac5113d29994c52bc
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/72240/
  
Dropped by
SHA256 31fb810400eaee0d17bf217c5e6df8e3c942f2f87097d30da6c70073303d5679

Comments