MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab9041fe7e0a4a439521d6eb01cc16d74c00a0427c86b067120ac453ba7329d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ab9041fe7e0a4a439521d6eb01cc16d74c00a0427c86b067120ac453ba7329d9
SHA3-384 hash: 5cf09b986fee001a7502f46cc15411044b5823f9db618225fed796d90b2fb302b1bcfad3d6530c6031ec2ecd53635554
SHA1 hash: 9a837c5acb29a5c4aead790a4a40e5cf37aad068
MD5 hash: 0d9e4856916c7ca35d85f2b19240572f
humanhash: wolfram-maryland-march-queen
File name:DHL_77232.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'241'792 bytes
First seen:2020-11-04 15:08:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash eb7f24d623823df7a34ad95dfb8bfd95 (15 x ModiLoader, 1 x AveMariaRAT, 1 x Loki)
ssdeep 24576:g0S5Bo6taFaaRKDZAI89d6yzEJR4mpQSMdVHfoj:gpjExRbzEJumpRMdE
Threatray 1'007 similar samples on MalwareBazaar
TLSH BD455A72FA40D431E42229755D1BC6FCA43ABD702D24940A7BE9EF5C2E362D3B936247
Reporter James_inthe_box
Tags:exe ModiLoader

Code Signing Certificate

Organisation:Microsoft Time-Stamp Service
Issuer:Microsoft Time-Stamp PCA
Algorithm:sha1WithRSAEncryption
Valid from:Sep 7 17:58:55 2016 GMT
Valid to:Sep 7 17:58:55 2018 GMT
Serial number: 33000000CA7D32167C7EFD05030000000000CA
Intelligence: 6 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 375A80AE663EDF24E46C4F5F48863018C3E54EC04580E014F7A7B67B4A405A1D
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/82941/
Detection(s):
SecuriteInfo.com.Fareit-FZO82C53D0CF1F4.16975.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Setting a global event handler for the keyboard
Sending a TCP request to an infection source
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos ModiLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/520320
Signature
Allocates memory in foreign processes
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Fodhelper UAC Bypass
Writes to foreign memory regions
Yara detected ModiLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 309258 Sample: DHL_77232.exe Startdate: 04/11/2020 Architecture: WINDOWS Score: 100 51 Multi AV Scanner detection for domain / URL 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 10 other signatures 2->57 8 DHL_77232.exe 1 16 2->8         started        13 Jwsddrv.exe 14 2->13         started        15 Jwsddrv.exe 13 2->15         started        process3 dnsIp4 47 cdn.discordapp.com 162.159.134.233, 443, 49720, 49736 CLOUDFLARENETUS United States 8->47 39 C:\Users\user\AppData\Local\...\Jwsddrv.exe, PE32 8->39 dropped 59 Writes to foreign memory regions 8->59 61 Allocates memory in foreign processes 8->61 63 Creates a thread in another existing process (thread injection) 8->63 17 notepad.exe 4 8->17         started        20 ieinstal.exe 2 3 8->20         started        49 162.159.130.233, 443, 49730 CLOUDFLARENETUS United States 13->49 65 Multi AV Scanner detection for dropped file 13->65 67 Injects a PE file into a foreign processes 13->67 23 ieinstal.exe 13->23         started        25 ieinstal.exe 15->25         started        file5 signatures6 process7 dnsIp8 37 C:\Users\Public37atso.bat, ASCII 17->37 dropped 27 cmd.exe 1 17->27         started        29 cmd.exe 1 17->29         started        41 boot.awsmppl.com 185.244.30.217, 2266, 49728, 49731 DAVID_CRAIGGG Netherlands 20->41 43 coolta71.com 20->43 45 4 other IPs or domains 20->45 file9 process10 process11 31 conhost.exe 27->31         started        33 reg.exe 1 1 27->33         started        35 conhost.exe 29->35         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ab9041fe7e0a4a439521d6eb01cc16d74c00a0427c86b067120ac453ba7329d9/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-11-04 15:07:31 UTC
File Type:
PE (Exe)
Extracted files:
49
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=voied7t6bjfehfjb23vqdtaw25gabiccpsdlazysblcfhottfhmq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0357b2aed154c5d1c335723481cdb1fb13fe5ceb50cf9e35a5007469528e38d9
ModiLoader
0abf0f61f1a7805aedb6e7b825de9ab83042f00d7ed6f0af817e45fe5c67c7bd
ModiLoader
14a8520afb80692ed77075a5a9e797fa2822a91e5eb43603762669fb65ef2144
ModiLoader
4707d12ac7c445123243c1106f805600be99b1201ddd94e131c569d86b586bf2
ModiLoader
4cc2e534b544c2bd3b2508959965c9b11f9b7c6ce341332e6aab3509af066cde
ModiLoader
5b6f4a000f03183f2bbbebf07130189f5f5b9617dba37f9b90980ec228ba8180
ModiLoader
77d6912281d64f3630f1d1361c33e5f2eb10ecc7100b44d2c05fdc37ac9d7da4
ModiLoader
7ad833f9f06a7ebbad69a40515654c8a7a1b3346cf93214e2638e33901133409
ModiLoader
97b34cb713e879fb7cfe158a3180b73d1c71b71446368f242a0c004d0c3462dd
ModiLoader
f8608a3ef512bce8dbb388a81890968676d99a89e11ca282bcc846ed19fdc6ca
ModiLoader
+ 997 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos persistence rat trojan
Link:
https://tria.ge/reports/201104-ccndx23pfs/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
Unpacked files
SH256 hash:
ab9041fe7e0a4a439521d6eb01cc16d74c00a0427c86b067120ac453ba7329d9
MD5 hash:
0d9e4856916c7ca35d85f2b19240572f
SHA1 hash:
9a837c5acb29a5c4aead790a4a40e5cf37aad068
Link:
https://www.unpac.me/results/3ccca26c-7f91-47ae-a91c-82f57f339315/
SH256 hash:
42331552c030cab8b58efd8b8136eb1aa911879a31e4a6835a5b55699db2e871
MD5 hash:
877069119a600c8726568916230c3177
SHA1 hash:
3ccd914be51ffb58d90e7a3506e84dc632186d76
Link:
https://www.unpac.me/results/3ccca26c-7f91-47ae-a91c-82f57f339315/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/82941/

Comments