MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae6134942672653a0652d8b74100de3c7bccd094ee66bbc0314e75b276cfb1c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ae6134942672653a0652d8b74100de3c7bccd094ee66bbc0314e75b276cfb1c8
SHA3-384 hash: 610e0e2834d4a3d993f8046f3be32131f3d8b309f63428aab625de9ce23313f5c46b94bbec1b6245c0fe276d8c9d47b8
SHA1 hash: c0de6974472ce32e950264eb18d30482b8a63f17
MD5 hash: fc81e5c400345c294fea71dc9bb58743
humanhash: indigo-neptune-ack-leopard
File name:SecuriteInfo.com.Win32.MalwareX-gen.17234.9253
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'180'160 bytes
First seen:2022-12-19 12:38:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6f925da04d14a4f4c021d148f252df4b (1 x ModiLoader)
ssdeep 24576:b33CO9cRNkm1H2iAtGVNhMhtrjxLF7ZblNtapN:rCRvfh+1lLFran
Threatray 3'585 similar samples on MalwareBazaar
TLSH T11A45BF31AA404D3AD1E22A74881F575C58B67F113938AC8B7AEC7D8D8F756C1BB241B3
TrID 30.2% (.SCR) Windows screen saver (13097/50/3)
24.3% (.EXE) Win64 Executable (generic) (10523/12/4)
11.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.4% (.EXE) Win32 Executable (generic) (4505/5/1)
4.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 130b455565555555 (1 x ModiLoader)
Reporter SecuriteInfoCom
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
161
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.MalwareX-gen.17234.9253
Verdict:
Malicious activity
Analysis date:
2022-12-19 12:42:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5bb3654c-69cc-40b1-809f-0e6476c940c0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/347952/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.17234.9253.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
DNS request
Connecting to a non-recommended domain
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Enabling the 'hidden' option for recently created files
Launching the default Windows debugger (dwwin.exe)
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Sending a TCP request to an infection source
Forced shutdown of a system process
Unauthorized injection to a system process
Gathering data
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d176f0ea-a3ab-4f1e-a110-dea3d40aff74
Result
Threat name:
Remcos, DBatLoader
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1137132
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: Remcos
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 769859 Sample: SecuriteInfo.com.Win32.Malw... Startdate: 19/12/2022 Architecture: WINDOWS Score: 100 76 Snort IDS alert for network traffic 2->76 78 Malicious sample detected (through community Yara rule) 2->78 80 Antivirus detection for URL or domain 2->80 82 9 other signatures 2->82 10 Nynaivxr.exe 2->10         started        13 SecuriteInfo.com.Win32.MalwareX-gen.17234.9253.exe 1 22 2->13         started        process3 dnsIp4 100 Antivirus detection for dropped file 10->100 102 Multi AV Scanner detection for dropped file 10->102 104 Writes to foreign memory regions 10->104 17 colorcpl.exe 15 10->17         started        74 strassenburgpharma.biz 85.187.132.177, 443, 49695 A2HOSTINGUS United States 13->74 58 C:\Users\Public\Libraries\netutils.dll, PE32+ 13->58 dropped 60 C:\Users\Public\Libraries\easinvoker.exe, PE32+ 13->60 dropped 62 C:\Users\Public\Libraries62ynaivxr.exe, PE32 13->62 dropped 64 C:\Users\...64ynaivxr.exe:Zone.Identifier, ASCII 13->64 dropped 106 Allocates memory in foreign processes 13->106 108 Creates a thread in another existing process (thread injection) 13->108 110 Injects a PE file into a foreign processes 13->110 21 cmd.exe 3 13->21         started        23 wscript.exe 13->23         started        file5 signatures6 process7 dnsIp8 66 www.hemidiindia.com 79.134.225.113, 49696, 49697, 5200 FINK-TELECOM-SERVICESCH Switzerland 17->66 68 geoplugin.net 178.237.33.50, 