MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f425eb8fd149d006ba3d4902f80f24cc81c7e4215f66644b700da5b5a4edd03. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9f425eb8fd149d006ba3d4902f80f24cc81c7e4215f66644b700da5b5a4edd03
SHA3-384 hash: fe71eae1cad39b6fe1a9f1fd0e8bffde94faacb6076a10203e5fb7e1a8e8b30b00bacbf5275c5b405a1bc823ff261cd5
SHA1 hash: cb02dc5b85a4f95d0c69f09a59c0e89750537704
MD5 hash: a302d334cdb587b78e4c0755b8c5c679
humanhash: freddie-nitrogen-cold-yankee
File name:Purchase Order 35.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'119'232 bytes
First seen:2020-10-23 13:19:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c69785fe9cbd1d77d7a9bfb5553fbd19 (4 x ModiLoader, 1 x NetWire, 1 x RemcosRAT)
ssdeep 12288:j8xnrNVGQcigXmng7X+XmYWGQO7lGcRvR+ec0X6Dm9tEx6/nl6weV+8YZqckawUS:eriQciDnQ9YWmRnfxyi0luk
Threatray 1'027 similar samples on MalwareBazaar
TLSH AB358D21B291CB37D0779AF54C16B77899A5BE00ED247C86F6ACEC485F35DC0782B1A2
Reporter abuse_ch
Tags:exe ModiLoader


Avatar
abuse_ch
Malspam distributing ModiLoader:

HELO: mailserver59.parsdata.com
Sending IP: 185.128.81.59
From: Kapolis Schneider <info@arzinbooks.com>
Reply-To: abujafirms1@gmail.com
Subject: Purchase Order
Attachment: Purchase Order 35.gz (contains "Purchase Order 35.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/75055/
Detection(s):
SecuriteInfo.com.Fareit-FZO345F40C742FA.17750.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Setting a global event handler for the keyboard
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/508147
Signature
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 303194 Sample: Purchase Order 35.exe Startdate: 23/10/2020 Architecture: WINDOWS Score: 100 30 cdn.onenote.net 2->30 40 Malicious sample detected (through community Yara rule) 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 Detected Remcos RAT 2->44 46 7 other signatures 2->46 7 Purchase Order 35.exe 1 15 2->7         started        12 Xkjydrv.exe 13 2->12         started        14 Xkjydrv.exe 13 2->14         started        signatures3 process4 dnsIp5 32 discord.com 162.159.128.233, 443, 49713, 49733 CLOUDFLARENETUS United States 7->32 34 cdn.discordapp.com 162.159.130.233, 443, 49714 CLOUDFLARENETUS United States 7->34 26 C:\Users\user\AppData\Local\...\Xkjydrv.exe, PE32 7->26 dropped 48 Writes to foreign memory regions 7->48 50 Creates a thread in another existing process (thread injection) 7->50 52 Injects a PE file into a foreign processes 7->52 16 ieinstal.exe 2 3 7->16         started        36 162.159.134.233, 443, 49735 CLOUDFLARENETUS United States 12->36 54 Multi AV Scanner detection for dropped file 12->54 20 ieinstal.exe 12->20         started        38 162.159.135.233, 443, 49739 CLOUDFLARENETUS United States 14->38 22 ieinstal.exe 14->22         started        file6 signatures7 process8 dnsIp9 28 185.19.85.179, 2021, 49721 DATAWIRE-ASCH Switzerland 16->28 24 C:\Users\user\AppData\Roaming\...\logs.dat, ASCII 16->24 dropped file10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9f425eb8fd149d006ba3d4902f80f24cc81c7e4215f66644b700da5b5a4edd03/
Threat name:
Win32.Trojan.NetWired
Create hunting rule
Status:
Malicious
First seen:
2020-10-23 13:06:51 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t5bf5oh5csoqa25d2sic7ahsjteby7sccx3gmrfxadnfwwso3ubq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
046ff9f608525faf76e353263ddad485e547ff4797b183ddd850f0f2c8209f91
ModiLoader
4776e02c6cd50638e0cfafc99146fd9296dea093143b7135a4d32e0767673c95
ModiLoader
53136d19559089e0674af4ad81621b99a031741edcc486eb3d402fd180b1b77e
ModiLoader
65228df6e85371a2b4b1e5340f11e36cdc94f8b39bda216c0ed143eaac36912b
ModiLoader
7f53893a9ce40e497ef34ecfc9c4f493b9d5dd7f989b60ffa248cbf289a1505a
ModiLoader
82b070a42d50b8e37b551543e041933140f3823138b0997fccd4ad926df8183b
ModiLoader
a1c561c21720c4f1c3626276db6afc2c12b1aae9304c78518763eb78454f84b8
ModiLoader
c86bcfe4e22cb50054b44e38fc4fb79624c4ed5bf9a26174754dbb5c1a6baff8
ModiLoader
dc1c1c501965a46f02d345785cd1ec1f9bdb74f2defe3402c9e2b4a6f0959b8a
ModiLoader
e8094459a8fbcf684a411188c294898454be6db6b3cf31185e346e8cd705744e
ModiLoader
+ 1'017 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
persistence trojan family:modiloader rat family:remcos
Link:
https://tria.ge/reports/201023-ekv35chxxj/
Behaviour
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader First Stage
ModiLoader Second Stage
ServiceHost packer
ModiLoader, DBatLoader
Remcos
Unpacked files
SH256 hash:
9f425eb8fd149d006ba3d4902f80f24cc81c7e4215f66644b700da5b5a4edd03
MD5 hash:
a302d334cdb587b78e4c0755b8c5c679
SHA1 hash:
cb02dc5b85a4f95d0c69f09a59c0e89750537704
Link:
https://www.unpac.me/results/ec4592a8-2207-4867-8ae2-63f8086369da/
SH256 hash:
6f9d3c18a0e0e4fe34a5650b380f05c9120b0cb89c082159fd1f5f495f3167c6
MD5 hash:
8420182cacaae577e7800659862b37f3
SHA1 hash:
b27a5112eba61e56a06ff3f4e1a99c00f34cb680
Link:
https://www.unpac.me/results/ec4592a8-2207-4867-8ae2-63f8086369da/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9f425eb8fd149d006ba3d4902f80f24cc81c7e4215f66644b700da5b5a4edd03

File information

The table below shows additional information about this malware sample such as delivery method and external references.

c41e8b05adbd37110d5091189261a03f

ModiLoader

Executable exe 9f425eb8fd149d006ba3d4902f80f24cc81c7e4215f66644b700da5b5a4edd03

(this sample)

  
Dropped by
MD5 c41e8b05adbd37110d5091189261a03f
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/75055/

Comments