MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 78582d172358ebeb7af791aeea731373b6856ab905c5ac122403fd8d0c31b8f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


modi


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 78582d172358ebeb7af791aeea731373b6856ab905c5ac122403fd8d0c31b8f3
SHA3-384 hash: af8d5e38c6fd251a6d160b6d501679dce1db29b1f430bd920c33481e5335fd4a2509c4a60cf3ecfae1c302b4d9d065f0
SHA1 hash: 8c7eb3c4838a8fc1c743da68d74ab291d269619a
MD5 hash: 6e9c981c1bba3ebbe1e73f2811c25d03
humanhash: idaho-football-north-carolina
File name:PO_3465879876.exe
Download: download sample
Signature modi
Create hunting rule
File size:1'096'872 bytes
First seen:2020-10-15 10:35:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2ba83cb1dec457170b10a42f07b5f42c (6 x ModiLoader, 1 x modi)
ssdeep 24576:O1BLam+mNN6U2Q/RvlNGnGe+953PszaWpWPgE9d:O1+42Wn3kzLpWPg
Threatray 1'046 similar samples on MalwareBazaar
TLSH F435AF33F3A18533C57326359C1766A9A936BF102A2CA8496BF61D4C8F3A3A17D351D3
Reporter abuse_ch
Tags:exe modi ModiLoader


Avatar
abuse_ch
Malspam distributing ModiLoader:

HELO: corporate.orangemali.net
Sending IP: 197.155.141.129
From: Katherine <info@tianma.com>
Subject: NEW ORDER (USA)
Attachment: PO_3465879876.rar (contains "PO_3465879876.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/71240/
Detection(s):
SecuriteInfo.com.Artemis30FD4A13202B.11293.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Setting a global event handler for the keyboard
Sending a TCP request to an infection source
Unauthorized injection to a system process
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/492124
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Fodhelper UAC Bypass
Sigma detected: Remcos
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 298509 Sample: PO_3465879876.exe Startdate: 15/10/2020 Architecture: WINDOWS Score: 100 55 Multi AV Scanner detection for domain / URL 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 Antivirus / Scanner detection for submitted sample 2->59 61 11 other signatures 2->61 8 PO_3465879876.exe 1 15 2->8         started        13 Trpudrv.exe 14 2->13         started        15 Trpudrv.exe 13 2->15         started        process3 dnsIp4 45 discord.com 162.159.128.233, 443, 49720, 49721 CLOUDFLARENETUS United States 8->45 47 cdn.discordapp.com 162.159.133.233, 443, 49722 CLOUDFLARENETUS United States 8->47 41 C:\Users\user\AppData\Local\...\Trpudrv.exe, PE32 8->41 dropped 63 Writes to foreign memory regions 8->63 65 Allocates memory in foreign processes 8->65 67 Creates a thread in another existing process (thread injection) 8->67 17 ieinstal.exe 2 3 8->17         started        21 notepad.exe 4 8->21         started        49 162.159.130.233, 443, 49741, 49745 CLOUDFLARENETUS United States 13->49 51 192.168.2.1 unknown unknown 13->51 69 Antivirus detection for dropped file 13->69 71 Multi AV Scanner detection for dropped file 13->71 73 Injects a PE file into a foreign processes 13->73 23 ieinstal.exe 13->23         started        53 162.159.136.232, 443, 49743, 49744 CLOUDFLARENETUS United States 15->53 25 ieinstal.exe 15->25         started        file5 signatures6 process7 dnsIp8 43 incidencias6645.ddns.net 79.134.225.83, 49734, 49738, 49742 FINK-TELECOM-SERVICESCH Switzerland 17->43 37 C:\Users\user\AppData\Roaming\...\logs.dat, ASCII 17->37 dropped 39 C:\Users\Public39atso.bat, ASCII 21->39 dropped 27 cmd.exe 1 21->27         started        29 cmd.exe 1 21->29         started        file9 process10 process11 31 conhost.exe 27->31         started        33 reg.exe 1 1 27->33         started        35 conhost.exe 29->35         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/78582d172358ebeb7af791aeea731373b6856ab905c5ac122403fd8d0c31b8f3/
Threat name:
Win32.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-10-14 15:38:27 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pbmc2fzdldv6w6xxsgxou4ytoo3ik2vzaxc2yereap6y2dbrxdzq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
003aa42b38825ff5afd6bc9f288ce23c4b6a654b17865eea5cddabb5d5ca332e
modi
00a59bd4f68fa1f661435296736f595c1e20968ce22c21afc2f56099cbb2a600
modi
509cc1160a4457f7919bb870d59f8e16c311757780172b72b29d506fdd54eeda
modi
5cc6ce7f61d7f88aecd12284a5801e55ee4e000121eb9a85f2b5db16c8735a50
modi
7133d7e48e25500913021a3d2c6d4efa3d9ace18d9887cd899f64c3c598c037a
modi
8e0f1afb542d73ead6c9942171d40ba9117a2b6f39c386ba9e51b22b78c7005f
modi
95935a1ae37717226eb2b3d7c53a97cdabe5e9b28d370237f7badef2820ff29b
modi
9ad8092ae1c55539b8e04822282bbc6a8c970b888664a0fd512ac2853736ff61
modi
b8c6d9ced99143d34fd8829125c6ff46bc0c55569f401ec4d1354f3d0825c4c4
modi
e7def582e6c764fb35cad598da8b83da969897d37241402df8c8bac2b870432f
modi
+ 1'036 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
persistence trojan family:modiloader rat family:remcos
Link:
https://tria.ge/reports/201015-ljwstrt3m2/
Behaviour
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader First Stage
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
Unpacked files
SH256 hash:
78582d172358ebeb7af791aeea731373b6856ab905c5ac122403fd8d0c31b8f3
MD5 hash:
6e9c981c1bba3ebbe1e73f2811c25d03
SHA1 hash:
8c7eb3c4838a8fc1c743da68d74ab291d269619a
Link:
https://www.unpac.me/results/d8eaa599-a0c6-4186-98ec-89197b656341/
SH256 hash:
51f376e65f613d6c483afb581daacd1c70420f4618fe808c2a409e064a69adc7
MD5 hash:
5066338a97e7d3fe6da81e53a20ef1c9
SHA1 hash:
281520829e096181201d334e42191ee4fa6f6a52
Link:
https://www.unpac.me/results/d8eaa599-a0c6-4186-98ec-89197b656341/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Diple
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/78582d172358ebeb7af791aeea731373b6856ab905c5ac122403fd8d0c31b8f3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

modi

rar badf84e3d02309b1580a7f069acb6672c7e7365add03478723757253645f230b

modi

Executable exe 78582d172358ebeb7af791aeea731373b6856ab905c5ac122403fd8d0c31b8f3

(this sample)

  
Dropped by
MD5 0c07c75e834cb22a18b0751db2f2409a
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 badf84e3d02309b1580a7f069acb6672c7e7365add03478723757253645f230b
Cape
Cape
https://www.capesandbox.com/analysis/71240/

Comments