49698, 80 ATOM86-ASATOM86NL Netherlands 17->68 84 Maps a DLL or memory area into another process 17->84 86 Sample uses process hollowing technique 17->86 25 colorcpl.exe 17->25         started        28 colorcpl.exe 17->28         started        30 colorcpl.exe 17->30         started        40 26 other processes 17->40 88 Uses ping.exe to sleep 21->88 90 Drops executables to the windows directory (C:\Windows) and starts them 21->90 92 Uses ping.exe to check the status of other devices and networks 21->92 32 easinvoker.exe 21->32         started        34 PING.EXE 1 21->34         started        37 xcopy.exe 2 21->37         started        42 6 other processes 21->42 signatures9 process10 dnsIp11 94 Tries to steal Instant Messenger accounts or passwords 25->94 96 Tries to steal Mail credentials (via file / registry access) 25->96 44 cmd.exe 1 32->44         started        70 127.0.0.1 unknown unknown 34->70 54 C:\Windows \System32\easinvoker.exe, PE32+ 37->54 dropped 72 192.168.2.1 unknown unknown 40->72 98 Tries to harvest and steal browser information (history, passwords, etc) 40->98 56 C:\Windows \System32\netutils.dll, PE32+ 42->56 dropped file12 signatures13 process14 signatures15 112 Suspicious powershell command line found 44->112 114 Adds a directory exclusion to Windows Defender 44->114 47 powershell.exe 23 44->47         started        50 conhost.exe 44->50         started        process16 signatures17 116 DLL side loading technique detected 47->116 52 conhost.exe 47->52         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ae6134942672653a0652d8b74100de3c7bccd094ee66bbc0314e75b276cfb1c8/
Threat name:
Win32.Trojan.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2022-12-19 07:54:57 UTC
File Type:
PE (Exe)
Extracted files:
46
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vzqtjfbgojstubss3c3ucag6hr54zueu5ztlxqbrjz23e5wpwhea._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
139d0b13776f8fea46db2d77f0391b480cf290abcca453aacd2e003e7a618787
ModiLoader
1a9449eb429ea1c829080ee13d587a0c799f8ee4f4dca0182f446ce3baa92514
ModiLoader
1eb85ede00f809ba0f2ae9ea64c78615705f7314f31934887849c60f86b6505e
ModiLoader
397af187b4af99bc3700f3b6e34bcd13120e10397840b25df3698fc3234c8aad
ModiLoader
4a8195f159274fb6b2edf61864824e9c686398ce60df94d23fabb21c48d57499
ModiLoader
7a5870c5e7f9253deca223afcbf295a99ad0cc014543b26e162e56ad2f22a36e
ModiLoader
9735527911fe79127bb4cac6cab68bb6e3da29592921e1cfbfcd496245aeb74f
ModiLoader
a97f182e8e7da0854b932b946352626e4c94c6f1319ea6ddf5cefa854af93bd7
ModiLoader
c751eef24ba7492781e43c5034f1175ec098ebc72602e68822fd4c09cac0b9bb
ModiLoader
c8f7124c43eb317024e9e329f6a05b8e278b3c6ac99a2f202406b719dbb815ca
ModiLoader
+ 3'575 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:yak-hamid-india collection persistence rat trojan
Link:
https://tria.ge/reports/221219-pvl7xafa32/
Behaviour
Enumerates system info in registry
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
ModiLoader Second Stage
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
www.hemidiindia.com:5200
Unpacked files
SH256 hash:
5c0bb8c08ab92a5cb3e73dc113f15107282212f1f34bdce9901580616a995e83
MD5 hash:
6b3987618d23e4679ff79464f92a35f9
SHA1 hash:
d1f3fdccfc45cbf91dc779fce7f3461fb0911f5f
Link:
https://www.unpac.me/results/7da1d354-e515-4e03-9e28-72213235495f/
SH256 hash:
ae6134942672653a0652d8b74100de3c7bccd094ee66bbc0314e75b276cfb1c8
MD5 hash:
fc81e5c400345c294fea71dc9bb58743
SHA1 hash:
c0de6974472ce32e950264eb18d30482b8a63f17
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/7da1d354-e515-4e03-9e28-72213235495f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ae6134942672/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/ae6134942672653a0652d8b74100de3c7bccd094ee66bbc0314e75b276cfb1c8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/347952/

Comments