MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb8095a08ad64a6811cfb011db6f7bc97f21e459ca65382251bec95cfd1d9529. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cb8095a08ad64a6811cfb011db6f7bc97f21e459ca65382251bec95cfd1d9529
SHA3-384 hash: dc504741578130c46f253c080572c1a5fcd39a63289bbaf5ac81bcc01dd28585c0bfcc80e61ef063cc961e4129cc43be
SHA1 hash: d2c744bc486d13d8a7f4fcf86109e864ad19e0f7
MD5 hash: afdf2f3253c6d08b717e7b9e99033e11
humanhash: ack-lima-green-chicken
File name:Tgdzbcw_Signed_.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'050'776 bytes
First seen:2020-10-16 10:23:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a31ea16644ced8e431e2fe203a7b0361 (15 x ModiLoader, 4 x Loki, 1 x RemcosRAT)
ssdeep 24576:9FT7lBs40jT0sUbtpW/nAOPq3Sp585n7nLT6USE/7LYUx5t8SH1V:9vBsxTEi5Q7nLT6USE/7kUPtF
Threatray 351 similar samples on MalwareBazaar
TLSH 7625CF31F3E2CA36E25715318C2B5BB9A532BE001924945A76E63C4DAF367F079392D3
Reporter abuse_ch
Tags:exe ModiLoader UPS


Avatar
abuse_ch
Malspam distributing ModiLoader:

HELO: hardcore-gould.52-165-237-63.plesk.page
Sending IP: 40.77.27.88
From: UPS Customer Service <customer@ups.com>
Subject: UPS - Pending delivery
Attachment: File_details.iso (contains "Tgdzbcw_Signed_.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/71893/
Detection(s):
SecuriteInfo.com.Artemis5F81083596A0.8651.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/493376
Signature
Allocates memory in foreign processes
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Fodhelper UAC Bypass
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 299138 Sample: Tgdzbcw_Signed_.exe Startdate: 16/10/2020 Architecture: WINDOWS Score: 100 56 Malicious sample detected (through community Yara rule) 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 Detected Remcos RAT 2->60 62 6 other signatures 2->62 8 Tgdzbcw_Signed_.exe 1 15 2->8         started        13 Tgdzdrv.exe 13 2->13         started        15 Tgdzdrv.exe 13 2->15         started        process3 dnsIp4 46 cdn.discordapp.com 162.159.134.233, 443, 49734 CLOUDFLARENETUS United States 8->46 48 discord.com 162.159.137.232, 443, 49732, 49733 CLOUDFLARENETUS United States 8->48 42 C:\Users\user\AppData\Local\...\Tgdzdrv.exe, PE32 8->42 dropped 64 Writes to foreign memory regions 8->64 66 Allocates memory in foreign processes 8->66 68 Creates a thread in another existing process (thread injection) 8->68 70 Injects a PE file into a foreign processes 8->70 17 notepad.exe 4 8->17         started        20 ieinstal.exe 8->20         started        50 162.159.129.233, 443, 49752 CLOUDFLARENETUS United States 13->50 72 Multi AV Scanner detection for dropped file 13->72 22 ieinstal.exe 13->22         started        52 162.159.135.233, 443, 49757 CLOUDFLARENETUS United States 15->52 24 ieinstal.exe 15->24         started        file5 signatures6 process7 file8 40 C:\Users\Public40atso.bat, ASCII 17->40 dropped 26 cmd.exe 1 17->26         started        28 cmd.exe 1 17->28         started        30 WerFault.exe 9 20->30         started        process9 dnsIp10 34 conhost.exe 26->34         started        36 reg.exe 1 1 26->36         started        38 conhost.exe 28->38         started        54 192.168.2.1 unknown unknown 30->54 44 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 30->44 dropped file11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cb8095a08ad64a6811cfb011db6f7bc97f21e459ca65382251bec95cfd1d9529/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-10-15 18:55:24 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zoajliek2zfgqeopwai5w333zf7sdzczzjstqisrx3evz7i5suuq._file
Verdict:
malicious
Similar samples:
44959082a4d86b4b782a2d860658e304025d34863398da161e39ba57a7e2c4fd
ModiLoader
47d694226b7f034e868ded9f3ebc12b1afbf9bbccb791f4a98c61955f10efa19
ModiLoader
6b821b358a92094bf1218d5a455e7205efeda83a4b4247d010a86b77e284ee75
ModiLoader
72427a1ab5dbf3e5c6d4f297ec33becb68bc39d1c8446f98c47d1560f6371a3a
ModiLoader
855eaf42f771f65f72f7457ba7eb8e4f5ab99b7bc43fbb2fa1528820c2e01200
ModiLoader
b44ef524ef77ea1ee0bcb7096b328f6f94a4621df0d15114e8ff43e83483bbc6
ModiLoader
bbadca576aa54abfd18784a5cdb2e100530ae50092d5c240e08b5c0afa5c66b4
ModiLoader
bd86ba6f082dfd404bc2f3544f5b39ce04084742b334ab00a80f0c12c94daa46
ModiLoader
ce30dea0b1d4fa181753600eb63c1d2f1a7de1bd848dcdbe196f6a35afef0ea9
ModiLoader
e8094459a8fbcf684a411188c294898454be6db6b3cf31185e346e8cd705744e
ModiLoader
+ 341 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
persistence trojan family:modiloader
Link:
https://tria.ge/reports/201016-paze14b49s/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader Second Stage
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
fff782830f323f49473402aac087bea89fa319afd0fe504476c9e8b038f9fce8
MD5 hash:
453044cd27142581835d24c31905ab10
SHA1 hash:
82e53802758d48321c9cf737b83547ae19b93286
Link:
https://www.unpac.me/results/01fc5280-2027-4a09-b17a-d6f668763fb6/
SH256 hash:
cb8095a08ad64a6811cfb011db6f7bc97f21e459ca65382251bec95cfd1d9529
MD5 hash:
afdf2f3253c6d08b717e7b9e99033e11
SHA1 hash:
d2c744bc486d13d8a7f4fcf86109e864ad19e0f7
Link:
https://www.unpac.me/results/01fc5280-2027-4a09-b17a-d6f668763fb6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cb8095a08ad64a6811cfb011db6f7bc97f21e459ca65382251bec95cfd1d9529

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

iso 6b0464d4a5b52164034626ba76f7f7b1f88a37365a563279b87c9a2e5d96e61c

ModiLoader

Executable exe cb8095a08ad64a6811cfb011db6f7bc97f21e459ca65382251bec95cfd1d9529

(this sample)

  
Dropped by
MD5 8a7cd11668f8be1a665414bfac3c7ae2
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/71893/
  
Dropped by
SHA256 6b0464d4a5b52164034626ba76f7f7b1f88a37365a563279b87c9a2e5d96e61c

Comments