MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a6768e4157433dabc90663bb00e5f0ac8294d30409de6bcf57faed3fd1bf2f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8a6768e4157433dabc90663bb00e5f0ac8294d30409de6bcf57faed3fd1bf2f0
SHA3-384 hash: d439d1d04a1dffc8e85e13302440d4e00b62cf70837c82e9233ce3f5554bedbaeda8078bdbe8f2a69aac3b59e2e303f3
SHA1 hash: 2fa91b6ba3169f98d38d4673dd9c6b758bc00147
MD5 hash: 873a35fe0ed3ac6bb326c71a2d951865
humanhash: utah-nevada-bulldog-beer
File name:Payment_details.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:626'328 bytes
First seen:2020-12-23 19:20:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3365f5f0a5c9d37739d88d8129eebf55 (3 x ModiLoader)
ssdeep 12288:B0O9si66PFSav1nfcja/P4Tulz6dOG6767a2SwiscMnw:B0a+6UOfCa/A/6767au2V
Threatray 1'486 similar samples on MalwareBazaar
TLSH 27D48E22B3D04977D513EE78BC4BA3B45829BD903D29A4467AE61DBC4F78350392F293
Reporter abuse_ch
Tags:exe ModiLoader


Avatar
abuse_ch
Malspam distributing ModiLoader:

HELO: mail0.fycompanies.com
Sending IP: 174.138.17.231
From: Manikandan Elumalai <info5@fycompanies.com>
Subject: Payment
Attachment: Payment_details.rar (contains "Payment_details.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
975
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment_details.exe
Verdict:
Malicious activity
Analysis date:
2020-12-23 19:21:50 UTC
Tags:
rat remcos keylogger
Link:
https://app.any.run/tasks/180d7ee4-03ce-44c9-8837-86675388ac44

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/109231/
Detection(s):
PUA.Win.Trojan.Generic-6629274-0
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

PUA.Win.Adware.Qjwmonkey-6892535-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Connection attempt
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Setting a global event handler for the keyboard
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/569414
Signature
Allocates memory in foreign processes
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 333768 Sample: Payment_details.exe Startdate: 23/12/2020 Architecture: WINDOWS Score: 100 30 graceofgod1.ddns.net 2->30 42 Malicious sample detected (through community Yara rule) 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 Detected Remcos RAT 2->46 48 10 other signatures 2->48 7 Payment_details.exe 1 16 2->7         started        12 Jvwvdvst.exe 14 2->12         started        14 Jvwvdvst.exe 14 2->14         started        signatures3 process4 dnsIp5 32 discord.com 162.159.135.232, 443, 49717, 49746 CLOUDFLARENETUS United States 7->32 34 cdn.discordapp.com 162.159.135.233, 443, 49718, 49740 CLOUDFLARENETUS United States 7->34 26 C:\Users\user\AppData\Local\...\Jvwvdvst.exe, PE32 7->26 dropped 50 Writes to foreign memory regions 7->50 52 Allocates memory in foreign processes 7->52 54 Creates a thread in another existing process (thread injection) 7->54 16 ieinstal.exe 2 3 7->16         started        36 162.159.138.232, 443, 49739 CLOUDFLARENETUS United States 12->36 56 Machine Learning detection for dropped file 12->56 58 Injects a PE file into a foreign processes 12->58 20 ieinstal.exe 12->20         started        38 162.159.130.233, 443, 49747 CLOUDFLARENETUS United States 14->38 40 192.168.2.1 unknown unknown 14->40 22 ieinstal.exe 14->22         started        file6 signatures7 process8 dnsIp9 28 graceofgod1.ddns.net 198.12.76.78, 3335, 49732, 49735 AS-COLOCROSSINGUS United States 16->28 24 C:\Users\user\AppData\Roaming\...\logs.dat, ASCII 16->24 dropped file10
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8a6768e4157433dabc90663bb00e5f0ac8294d30409de6bcf57faed3fd1bf2f0/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-12-23 09:01:38 UTC
AV detection:
35 of 48 (72.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rjtwrzavoqz5vpeqmy53ads7blecstjqico6nphvp6xnh7i36lya._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
2ccee108cf8e10eeef5129554e97fdb481d375475419be26cff2430360db2689
ModiLoader
2fb4862367a755e48fdc223af9a1324ba792d3ac05f36125c3e39886505afa09
ModiLoader
4284003dc87d3f8afa499b3edac620589dba8b1ac5d9a38d943dd0b381a473c5
ModiLoader
5fb4f85646ca28a28ebcbdf6abc944530a57222c7c57b90538a3fb1e436632d5
ModiLoader
74b843d9cabf046a044581d20033d93eecf9d8ea590ce9557569e40d990e6241
ModiLoader
8a80a1c48400546143aced0396b65c1f689aaee44e5a53328c240e907557f554
ModiLoader
91ed2df39c53d7246eb84f3023072797925fa037f3a35c585247afc38322c649
ModiLoader
e7def582e6c764fb35cad598da8b83da969897d37241402df8c8bac2b870432f
ModiLoader
e8001e686b3c1972277296e3ed20992b8fd67e7c7f8dc16a827e09d3f22b02e0
ModiLoader
e86d9b9cdf1f341e2c2f811a31d371204d181385f6c32282057b976d25f53591
ModiLoader
+ 1'476 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos persistence rat trojan
Link:
https://tria.ge/reports/201223-cat9lwa3fj/
Behaviour
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader First Stage
ServiceHost packer
ModiLoader, DBatLoader
Remcos
Unpacked files
SH256 hash:
8a6768e4157433dabc90663bb00e5f0ac8294d30409de6bcf57faed3fd1bf2f0
MD5 hash:
873a35fe0ed3ac6bb326c71a2d951865
SHA1 hash:
2fa91b6ba3169f98d38d4673dd9c6b758bc00147
Link:
https://www.unpac.me/results/709a2f64-2e63-45f6-9b8e-96e6a9915948/
SH256 hash:
b06a4efc54c88b3c247c357a33f21514ff0d73daf97e97123ea73c0b2f240ca7
MD5 hash:
8d8fa5c16a2acd19a360b59e07968f1c
SHA1 hash:
2dc5677e6a9701c9532cc6d443bd184d9cb1cbc9
Link:
https://www.unpac.me/results/709a2f64-2e63-45f6-9b8e-96e6a9915948/
SH256 hash:
87dacc4715da9b9bb9bd77881af22c6ea353c95e97fc779fd0798ef2acf667e8
MD5 hash:
c48129cb756c33cff2b1d53c97e33b10
SHA1 hash:
a8827d97dde1662f1dff203ec4455573d9337ad6
Link:
https://www.unpac.me/results/709a2f64-2e63-45f6-9b8e-96e6a9915948/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/8a6768e4157433dabc90663bb00e5f0ac8294d30409de6bcf57faed3fd1bf2f0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

rar 292c8c1967b96a0386aa13e3f4663f75025a67aad2e6f13aa6b7e8aa95e195bc

ModiLoader

Executable exe 8a6768e4157433dabc90663bb00e5f0ac8294d30409de6bcf57faed3fd1bf2f0

(this sample)

  
Dropped by
MD5 c2a4d2f11bfcebb60083d015b74e6ce8
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 292c8c1967b96a0386aa13e3f4663f75025a67aad2e6f13aa6b7e8aa95e195bc
Cape
Cape
https://www.capesandbox.com/analysis/109231/

Comments