MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 871f11c78d3f9bf94da3d5442f4fe2a3bfe6a3d26cf4768d70f9a37d58bac8d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ModiLoader

Vendor detections: 9

SHA256 hash: 871f11c78d3f9bf94da3d5442f4fe2a3bfe6a3d26cf4768d70f9a37d58bac8d9
SHA3-384 hash: 5071c0ce0d061d1814e4a9ec700b0df364e4deafdb5ce24d5768152639b41082e71acf687fdb2bb702bf76ff8e5f8585
SHA1 hash: 92f47f5e871fd0b2eb290f4d45169815859d9729
MD5 hash: 7aae917eb0ec1711828ea7f39687c3e8
humanhash: north-hot-football-one
File name: 7aae917eb0ec1711828ea7f39687c3e8.exe
Signature: ModiLoader
File size: 1'396'928 bytes
First seen: 2020-11-25 06:50:23 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b3031dcaa001b5627964ad5d58c94df0 (1 x RemcosRAT, 1 x ModiLoader)
ssdeep: 24576:W2VVkU9ePOc4YcpNB9TnBVU9B+J2QArjybPB6AI8HbWoAV:W0D0PzcV5gu4BYK
Threatray: 1'464 similar samples on MalwareBazaar
TLSH: 1A55C022B1518837C5277ABEDD2B92D96E75BE607C18664F3BF46C0C4F3AA807C25193
Reporter: abuse_ch
Tags: exe ModiLoader

Intelligence


File Origin
# of uploads:
1
# of downloads:
112
Origin country:
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Injects a PE file into a foreign process
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Behavior Graph ID: 322407
Sample: tzjEwwwbqK.exe
Start date: 25/11/2020
Architecture: WINDOWS
Score: 100

Sample-level DNS names: agentpapple.ac.ug, taenaia.ac.ug
Sample-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected Remcos RAT; 4 other signatures

Process tree, network activity and dropped files (reconstructed from the behaviour graph):
tzjEwwwbqK.exe
    Network: cdn.discordapp.com 162.159.130.233, 443, 49710, 49728 CLOUDFLARENETUS United States; discord.com 162.159.136.232, 443, 49709 CLOUDFLARENETUS United States
    Dropped: C:\Users\user\AppData\Local\...\Dfecdrv.exe, PE32
    Signatures: Creates autostart registry keys with suspicious names; Writes to foreign memory regions; Allocates memory in foreign processes
    Starts: ieinstal.exe, svchost.exe
        ieinstal.exe
            Network: agentpapple.ac.ug; taenaia.ac.ug 185.140.53.149, 49720, 49721, 49723 DAVID_CRAIGGG Sweden
        svchost.exe
            Starts: cmd.exe (two instances)
                cmd.exe
                    Starts: conhost.exe
                cmd.exe
                    Starts: conhost.exe
Dfecdrv.exe
    Network: 162.159.137.232, 443, 49727, 49734 CLOUDFLARENETUS United States
    Signatures: Multi AV Scanner detection for dropped file; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign process
    Starts: ieinstal.exe
Dfecdrv.exe
    Network: 162.159.129.233, 443, 49735 CLOUDFLARENETUS United States
    Starts: ieinstal.exe
Threat name:
Win32.Trojan.Delf
Status:
Malicious
First seen:
2020-11-24 19:37:38 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
5/5
Result
Malware family:
modiloader
Score:
10/10
Tags:
family:modiloader persistence trojan
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious use of WriteProcessMemory
Adds Run key to start application
ServiceHost packer
ModiLoader, DBatLoader
Unpacked files
SHA256 hash:
871f11c78d3f9bf94da3d5442f4fe2a3bfe6a3d26cf4768d70f9a37d58bac8d9
MD5 hash:
7aae917eb0ec1711828ea7f39687c3e8
SHA1 hash:
92f47f5e871fd0b2eb290f4d45169815859d9729
SHA256 hash:
d988ecdebfa5959e787694ef2ba6935d3b989b0f682a44576018a71bf44a0a3c
MD5 hash:
97171efaab1275f8a570c77dde92e326
SHA1 hash:
3163e60cdd03336f87baebffbf867769e1521ff6
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Malware family: ModiLoader
File type: Executable exe
SHA256 hash: 871f11c78d3f9bf94da3d5442f4fe2a3bfe6a3d26cf4768d70f9a37d58bac8d9 (this sample)
