MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca38bc5a74167b7931db40cb00e670773b696df8c2df0d17761b38a99d40941a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ca38bc5a74167b7931db40cb00e670773b696df8c2df0d17761b38a99d40941a
SHA3-384 hash: 26ad2c2d4784cb04be288d2259a573cf87bf3947db3a1765c6ca1d4200b0665768653fd0e707a7c1502733e4a8d08cd0
SHA1 hash: 5dfb0ca60fc82d423da211d2397d4a39a4ed7587
MD5 hash: 291110d28eb31d044e1ef45306aaebc5
humanhash: lactose-magnesium-saturn-pip
File name:pdf.com
Download: download sample
Signature ModiLoader
Create hunting rule
File size:135'168 bytes
First seen:2021-09-09 14:20:19 UTC
Last seen:2021-09-09 15:29:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f338292a00d36b453ee9659a9f860838 (1 x ModiLoader)
ssdeep 1536:+pkpKajAUS5bpaKdGrhj0ekwF7naYeWe5VyKL3NPLPSMVjfVCbh7hUYvkc0BE:YajAt5VFdMTRapWepLdjlLWtp1eE
Threatray 5'693 similar samples on MalwareBazaar
TLSH T166D38C48F697EF2DF970D2F40467C365C5116891E5C67682BF3D298C6F236A037AB214
dhash icon 8eb069696169f8c4 (1 x ModiLoader, 1 x GuLoader)
Reporter GovCERT_CH
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
139
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
pdf.com
Verdict:
No threats detected
Analysis date:
2021-09-09 14:24:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bcc8eebe-9cdc-431f-924b-e07aff1b84e6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/186684/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37558355.4983.30702.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7551fb91-4af0-4e5c-ab47-d08874631691
Result
Threat name:
GuLoader Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/848166
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
GuLoader behavior detected
Hides threads from debuggers
Installs a global keyboard hook
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected GuLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ca38bc5a74167b7931db40cb00e670773b696df8c2df0d17761b38a99d40941a/
Threat name:
Win32.Trojan.Mucc
Create hunting rule
Status:
Malicious
First seen:
2021-09-09 01:55:17 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zi4lywtucz5xsmo3idfqbztqo45ws3pyylpq2f3wdm4kthkasqna._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
cloudeye
Create hunting rule
Similar samples:
38da1c4dabd3275256a93bc7321267979802c35ec2cbd1ecef7a5ad18a61afad
ModiLoader
43e203e8ba3259f1130a9c158dbc20ac44b2d0ec183004eab3305c73ba6afdef
ModiLoader
5191e0986f9d1886402809cdee8aa3b8f50bac0c36813efc602e3d5e59b9d1ec
ModiLoader
643d70b162fbca24123f8c5ad6bab6fb1aa6166fb66a414910a5b78bd68320cf
ModiLoader
87284733f84447db5f12697e7ce2fb44671cbf404e040cf85085b223eab02b95
ModiLoader
d660500c553676fcad1d6b2847022578ed20676190b5ed5687cd15d19e98e862
ModiLoader
+ 5'683 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:modiloader downloader persistence trojan
Link:
https://tria.ge/reports/210909-rnzkrsgce6/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks QEMU agent file
Guloader,Cloudeye
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
ca38bc5a74167b7931db40cb00e670773b696df8c2df0d17761b38a99d40941a
MD5 hash:
291110d28eb31d044e1ef45306aaebc5
SHA1 hash:
5dfb0ca60fc82d423da211d2397d4a39a4ed7587
Link:
https://www.unpac.me/results/0042947f-2308-4bf3-9d99-fded3b9bb248/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/ca38bc5a74167b7931db40cb00e670773b696df8c2df0d17761b38a99d40941a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

Executable exe ca38bc5a74167b7931db40cb00e670773b696df8c2df0d17761b38a99d40941a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/186684/

Comments