MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d41ec4b08eee7e5c1d34cdb17e9a9828f1901d90ef8c691a66c21c3fe72fc44b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ModiLoader

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	d41ec4b08eee7e5c1d34cdb17e9a9828f1901d90ef8c691a66c21c3fe72fc44b
SHA3-384 hash:	60e0661ab8b8ac6fa7ba3a17a83ff14d90ccb15680a812b1c950c07f991ed2a08ce7912000aea18ffc7cbb36f57aa3cd
SHA1 hash:	90dbd81a477bedf86d2eb96fbbf274bacf606f7f
MD5 hash:	1a328017740757e16cb7ac98df27e043
humanhash:	yankee-alabama-yankee-saturn
File name:	1a328017740757e16cb7ac98df27e043.exe
Download:	download sample
Signature	ModiLoader Create hunting rule
File size:	1'025'392 bytes
First seen:	2020-11-19 06:06:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	671d2a432a21606b6b78018cd9c139a1 (1 x ModiLoader)
ssdeep	24576:xa2TJhFr15AbPCragKKTZxUScffBxsqPerMmzZC3N4Sr5RPEwdCkEC3NKbemaF82:xa2lnOPC5nURxsqPerMmzZC3N4Sr5RP5
Threatray	1'328 similar samples on MalwareBazaar
TLSH	4D25AE12B7628C77D1DA0A3DAF4783681426BE72396C55073BEC2E4D0A782412FDDD9B
Reporter	abuse_ch
Tags:	exe ModiLoader

Intelligence

File Origin

# of uploads :

# of downloads :

100

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Sending a custom TCP request

Creating a file

Launching a process

Running batch commands

Creating a process with a hidden window

Deleting a recently created file

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process by context flags manipulation

Connection attempt to an infection source

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d41ec4b08eee7e5c1d34cdb17e9a9828f1901d90ef8c691a66c21c3fe72fc44b/

Threat name:

Win32.Downloader.Cordisa

Status:

Malicious

First seen:

2020-11-19 00:27:57 UTC

AV detection:

27 of 28 (96.43%)

Threat level:

3/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2qpmjmeo5z7fyhjuzwyx5guyfdyzahmq56ggsgtgyiod7zzpyrfq._file

Verdict:

malicious

Label(s):

remcos

ModiLoader

2f0ce341108a0d177092a8e18ca880b966f96a397f23c5135cfd9c6588b0c8c1

ModiLoader

308c96557c6be5d4519ba4bac38c23e611c7b61683cfc1063a6009e216c24f5e

ModiLoader

6916d0f41d35a9142e598496a1e996616b4fad6d15f0f3da7ec9210b6a124586

ModiLoader

7ff052b87f0dd31a5426fa0a03cc6618ecc6bc5b1b7cfeab12ee1adf5dbffd41

ModiLoader

8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464

ModiLoader

c10cdf38e26339e4373c7e0a9a119381e703c7b8404ce0ed694fb3aae286d9b9

ModiLoader

f158368c489837c721cb01f7bf86f18536f9948f35f2ced67827d638b8253f16

ModiLoader

f8185c5af3e891bdb81a646bb410777393f7ba6db6f4fc0727948c4b95264334

ModiLoader

fdeab1bddd43965a3ec2ed0a6001bc926a7f995bffc549b64379324374beac4b

ModiLoader

+ 1'318 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

family:modiloader family:remcos persistence rat trojan

Link:

https://tria.ge/reports/201119-gfyxgvdyfj/

Behaviour

Modifies registry key

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

ModiLoader First Stage

ServiceHost packer

ModiLoader, DBatLoader

Remcos

Malware Config

C2 Extraction:

taenaia.ac.ug:6969
agentpapple.ac.ug:6969

Unpacked files

SH256 hash:

d41ec4b08eee7e5c1d34cdb17e9a9828f1901d90ef8c691a66c21c3fe72fc44b

MD5 hash:

1a328017740757e16cb7ac98df27e043

SHA1 hash:

90dbd81a477bedf86d2eb96fbbf274bacf606f7f

Link:

https://www.unpac.me/results/d8cf3253-31d7-44a8-9212-d85f1ef69215/

SH256 hash:

64b30fb1cb2f39e06418682feefc4761eb503218bbcb9adfa10d8cbd41c47167

MD5 hash:

a7628fac7aeaee7606421f2614eb695b

SHA1 hash:

f50ed7c32fa5ca75c3c447fce2ce1da22677021c

Link:

https://www.unpac.me/results/d8cf3253-31d7-44a8-9212-d85f1ef69215/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ModiLoader

exe d41ec4b08eee7e5c1d34cdb17e9a9828f1901d90ef8c691a66c21c3fe72fc44b

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/447391/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/686530/

URLhaus

https://urlhaus.abuse.ch/url/748738/

URLhaus

https://urlhaus.abuse.ch/url/831921/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample

MalwareBazaar Database

Database Entry

Intelligence

File Origin

Vendor Threat Intelligence

Result

Behaviour

Result

Details

Result

Signature

Behaviour

Result

Behaviour

Malware Config

Unpacked files

File information

Comments

Login required