MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a798d4bc2652e8509948c52670f34f2e59149cb2aefc60e486f014ffa112771f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a798d4bc2652e8509948c52670f34f2e59149cb2aefc60e486f014ffa112771f
SHA3-384 hash: dfd85409821854616c58bc9acaa626bd6442648769d7b00af704ca166210c0328b4a77f25fd723368533561d99b3738a
SHA1 hash: 7c2a443c035a12844a23e997fb516a156d889f92
MD5 hash: 234c7ed18a7ea1b5ada06bad5388cf3f
humanhash: nine-spaghetti-quebec-fish
File name:ESTRATTO CONTO DHL-1301383112.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'221'120 bytes
First seen:2020-10-08 17:41:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 624fe783ce1fbfc247a3c0409d1b1239 (6 x ModiLoader)
ssdeep 12288:0pP5SyQ9wblP2AB469py931hFrPRDfI4xZLx7kX8wp0vx7yUD0+:0pR26vZy93NpTjxjkMwp0
Threatray 975 similar samples on MalwareBazaar
TLSH 0D456D12B291CC36C1E22A749C4FC6B89926BE403D27A94736E43F4DBF797513839297
Reporter abuse_ch
Tags:exe ModiLoader


Avatar
abuse_ch
Malspam distributing ModiLoader:

HELO: cloudhost-1457425.us-midwest-1.nxcli.net
Sending IP: 8.29.157.202
From: InvoiceQuery@dhl.com
Subject: ESTRATTO CONTO DHL-1301383112
Attachment: ESTRATTO CONTO DHL-1301383112.iso (contains "ESTRATTO CONTO DHL-1301383112.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69317/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Launching a process
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Setting a global event handler for the keyboard
Sending a TCP request to an infection source
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/485861
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 295373 Sample: ESTRATTO CONTO DHL-1301383112.exe Startdate: 08/10/2020 Architecture: WINDOWS Score: 100 41 Malicious sample detected (through community Yara rule) 2->41 43 Antivirus / Scanner detection for submitted sample 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 8 other signatures 2->47 6 ESTRATTO CONTO DHL-1301383112.exe 1 15 2->6         started        11 Ebtnnek.exe 13 2->11         started        13 Ebtnnek.exe 13 2->13         started        process3 dnsIp4 27 cdn.discordapp.com 162.159.133.233, 443, 49725 CLOUDFLARENETUS United States 6->27 29 discord.com 162.159.136.232, 443, 49722, 49723 CLOUDFLARENETUS United States 6->29 25 C:\Users\user\AppData\Local\...btnnek.exe, PE32 6->25 dropped 49 Writes to foreign memory regions 6->49 51 Allocates memory in foreign processes 6->51 53 Creates a thread in another existing process (thread injection) 6->53 15 ieinstal.exe 2 3 6->15         started        31 162.159.128.233, 443, 49741, 49742 CLOUDFLARENETUS United States 11->31 33 162.159.130.233, 443, 49743 CLOUDFLARENETUS United States 11->33 55 Antivirus detection for dropped file 11->55 57 Multi AV Scanner detection for dropped file 11->57 59 Injects a PE file into a foreign processes 11->59 19 ieinstal.exe 11->19         started        35 162.159.129.233, 443, 49748 CLOUDFLARENETUS United States 13->35 21 ieinstal.exe 13->21         started        file5 signatures6 process7 dnsIp8 37 incidencias6645.ddns.net 79.134.225.83, 49738, 49762, 8638 FINK-TELECOM-SERVICESCH Switzerland 15->37 39 192.168.2.1 unknown unknown 15->39 23 C:\Users\user\AppData\Roaming\...\logs.dat, ASCII 15->23 dropped file9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a798d4bc2652e8509948c52670f34f2e59149cb2aefc60e486f014ffa112771f/
Threat name:
Win32.Trojan.RemcosCrypt
Create hunting rule
Status:
Malicious
First seen:
2020-10-08 11:47:38 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=u6mnjpbgklufbgkiyuthb42pfzmrjhfsv36gbzeg6akp7iiso4pq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
496671f8e1bf18a737d2aeb8039eca02d3d113200de59b2e9967d7dfd9bbefe4
ModiLoader
4f36a71d9195b8639ff47c95e8980ee7f0f5a22371e75e91042c4ad10de1b39c
ModiLoader
53136d19559089e0674af4ad81621b99a031741edcc486eb3d402fd180b1b77e
ModiLoader
791371bc79a77815d56c9bcbfc2b2abebd3b7cb05e3eb1966e425ce1892e13a4
ModiLoader
a1c561c21720c4f1c3626276db6afc2c12b1aae9304c78518763eb78454f84b8
ModiLoader
c2109f44d6d608cb821ea28489e75dbf7c7c18731918f8171bab7445db6e8599
ModiLoader
c86bcfe4e22cb50054b44e38fc4fb79624c4ed5bf9a26174754dbb5c1a6baff8
ModiLoader
daca967edea399a394a8fc24d5ee647d95dc6dadd9dd21e2945ae7a742b3aed8
ModiLoader
deeeb57609c406b43e7e77a38726a357ab063d110c06e4f1c56eb491c20659ce
ModiLoader
fda7edab2bfba6005bc2f82548b9dcef7deec1fef238acc5fee12322d2b2629e
ModiLoader
+ 965 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
persistence trojan family:modiloader rat family:remcos
Link:
https://tria.ge/reports/201008-q7v8pekg4e/
Behaviour
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Adds Run key to start application
ServiceHost packer
ModiLoader, DBatLoader
Remcos
Unpacked files
SH256 hash:
a798d4bc2652e8509948c52670f34f2e59149cb2aefc60e486f014ffa112771f
MD5 hash:
234c7ed18a7ea1b5ada06bad5388cf3f
SHA1 hash:
7c2a443c035a12844a23e997fb516a156d889f92
Detections:
win_dbatloader_auto
Create hunting rule
Link:
https://www.unpac.me/results/8fc65af7-88a3-47ce-9247-cf14f6ae5863/
SH256 hash:
61f51a9fb6b5c468715fd8e65cf641773fd78d67e99480ceb724fed14078648f
MD5 hash:
5217ab36577275e1816b14b0295e9c60
SHA1 hash:
06714ad669e42c63ae4fb0106b0aeec27d62fa19
Detections:
win_dbatloader_g0
Create hunting rule
win_dbatloader_auto
Create hunting rule
Link:
https://www.unpac.me/results/8fc65af7-88a3-47ce-9247-cf14f6ae5863/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a798d4bc2652e8509948c52670f34f2e59149cb2aefc60e486f014ffa112771f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_dbatloader_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

iso 53087e70f2b3875dd24b3575adfbb19d07aea6849ae4524980e976f580a116e5

ModiLoader

Executable exe a798d4bc2652e8509948c52670f34f2e59149cb2aefc60e486f014ffa112771f

(this sample)

  
Dropped by
MD5 fd87c7727302d916b96175d4d2153db8
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69317/
  
Dropped by
SHA256 53087e70f2b3875dd24b3575adfbb19d07aea6849ae4524980e976f580a116e5

Comments