MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cbd2e25b07548e1c67e0538dab8d0e574bff1b3815d0757916f770ae5110cce8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cbd2e25b07548e1c67e0538dab8d0e574bff1b3815d0757916f770ae5110cce8
SHA3-384 hash: f9008f9970b164c9ee5edb126611469b8a4c803f9073bc85a7b88d2dbfe055e91fa40c02b502347f276090bfe346cb75
SHA1 hash: 2d2973b3999de6219041faf099d1489ac03a3cd8
MD5 hash: a95cf124c5254132b3916a6060daa1ba
humanhash: idaho-chicken-hot-harry
File name:a95cf124c5254132b3916a6060daa1ba.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'024'312 bytes
First seen:2020-11-11 16:22:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 29bafab125b24273c16685612addbb04 (6 x ModiLoader, 1 x AveMariaRAT, 1 x RemcosRAT)
ssdeep 12288:WsY0CUNIjFsYrD1XHd9F2/VCRJinuqUNw/LRrB9VGo+8bD2E3xtLPZVOE4MR2b8U:W5xU+rD1XH6zrB9pdhJZaWiXEWD
Threatray 1'372 similar samples on MalwareBazaar
TLSH 54258D62B2919933F13ADA38DC3797B76936FE102D2899472BF46D0C5F396813825393
Reporter abuse_ch
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
55
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Changing a file
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Connection attempt to an infection source
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/531459
Signature
Allocates memory in foreign processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Fodhelper UAC Bypass
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 314829 Sample: qelMUH5CPF.exe Startdate: 12/11/2020 Architecture: WINDOWS Score: 100 42 agentpapple.ac.ug 2->42 44 taenaia.ac.ug 2->44 54 Malicious sample detected (through community Yara rule) 2->54 56 Multi AV Scanner detection for submitted file 2->56 58 Yara detected Remcos RAT 2->58 60 4 other signatures 2->60 9 qelMUH5CPF.exe 2 24 2->9         started        14 Ijindrv.exe 22 2->14         started        16 Ijindrv.exe 21 2->16         started        signatures3 process4 dnsIp5 50 cdn.discordapp.com 162.159.134.233, 443, 49713, 49755 CLOUDFLARENETUS United States 9->50 52 192.168.2.1 unknown unknown 9->52 40 C:\Users\user\AppData\Local\...\Ijindrv.exe, PE32 9->40 dropped 62 Writes to foreign memory regions 9->62 64 Allocates memory in foreign processes 9->64 66 Creates a thread in another existing process (thread injection) 9->66 18 notepad.exe 4 9->18         started        21 ieinstal.exe 1 9->21         started        68 Multi AV Scanner detection for dropped file 14->68 70 Injects a PE file into a foreign processes 14->70 24 ieinstal.exe 14->24         started        26 ieinstal.exe 16->26         started        file6 signatures7 process8 dnsIp9 38 C:\Users\Public38atso.bat, ASCII 18->38 dropped 28 cmd.exe 1 18->28         started        30 cmd.exe 1 18->30         started        46 agentpapple.ac.ug 21->46 48 taenaia.ac.ug 185.140.53.149, 49727, 49728, 49733 DAVID_CRAIGGG Sweden 21->48 file10 process11 process12 32 conhost.exe 28->32         started        34 reg.exe 1 1 28->34         started        36 conhost.exe 30->36         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cbd2e25b07548e1c67e0538dab8d0e574bff1b3815d0757916f770ae5110cce8/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2020-11-10 19:54:37 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zpjoewyhkshbyz7akog2xdiok5f76gzycxihk6iw65yk4uiqztua._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0a7a9452a191d8f5777dfe22e71f043968d48fd013f158de638fbc6f32fe9999
ModiLoader
2f0ce341108a0d177092a8e18ca880b966f96a397f23c5135cfd9c6588b0c8c1
ModiLoader
308c96557c6be5d4519ba4bac38c23e611c7b61683cfc1063a6009e216c24f5e
ModiLoader
6916d0f41d35a9142e598496a1e996616b4fad6d15f0f3da7ec9210b6a124586
ModiLoader
7ff052b87f0dd31a5426fa0a03cc6618ecc6bc5b1b7cfeab12ee1adf5dbffd41
ModiLoader
8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464
ModiLoader
f158368c489837c721cb01f7bf86f18536f9948f35f2ced67827d638b8253f16
ModiLoader
f3453d83f263aa7665cb7398e7216db55cb8d7d75b8d45cdaf889c9265ba72fb
ModiLoader
f8185c5af3e891bdb81a646bb410777393f7ba6db6f4fc0727948c4b95264334
ModiLoader
fdeab1bddd43965a3ec2ed0a6001bc926a7f995bffc549b64379324374beac4b
ModiLoader
+ 1'362 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader persistence trojan
Link:
https://tria.ge/reports/201111-3xvgvy2tva/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader First Stage
ModiLoader Second Stage
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
cbd2e25b07548e1c67e0538dab8d0e574bff1b3815d0757916f770ae5110cce8
MD5 hash:
a95cf124c5254132b3916a6060daa1ba
SHA1 hash:
2d2973b3999de6219041faf099d1489ac03a3cd8
Link:
https://www.unpac.me/results/591c949e-851d-47ac-9ab1-e05755fbcb6e/
SH256 hash:
08a57229329e965564eaf89e3caae405eba255d30a36f7cb5daefd7a8380fc07
MD5 hash:
cefe27c5b33b13d9817a1aeeac3986f4
SHA1 hash:
24797bed631c78dcc26007e57da7b76f2818442e
Link:
https://www.unpac.me/results/591c949e-851d-47ac-9ab1-e05755fbcb6e/
SH256 hash:
57eeaca420092fa2dc490ff21036ed385ee3720b1662de45621a63d032a26e28
MD5 hash:
14ab060dda205cb17ac8566e9df873d4
SHA1 hash:
aba03d98ebf7fd39f66e14795323222369d9e7a9
Link:
https://www.unpac.me/results/591c949e-851d-47ac-9ab1-e05755fbcb6e/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ModiLoader

Executable exe cbd2e25b07548e1c67e0538dab8d0e574bff1b3815d0757916f770ae5110cce8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/447391/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/686530/
  
URLhaus
https://urlhaus.abuse.ch/url/748738/
  
URLhaus
https://urlhaus.abuse.ch/url/572760/
  
URLhaus
https://urlhaus.abuse.ch/url/572754/

Comments