MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99af8a4532410841d87e0840619d50b8726e15ea0ab397fd1d8c6e32bb286486. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 99af8a4532410841d87e0840619d50b8726e15ea0ab397fd1d8c6e32bb286486
SHA3-384 hash: 179e02de78e09e054409050927a8becfa402fec7e4db32df7a1770c8d2fa2cb291c3e0d3e19a382054e4ac33af824e20
SHA1 hash: 4bccc48eb61cea8152ff7e82c54263f113e7d43b
MD5 hash: 923a921ea3ca73b082fd95225105c852
humanhash: seventeen-wyoming-december-romeo
File name:docs-06.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:646'808 bytes
First seen:2020-10-16 14:06:24 UTC
Last seen:2020-10-16 15:15:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash af00c2cd3e1abe86ddbb239e27958d26 (6 x ModiLoader, 3 x RemcosRAT, 1 x Formbook)
ssdeep 12288:BEu6Ai+3QzSx++O8AySJxv/EJIy3m8A71UzFvCM2T4F1smtv1mHRm4DhKte1NDG1:F6pexT1YJS8xZzet0mrNr9V
TLSH D4D48E66F2D1C837C373253C8C5B96B49825BD9D2F2569763AE83D8C5F393823429293
Reporter abuse_ch
Tags:exe geo ModiLoader Rackspace TUR


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: smtp89.iad3a.emailsrvr.com
Sending IP: 173.203.187.89
From: Mert DIKERLER <mert.dikerler@geodis.com>
Subject: Teklif talebi
Attachment: docs-06.zip (contains "docs-06.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/72087/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Setting a global event handler for the keyboard
Sending a TCP request to an infection source
Unauthorized injection to a system process
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/493794
Signature
Allocates memory in foreign processes
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 299361 Sample: docs-06.exe Startdate: 16/10/2020 Architecture: WINDOWS Score: 100 37 style.ptbagasps.co.id 2->37 47 Malicious sample detected (through community Yara rule) 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 Detected Remcos RAT 2->51 53 7 other signatures 2->53 9 docs-06.exe 1 15 2->9         started        14 Zfcadrv.exe 13 2->14         started        16 Zfcadrv.exe 13 2->16         started        signatures3 process4 dnsIp5 41 cdn.discordapp.com 162.159.134.233, 443, 49707 CLOUDFLARENETUS United States 9->41 35 C:\Users\user\AppData\Local\...\Zfcadrv.exe, PE32 9->35 dropped 55 Writes to foreign memory regions 9->55 57 Allocates memory in foreign processes 9->57 59 Creates a thread in another existing process (thread injection) 9->59 18 notepad.exe 4 9->18         started        20 ieinstal.exe 2 3 9->20         started        43 162.159.129.233, 443, 49721, 49726 CLOUDFLARENETUS United States 14->43 61 Multi AV Scanner detection for dropped file 14->61 63 Injects a PE file into a foreign processes 14->63 23 ieinstal.exe 14->23         started        45 192.168.2.1 unknown unknown 16->45 25 ieinstal.exe 16->25         started        file6 signatures7 process8 dnsIp9 27 cmd.exe 1 18->27         started        29 cmd.exe 1 18->29         started        39 style.ptbagasps.co.id 193.218.118.190, 42020, 49716, 49717 EPINATURAUA Ukraine 20->39 process10 process11 31 conhost.exe 27->31         started        33 conhost.exe 29->33         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/99af8a4532410841d87e0840619d50b8726e15ea0ab397fd1d8c6e32bb286486/
Threat name:
Win32.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-10-16 12:26:33 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tgxyurjsieeedwd6bbagdhkqxbzg4fpkbkzzp7i5rrxdfozimsda._file
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
trojan family:modiloader persistence
Link:
https://tria.ge/reports/201016-ch3a81qb2a/
Behaviour
Modifies system certificate store
Suspicious use of WriteProcessMemory
Modifies registry key
Adds Run key to start application
ModiLoader First Stage
ModiLoader Second Stage
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
99af8a4532410841d87e0840619d50b8726e15ea0ab397fd1d8c6e32bb286486
MD5 hash:
923a921ea3ca73b082fd95225105c852
SHA1 hash:
4bccc48eb61cea8152ff7e82c54263f113e7d43b
Link:
https://www.unpac.me/results/2430a54e-9308-48a6-9fbb-df8a39aedf3b/
SH256 hash:
197c4fd2875357024805d13b06f68d0895c9ca76ad08dfea28419ed6a2e6b34a
MD5 hash:
7e0e380137cf15350a36bebe9a5c5daf
SHA1 hash:
fb8f7f834078e9b647beedd47199a96d1df147df
Link:
https://www.unpac.me/results/2430a54e-9308-48a6-9fbb-df8a39aedf3b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/99af8a4532410841d87e0840619d50b8726e15ea0ab397fd1d8c6e32bb286486

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

zip eb80a1b1c49c1af29918431775330aa484c6f9bfe4ebda53e42e3cb63593ee77

ModiLoader

Executable exe 99af8a4532410841d87e0840619d50b8726e15ea0ab397fd1d8c6e32bb286486

(this sample)

  
Dropped by
MD5 e2e34871d007d4cc41c239d22c0d102c
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/72087/
  
Dropped by
SHA256 eb80a1b1c49c1af29918431775330aa484c6f9bfe4ebda53e42e3cb63593ee77

Comments