MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b60c965a1425ff01954ce6a917cb4486d5af5cb36f538233139042ea324a64e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9b60c965a1425ff01954ce6a917cb4486d5af5cb36f538233139042ea324a64e
SHA3-384 hash: f2a9043187cbc5c1be3aa29cf4bfb46a1dc2a0759e568089c534791f5fd91e691b817248bc1945e4d7aabd970e00cdc6
SHA1 hash: 5d9bbcea622a6b4bc8122b5d2ad0d6977df1252f
MD5 hash: 52e7e1291dab1a55f22d15412aad74a6
humanhash: bulldog-wisconsin-speaker-fourteen
File name:4mdmiys_Signed_.scr
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'384'792 bytes
First seen:2020-10-09 15:41:46 UTC
Last seen:2020-10-09 17:16:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7d3e89b16ba0d66bb1ffb3848ff742e0 (4 x ModiLoader, 1 x RemcosRAT)
ssdeep 12288:ionlgoDygsQFgvMGgxZpjKvtg+7agQNVTIR+Qixf0BrdcyULy3jhpny23:iolgVfZvMhQRxW0Q69zyo
Threatray 989 similar samples on MalwareBazaar
TLSH 2D553912B2C18CF6D1F219399F16F2E8952DBE405D27AC473EE43A0DBE35251363629E
Reporter abuse_ch
Tags:ARE geo ModiLoader scr


Avatar
abuse_ch
Malspam distributing ModiLoader:

HELO: host8.axxesslocal.co.za
Sending IP: 154.0.175.45
From: CCAvenue payment solutions <customerservice@ccavenue.ae>
Subject: UAE12321- رمز تسجيل دفع المرسل - CCAvenue Payment solutions
Attachment: 4mdmiys_Signed_pdf.img (contains "4mdmiys_Signed_.scr")

Intelligence

File Origin
# of uploads :
2
# of downloads :
130
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69578/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/486887
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 295907 Sample: 4mdmiys_Signed_.scr Startdate: 09/10/2020 Architecture: WINDOWS Score: 100 48 Malicious sample detected (through community Yara rule) 2->48 50 Antivirus / Scanner detection for submitted sample 2->50 52 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->52 54 8 other signatures 2->54 8 Zmdmnek.exe 13 2->8         started        12 4mdmiys_Signed_.exe 1 15 2->12         started        15 Zmdmnek.exe 13 2->15         started        process3 dnsIp4 38 162.159.130.233, 443, 49774, 49777 CLOUDFLARENETUS United States 8->38 56 Antivirus detection for dropped file 8->56 58 Multi AV Scanner detection for dropped file 8->58 60 Machine Learning detection for dropped file 8->60 17 ieinstal.exe 8->17         started        40 discord.com 162.159.128.233, 443, 49745, 49746 CLOUDFLARENETUS United States 12->40 42 cdn.discordapp.com 162.159.135.233, 443, 49747 CLOUDFLARENETUS United States 12->42 34 C:\Users\user\AppData\Local\...\Zmdmnek.exe, PE32 12->34 dropped 62 Writes to foreign memory regions 12->62 64 Allocates memory in foreign processes 12->64 66 Creates a thread in another existing process (thread injection) 12->66 19 notepad.exe 4 12->19         started        21 ieinstal.exe 2 12->21         started        44 162.159.137.232, 443, 49775, 49776 CLOUDFLARENETUS United States 15->44 46 192.168.2.1 unknown unknown 15->46 68 Injects a PE file into a foreign processes 15->68 24 ieinstal.exe 15->24         started        file5 signatures6 process7 dnsIp8 26 cmd.exe 1 19->26         started        28 cmd.exe 1 19->28         started        36 194.5.97.73, 49770, 6890 DANILENKODE Netherlands 21->36 process9 process10 30 conhost.exe 26->30         started        32 conhost.exe 28->32         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9b60c965a1425ff01954ce6a917cb4486d5af5cb36f538233139042ea324a64e/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2020-10-09 05:04:31 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tnqmsznbijp7agkuzzvjc7fujbwvv5olg32tqizrhecc5izeuzha._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
00a59bd4f68fa1f661435296736f595c1e20968ce22c21afc2f56099cbb2a600
ModiLoader
41839aa5e4d72dfb5b544550588a3b18e83b45c64193e96236ddaca0527e303e
ModiLoader
7133d7e48e25500913021a3d2c6d4efa3d9ace18d9887cd899f64c3c598c037a
ModiLoader
8f3b6a725b06abd223aa214244ba4756cba52419dd116506744c386133a805fe
ModiLoader
91622a9d48459e615ea429ef8b03411ce90df650cedd5c451436ee36123593a9
ModiLoader
95935a1ae37717226eb2b3d7c53a97cdabe5e9b28d370237f7badef2820ff29b
ModiLoader
9ad8092ae1c55539b8e04822282bbc6a8c970b888664a0fd512ac2853736ff61
ModiLoader
c8b30a9f515a5568cc22aca8057a1923440516345a926e027baf3906615ce105
ModiLoader
e9bc7c1d038965bb247e69816fbcad2444766abd7082eade34eea3c641025f94
ModiLoader
fda7edab2bfba6005bc2f82548b9dcef7deec1fef238acc5fee12322d2b2629e
ModiLoader
+ 979 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
persistence trojan family:modiloader rat family:remcos
Link:
https://tria.ge/reports/201009-t44jn893hx/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader First Stage
ServiceHost packer
ModiLoader, DBatLoader
Remcos
Unpacked files
SH256 hash:
9b60c965a1425ff01954ce6a917cb4486d5af5cb36f538233139042ea324a64e
MD5 hash:
52e7e1291dab1a55f22d15412aad74a6
SHA1 hash:
5d9bbcea622a6b4bc8122b5d2ad0d6977df1252f
Link:
https://www.unpac.me/results/7cf4ab40-c58d-42c7-a0b6-ad3958530e8c/
SH256 hash:
77f90e239bce6bba874a7ed61d575d1692718423ece813369626d7a888f6c0f9
MD5 hash:
ab61c665cfb948b0d06a9b0eea5fd355
SHA1 hash:
f6a1e7a4a1898808193553d0c84d055787609434
Detections:
win_dbatloader_g0
Create hunting rule
win_dbatloader_auto
Create hunting rule
Link:
https://www.unpac.me/results/7cf4ab40-c58d-42c7-a0b6-ad3958530e8c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9b60c965a1425ff01954ce6a917cb4486d5af5cb36f538233139042ea324a64e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_dbatloader_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

img da1143ed1481ff1759194a2b8fe6f6897de624d926730779fc12c3b7686d559c

ModiLoader

Executable exe 9b60c965a1425ff01954ce6a917cb4486d5af5cb36f538233139042ea324a64e

(this sample)

  
Dropped by
MD5 da1431521817166739fc7188f992a2f8
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69578/
  
Dropped by
SHA256 da1143ed1481ff1759194a2b8fe6f6897de624d926730779fc12c3b7686d559c

Comments