MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf56d40820f28706fb10861096441d0ec597471ee24ac595707d314d431a6f75. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bf56d40820f28706fb10861096441d0ec597471ee24ac595707d314d431a6f75
SHA3-384 hash: e1b188a3b3995a23ad7b38fa688a8f795c6c514a914a4937b368647291c7bd5d269afe03c9f3256384702498f44db4bb
SHA1 hash: 7db999c6530d151f3c2b4fa07a0f45431fe9b198
MD5 hash: d8600e23b92b92cea86668d1c1ee7543
humanhash: iowa-romeo-whiskey-delta
File name:d8600e23b92b92cea86668d1c1ee7543.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:646'808 bytes
First seen:2020-10-16 18:00:50 UTC
Last seen:2020-10-16 19:22:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash af00c2cd3e1abe86ddbb239e27958d26 (6 x ModiLoader, 3 x RemcosRAT, 1 x Formbook)
ssdeep 12288:BEu6Ai+3QzSx++O8AySJxv/EJIy3m8A71UzFvCM2T4F1smtv1mHRm4DhKte1NDGg:F6pexT1YJS8xZzet0mqNr9V
Threatray 351 similar samples on MalwareBazaar
TLSH B6D48E66F2D1C877C373253C8C5B86B49825BD9D2F2568763AE83D8C5F397823429293
Reporter abuse_ch
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/72241/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Connection attempt to an infection source
Unauthorized injection to a system process
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/494101
Signature
Allocates memory in foreign processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Fodhelper UAC Bypass
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 299504 Sample: Svt9048pav.exe Startdate: 16/10/2020 Architecture: WINDOWS Score: 100 40 agentpapple.ac.ug 2->40 42 taenaia.ac.ug 2->42 52 Malicious sample detected (through community Yara rule) 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 Yara detected Remcos RAT 2->56 58 4 other signatures 2->58 9 Svt9048pav.exe 1 15 2->9         started        14 Ghmwdrv.exe 13 2->14         started        16 Ghmwdrv.exe 13 2->16         started        signatures3 process4 dnsIp5 48 cdn.discordapp.com 162.159.129.233, 443, 49730 CLOUDFLARENETUS United States 9->48 38 C:\Users\user\AppData\Local\...behaviorgraphhmwdrv.exe, PE32 9->38 dropped 60 Writes to foreign memory regions 9->60 62 Allocates memory in foreign processes 9->62 64 Creates a thread in another existing process (thread injection) 9->64 18 notepad.exe 4 9->18         started        21 ieinstal.exe 1 9->21         started        50 162.159.134.233, 443, 49747, 49752 CLOUDFLARENETUS United States 14->50 66 Multi AV Scanner detection for dropped file 14->66 68 Injects a PE file into a foreign processes 14->68 24 ieinstal.exe 14->24         started        file6 signatures7 process8 dnsIp9 36 C:\Users\Public36atso.bat, ASCII 18->36 dropped 26 cmd.exe 1 18->26         started        28 cmd.exe 1 18->28         started        44 agentpapple.ac.ug 21->44 46 taenaia.ac.ug 79.134.225.121, 49744, 49749, 49750 FINK-TELECOM-SERVICESCH Switzerland 21->46 file10 process11 process12 30 conhost.exe 26->30         started        32 reg.exe 1 1 26->32         started        34 conhost.exe 28->34         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bf56d40820f28706fb10861096441d0ec597471ee24ac595707d314d431a6f75/
Threat name:
Win32.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-10-16 18:02:10 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=x5lnicba6kdqn6yqqyijmra5b3czory64jfmlflqpuyu2qy2n52q._file
Verdict:
suspicious
Similar samples:
4284003dc87d3f8afa499b3edac620589dba8b1ac5d9a38d943dd0b381a473c5
ModiLoader
46ff7f6619eda7e3b2c5b36a2d3f21b154749d31ae2695c4d23c992361ce1f58
ModiLoader
69a218fceba737bcd30936ae7e3404544c9976c0db63be7ad2c7e950677a9e16
ModiLoader
6b821b358a92094bf1218d5a455e7205efeda83a4b4247d010a86b77e284ee75
ModiLoader
6e65a5004779b795ed2d4b95d428083f4cdecf2f0d7880c11080040ed2b250b9
ModiLoader
74b843d9cabf046a044581d20033d93eecf9d8ea590ce9557569e40d990e6241
ModiLoader
cb8095a08ad64a6811cfb011db6f7bc97f21e459ca65382251bec95cfd1d9529
ModiLoader
d7c62c1526c39e136b5c7a703c92ec5f8a67c987a7414e0cbb145172671a2293
ModiLoader
e8001e686b3c1972277296e3ed20992b8fd67e7c7f8dc16a827e09d3f22b02e0
ModiLoader
fa6c28a5a196dff6d67240342b726d3b8f733ee9b1a7ba04a559251f6c8c4850
ModiLoader
+ 341 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
persistence trojan family:modiloader
Link:
https://tria.ge/reports/201016-wly36kllzn/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader First Stage
ModiLoader Second Stage
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
bf56d40820f28706fb10861096441d0ec597471ee24ac595707d314d431a6f75
MD5 hash:
d8600e23b92b92cea86668d1c1ee7543
SHA1 hash:
7db999c6530d151f3c2b4fa07a0f45431fe9b198
Link:
https://www.unpac.me/results/025c08a6-1dc0-4f9e-8816-7c059947f208/
SH256 hash:
197c4fd2875357024805d13b06f68d0895c9ca76ad08dfea28419ed6a2e6b34a
MD5 hash:
7e0e380137cf15350a36bebe9a5c5daf
SHA1 hash:
fb8f7f834078e9b647beedd47199a96d1df147df
Link:
https://www.unpac.me/results/025c08a6-1dc0-4f9e-8816-7c059947f208/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bf56d40820f28706fb10861096441d0ec597471ee24ac595707d314d431a6f75

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ModiLoader

Executable exe bf56d40820f28706fb10861096441d0ec597471ee24ac595707d314d431a6f75

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/72241/
  
URLhaus
https://urlhaus.abuse.ch/url/572760/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/572754/
  
URLhaus
https://urlhaus.abuse.ch/url/447391/
  
URLhaus
https://urlhaus.abuse.ch/url/686530/

Comments