MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a7eae36a54dada555db57bd8f24e4a38a9b0f0432e13d19b16b538deb5e4142. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7a7eae36a54dada555db57bd8f24e4a38a9b0f0432e13d19b16b538deb5e4142
SHA3-384 hash: 6f927bda1d4cb09f74351f391b0789e0fb259fb09d1f82469c1f2b2241daf7485c0b98a6152c9deeb757f64705cd28d6
SHA1 hash: ae8725377f8f3f389f438337485ed3158678cd78
MD5 hash: 2e4a22565f4b0d25114b3eb3c9bcf914
humanhash: london-mexico-victor-potato
File name:Xfltdrn_Signed_.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:590'856 bytes
First seen:2020-10-06 21:28:26 UTC
Last seen:2020-10-06 22:39:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 670abb2f355225fa8d6e481bc6bb7364 (7 x ModiLoader, 1 x Loki)
ssdeep 12288:eP2oEhUMrM7FX/SdjY3ZrL26InkKVJxckI+OO:euzUMrYXaBKXSkKVAkIy
Threatray 972 similar samples on MalwareBazaar
TLSH B6C48D22B2925437C1331A788C6FA3EDBE26BF502D786C461BF81D0D5F39782791A197
Reporter GovCERT_CH

Intelligence

File Origin
# of uploads :
2
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/68690/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Connection attempt
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Setting a global event handler for the keyboard
Unauthorized injection to a system process
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/483404
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Fodhelper UAC Bypass
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 294142 Sample: Xfltdrn_Signed_.exe Startdate: 06/10/2020 Architecture: WINDOWS Score: 100 42 u875414.nsupdate.info 2->42 44 u875414.duckdns.org 2->44 46 2 other IPs or domains 2->46 64 Malicious sample detected (through community Yara rule) 2->64 66 Antivirus / Scanner detection for submitted sample 2->66 68 Multi AV Scanner detection for submitted file 2->68 70 8 other signatures 2->70 9 Xfltdrn_Signed_.exe 1 15 2->9         started        14 Xfltnek.exe 13 2->14         started        16 Xfltnek.exe 13 2->16         started        signatures3 process4 dnsIp5 54 discord.com 162.159.135.232, 443, 49735, 49736 CLOUDFLARENETUS United States 9->54 56 cdn.discordapp.com 162.159.135.233, 443, 49737, 49771 CLOUDFLARENETUS United States 9->56 40 C:\Users\user\AppData\Local\...\Xfltnek.exe, PE32 9->40 dropped 72 Writes to foreign memory regions 9->72 74 Allocates memory in foreign processes 9->74 76 Creates a thread in another existing process (thread injection) 9->76 18 notepad.exe 4 9->18         started        21 ieinstal.exe 2 3 9->21         started        58 162.159.134.233, 443, 49765 CLOUDFLARENETUS United States 14->58 60 162.159.138.232, 443, 49763, 49764 CLOUDFLARENETUS United States 14->60 78 Antivirus detection for dropped file 14->78 80 Multi AV Scanner detection for dropped file 14->80 82 Injects a PE file into a foreign processes 14->82 24 ieinstal.exe 14->24         started        62 162.159.136.232, 443, 49768, 49770 CLOUDFLARENETUS United States 16->62 26 ieinstal.exe 16->26         started        file6 signatures7 process8 dnsIp9 38 C:\Users\Public38atso.bat, ASCII 18->38 dropped 28 cmd.exe 1 18->28         started        30 cmd.exe 1 18->30         started        48 u875414.nsupdate.info 21->48 50 u875414.duckdns.org 21->50 52 3 other IPs or domains 21->52 file10 process11 process12 32 conhost.exe 28->32         started        34 reg.exe 1 1 28->34         started        36 conhost.exe 30->36         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7a7eae36a54dada555db57bd8f24e4a38a9b0f0432e13d19b16b538deb5e4142/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2020-10-06 16:02:27 UTC
AV detection:
28 of 29 (96.55%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pj7k4nvfjww2kvo3k66y6jheuofjwdyeglqt2gnrnnjy3226ifba._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0965f63851a278a87bc8886a5b370b150af79d91fb0177a85e181555784ad114
ModiLoader
37c2608ad09b3f6d0cd33476b8f6bf6fefd1a0f2408657072da80a0454da7e6f
ModiLoader
53136d19559089e0674af4ad81621b99a031741edcc486eb3d402fd180b1b77e
ModiLoader
54cdc9b1ede5661104e61f012de44e010500744c2b3003a6ffaff2f3f6eded34
ModiLoader
96359e31d13a327a3d1de808c5420193be3691628da4f409d8d5ed14be35b038
ModiLoader
a1c561c21720c4f1c3626276db6afc2c12b1aae9304c78518763eb78454f84b8
ModiLoader
c2109f44d6d608cb821ea28489e75dbf7c7c18731918f8171bab7445db6e8599
ModiLoader
c86bcfe4e22cb50054b44e38fc4fb79624c4ed5bf9a26174754dbb5c1a6baff8
ModiLoader
daca967edea399a394a8fc24d5ee647d95dc6dadd9dd21e2945ae7a742b3aed8
ModiLoader
deeeb57609c406b43e7e77a38726a357ab063d110c06e4f1c56eb491c20659ce
ModiLoader
+ 962 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
persistence trojan family:modiloader rat family:remcos
Link:
https://tria.ge/reports/201006-rrplwnb6xn/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader Second Stage
ServiceHost packer
ModiLoader, DBatLoader
Remcos
Unpacked files
SH256 hash:
7a7eae36a54dada555db57bd8f24e4a38a9b0f0432e13d19b16b538deb5e4142
MD5 hash:
2e4a22565f4b0d25114b3eb3c9bcf914
SHA1 hash:
ae8725377f8f3f389f438337485ed3158678cd78
Detections:
win_dbatloader_auto
Create hunting rule
Link:
https://www.unpac.me/results/103166f4-aeb8-4e2d-bd4f-298e3d16c4ee/
SH256 hash:
f2dfcf2319839132b0d06585a79c7895524b870688cd07eabc9b40dbe9c5534f
MD5 hash:
48e9df002921d083caec06def209587e
SHA1 hash:
27c4660b5b9a074c7cb2d99a3b41399ac4b534ad
Detections:
win_dbatloader_g0
Create hunting rule
Link:
https://www.unpac.me/results/103166f4-aeb8-4e2d-bd4f-298e3d16c4ee/
SH256 hash:
62d60275931bea734e78203c2fc6d083104f2098b2eb1f61e9bd1ec44cb0c41c
MD5 hash:
57d2b7cf5d803f98b920d36599884dee
SHA1 hash:
695c8154f6d071298870f63f68f508bde5ce1970
Link:
https://www.unpac.me/results/103166f4-aeb8-4e2d-bd4f-298e3d16c4ee/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7a7eae36a54dada555db57bd8f24e4a38a9b0f0432e13d19b16b538deb5e4142

File information

The table below shows additional information about this malware sample such as delivery method and external references.

ebd56347d1e374ad279984c4f6df48fdbbf86da5750f836e3d6c091a12a2ef49

ModiLoader

Executable exe 7a7eae36a54dada555db57bd8f24e4a38a9b0f0432e13d19b16b538deb5e4142

(this sample)

  
Dropped by
MD5 e7926abe1965de16dad99d68ac4acec9
  
Dropped by
SHA256 ebd56347d1e374ad279984c4f6df48fdbbf86da5750f836e3d6c091a12a2ef49
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/68690/

Comments