MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 72427a1ab5dbf3e5c6d4f297ec33becb68bc39d1c8446f98c47d1560f6371a3a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 72427a1ab5dbf3e5c6d4f297ec33becb68bc39d1c8446f98c47d1560f6371a3a
SHA3-384 hash: b50be22dba4e973ca779f8984d9a6de6460927086bacf90e2fe47fa4f254a0dc94ca8114ea726837018ca1167966382b
SHA1 hash: 07a39dab9d8292889f560a4848a9ff43423f5ac2
MD5 hash: 98bba0641ef9aed11939a3817370822c
humanhash: cola-texas-five-crazy
File name:Türkiye Teklif - PO FH8765446878-15-10-2020.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'050'778 bytes
First seen:2020-10-15 12:59:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a31ea16644ced8e431e2fe203a7b0361 (15 x ModiLoader, 4 x Loki, 1 x RemcosRAT)
ssdeep 24576:TFT7lBs40jT0sUbtpW/nAOPq3Sp58Un7nLT6USE/7LYUx5t8SH1s:TvBsxTEi5B7nLT6USE/7kUPtc
Threatray 1'059 similar samples on MalwareBazaar
TLSH 0525CF31F3E2CA36E2571131CC2B5BB99532BE002924945A76E63C4DAE367F079792D3
Reporter abuse_ch
Tags:exe geo ModiLoader TUR


Avatar
abuse_ch
Malspam distributing unidentified malware:

From: Konstantinidis Michalis <info1@atl-loizou.com>
Subject: Re: Türkiye Teklif - PO FH8765446878-15-10-2020
Attachment: Türkiye Teklif - PO FH8765446878-15-10-2020.zip (contains "Türkiye Teklif - PO FH8765446878-15-10-2020.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/71401/
Detection(s):
SecuriteInfo.com.Artemis5F81083596A0.8651.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Setting a global event handler for the keyboard
Connection attempt to an infection source
Unauthorized injection to a system process
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/492463
Signature
Allocates memory in foreign processes
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Fodhelper UAC Bypass
Sigma detected: Remcos
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 298735 Sample: T#U00fcrkiye Teklif - PO FH... Startdate: 15/10/2020 Architecture: WINDOWS Score: 100 44 incidencias6645.ddns.net 2->44 58 Multi AV Scanner detection for domain / URL 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 Multi AV Scanner detection for submitted file 2->62 64 9 other signatures 2->64 9 T#U00fcrkiye Teklif - PO FH8765446878-15-10-2020.exe 1 15 2->9         started        14 Ixmxdrv.exe 13 2->14         started        16 Ixmxdrv.exe 13 2->16         started        signatures3 process4 dnsIp5 48 cdn.discordapp.com 162.159.130.233, 443, 49738 CLOUDFLARENETUS United States 9->48 50 discord.com 162.159.138.232, 443, 49736, 49737 CLOUDFLARENETUS United States 9->50 52 192.168.2.1 unknown unknown 9->52 42 C:\Users\user\AppData\Local\...\Ixmxdrv.exe, PE32 9->42 dropped 66 Writes to foreign memory regions 9->66 68 Allocates memory in foreign processes 9->68 70 Creates a thread in another existing process (thread injection) 9->70 18 ieinstal.exe 2 3 9->18         started        22 notepad.exe 4 9->22         started        54 162.159.128.233, 443, 49750, 49751 CLOUDFLARENETUS United States 14->54 56 162.159.133.233, 443, 49752, 49758 CLOUDFLARENETUS United States 14->56 72 Multi AV Scanner detection for dropped file 14->72 74 Injects a PE file into a foreign processes 14->74 24 ieinstal.exe 14->24         started        26 ieinstal.exe 16->26         started        file6 signatures7 process8 dnsIp9 46 incidencias6645.ddns.net 79.134.225.83, 8638 FINK-TELECOM-SERVICESCH Switzerland 18->46 38 C:\Users\user\AppData\Roaming\...\logs.dat, ASCII 18->38 dropped 40 C:\Users\Public40atso.bat, ASCII 22->40 dropped 28 cmd.exe 1 22->28         started        30 cmd.exe 1 22->30         started        file10 process11 process12 32 conhost.exe 28->32         started        34 reg.exe 1 1 28->34         started        36 conhost.exe 30->36         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/72427a1ab5dbf3e5c6d4f297ec33becb68bc39d1c8446f98c47d1560f6371a3a/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-10-15 11:00:58 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ojbhugvv3pz6lrwu6kl6ym56znulyoorzbcg7ggepukwb5rxdi5a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
47d694226b7f034e868ded9f3ebc12b1afbf9bbccb791f4a98c61955f10efa19
ModiLoader
4f36a71d9195b8639ff47c95e8980ee7f0f5a22371e75e91042c4ad10de1b39c
ModiLoader
835109646cd221028859f7d4c7de74be962091d60840952ca85053e396fdc593
ModiLoader
a798d4bc2652e8509948c52670f34f2e59149cb2aefc60e486f014ffa112771f
ModiLoader
b44ef524ef77ea1ee0bcb7096b328f6f94a4621df0d15114e8ff43e83483bbc6
ModiLoader
ce30dea0b1d4fa181753600eb63c1d2f1a7de1bd848dcdbe196f6a35afef0ea9
ModiLoader
e14db11b2e852dcb17a2a9315aad77e48ef906ae85042a3edf667611898dc77c
ModiLoader
e7def582e6c764fb35cad598da8b83da969897d37241402df8c8bac2b870432f
ModiLoader
fa43d99f5f15a0f76079e1d2c35d5556fd8ff52718247829644c34112220d0f5
ModiLoader
fda7edab2bfba6005bc2f82548b9dcef7deec1fef238acc5fee12322d2b2629e
ModiLoader
+ 1'049 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
trojan family:modiloader
Link:
https://tria.ge/reports/201015-y7s597ghrs/
Behaviour
Modifies system certificate store
Suspicious use of WriteProcessMemory
ModiLoader Second Stage
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
72427a1ab5dbf3e5c6d4f297ec33becb68bc39d1c8446f98c47d1560f6371a3a
MD5 hash:
98bba0641ef9aed11939a3817370822c
SHA1 hash:
07a39dab9d8292889f560a4848a9ff43423f5ac2
Link:
https://www.unpac.me/results/b9ea7338-7aa5-4295-945a-775834cac7a3/
SH256 hash:
f976467bffcd94a6db3fba3518bff8f30b626e34a936aea666d7784e4c1ac9bb
MD5 hash:
808cda8a26692218e6124b63d2ecf18c
SHA1 hash:
d9cd1c9f8ba8f02471d8f65b8be34497a676af09
Link:
https://www.unpac.me/results/b9ea7338-7aa5-4295-945a-775834cac7a3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/72427a1ab5dbf3e5c6d4f297ec33becb68bc39d1c8446f98c47d1560f6371a3a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

zip 762f9f44f64063a11991b11765f6e02488835f0eca69ce2b967e35ba22edbfd7

ModiLoader

Executable exe 72427a1ab5dbf3e5c6d4f297ec33becb68bc39d1c8446f98c47d1560f6371a3a

(this sample)

  
Dropped by
MD5 b6a50ff5774b43f49dccd260647e9c55
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 762f9f44f64063a11991b11765f6e02488835f0eca69ce2b967e35ba22edbfd7
Cape
Cape
https://www.capesandbox.com/analysis/71401/

Comments