MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d537e6551b2b3274942aa184949fda010e0c2a1a5ce9b8a3924f34b6e79ad9e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7d537e6551b2b3274942aa184949fda010e0c2a1a5ce9b8a3924f34b6e79ad9e
SHA3-384 hash: 07bc022abc2ec2621202fe4064a1748ddcf08a1c830b4f61b93e20aae593ab5a96de10515c6022bf4cf800409ffdd13a
SHA1 hash: 7ba3f5012e9672069493bc25a2b1ce01946ed68f
MD5 hash: 79e5648312a58377ef76d2346404ef12
humanhash: fanta-two-utah-maine
File name:79e5648312a58377ef76d2346404ef12.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:801'792 bytes
First seen:2023-08-02 09:09:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8e06c93dcf3919c71d43e1595ee9d9a7 (2 x ModiLoader)
ssdeep 12288:7q9zUX+2NAOdFyglsKMlCbuGg4Ut8wNCPAJFfriiiag72asGS99Spo+:uF8NAOLyglAlCb7gX/NCoziiiXDp
Threatray 2'359 similar samples on MalwareBazaar
TLSH T10005C02672A0D433E21B2C35C95BE3B484697D342F34A4797AC57E9CBB7E78228241D7
TrID 30.5% (.SCR) Windows screen saver (13097/50/3)
24.5% (.EXE) Win64 Executable (generic) (10523/12/4)
15.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.5% (.EXE) Win32 Executable (generic) (4505/5/1)
4.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 80b4f0c4e4d2d400 (3 x ModiLoader, 1 x RemcosRAT)
Reporter abuse_ch
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
287
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
Company Profile - CHUKYO SL CO., LTD.doc
Verdict:
Malicious activity
Analysis date:
2023-08-02 06:25:00 UTC
Tags:
ole-embedded opendir loader dbatloader keylogger rat remcos remote
Link:
https://app.any.run/tasks/5352cc9a-0e12-47cf-b4d2-606baf0919de

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/439820/
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.10406.13930.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending an HTTP GET request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Searching for the window
Sending a custom TCP request
Enabling the 'hidden' option for recently created files
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control keylogger lolbin packed
Link:
https://www.filescan.io/uploads/64ca1d3b88dd49b8cef6e793/reports/47022463-63e2-46ad-89e2-db4382172b89/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/7d537e6551b2b3274942aa184949fda010e0c2a1a5ce9b8a3924f34b6e79ad9e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dbatloader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/38f88ce2-6c08-4c91-8528-a21c584a5ee2
Result
Threat name:
DBatLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1284284
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1284284 Sample: e50YC8LCQh.exe Startdate: 02/08/2023 Architecture: WINDOWS Score: 100 69 Found malware configuration 2->69 71 Malicious sample detected (through community Yara rule) 2->71 73 Antivirus detection for URL or domain 2->73 75 8 other signatures 2->75 10 e50YC8LCQh.exe 1 7 2->10         started        15 Jqmyxoiw.PIF 2->15         started        process3 dnsIp4 59 travelinspiration.sa.com 172.93.123.137, 49715, 49718, 80 HOST4GEEKS-LLCUS United States 10->59 45 C:\Users\Public\Libraries\netutils.dll, PE32+ 10->45 dropped 47 C:\Users\Public\Libraries\easinvoker.exe, PE32+ 10->47 dropped 49 C:\Users\Public\Libraries\Jqmyxoiw.PIF, PE32 10->49 dropped 83 Drops PE files with a suspicious file extension 10->83 85 Writes to foreign memory regions 10->85 87 Allocates memory in foreign processes 10->87 93 2 other signatures 10->93 17 cmd.exe 3 10->17         started        20 colorcpl.exe 5 14 10->20         started        89 Multi AV Scanner detection for dropped file 15->89 91 Machine Learning detection for dropped file 15->91 23 colorcpl.exe 15->23         started        file5 signatures6 process7 dnsIp8 63 Uses ping.exe to sleep 17->63 65 Drops executables to the windows directory (C:\Windows) and starts them 17->65 67 Uses ping.exe to check the status of other devices and networks 17->67 25 easinvoker.exe 17->25         started        27 PING.EXE 1 17->27         started        30 xcopy.exe 2 17->30         started        33 6 other processes 17->33 55 20.214.203.178, 4034, 49716 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 20->55 57 geoplugin.net 178.237.33.50, 49717, 80 ATOM86-ASATOM86NL Netherlands 20->57 signatures9 process10 dnsIp11 35 cmd.exe 1 25->35         started        61 127.0.0.1 unknown unknown 27->61 51 C:\Windows \System32\easinvoker.exe, PE32+ 30->51 dropped 53 C:\Windows \System32\netutils.dll, PE32+ 33->53 dropped file12 process13 signatures14 77 Suspicious powershell command line found 35->77 79 Adds a directory exclusion to Windows Defender 35->79 38 powershell.exe 21 35->38         started        41 conhost.exe 35->41         started        process15 signatures16 81 DLL side loading technique detected 38->81 43 conhost.exe 38->43         started        process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7d537e6551b2b3274942aa184949fda010e0c2a1a5ce9b8a3924f34b6e79ad9e/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2023-08-02 06:28:49 UTC
File Type:
PE (Exe)
Extracted files:
39
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pvjx4zkrwkzsoskcvimessp5uaiobqvbuxhjxcrzetzuw3tzvwpa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
08ebb1861d8ba3d60d87967ec99a106a288119c1f871bc08bae31e55cee745cd
ModiLoader
4038439ae519453da6ef2075154a367f29889fd0d085b588f02f2e20feaf25ab
ModiLoader
4705d0455f510489e38077583207db8f77ceb5c6283b130fb24dcd82f8bbc4bd
ModiLoader
4b402fc22d549d386739470a310d2b3df617cea9667d950fe26fd58f49cd89e4
ModiLoader
90399d618bfbcf4d3adf3abebad223be29ef4a310b486d7f7e5b8bc3b2a00416
ModiLoader
9e0e03b59e2a06a0c63e11e5c031aca3cda0119b77d90e256e45aab01830e827
ModiLoader
bdb1c780b6be528e436a70faf51d5e3b4f888afedcfd862bdd26af41ff333f42
ModiLoader
+ 2'349 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader persistence trojan
Link:
https://tria.ge/reports/230802-k4glkadh28/
Behaviour
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
ModiLoader Second Stage
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
fe7fcf48d06a26bb42f5c8c8760947f8af8510b00bd1aaf57d9f13a2eb79623c
MD5 hash:
4fbcf31e8151a64bbf6f08f3beef8cc0
SHA1 hash:
0e7666463b0e2da077aefd6b447a2c428512de79
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/f9609455-3e18-4cc0-ab29-87b8c9f6e274/
SH256 hash:
7d537e6551b2b3274942aa184949fda010e0c2a1a5ce9b8a3924f34b6e79ad9e
MD5 hash:
79e5648312a58377ef76d2346404ef12
SHA1 hash:
7ba3f5012e9672069493bc25a2b1ce01946ed68f
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/f9609455-3e18-4cc0-ab29-87b8c9f6e274/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7d537e6551b2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7d537e6551b2b3274942aa184949fda010e0c2a1a5ce9b8a3924f34b6e79ad9e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CMD_Ping_Localhost
Create hunting rule
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ModiLoader

Executable exe 7d537e6551b2b3274942aa184949fda010e0c2a1a5ce9b8a3924f34b6e79ad9e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2695813/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/439820/

Comments