MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d7c62c1526c39e136b5c7a703c92ec5f8a67c987a7414e0cbb145172671a2293. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d7c62c1526c39e136b5c7a703c92ec5f8a67c987a7414e0cbb145172671a2293
SHA3-384 hash: 2175d5e236ab4d5d12a57d2a0d5be760f7cd191ab5e168bec69c6d972192bf892f8ac9a81a5d1d5e5cb6275275c56af9
SHA1 hash: 4eec2f446f828e095ad0dd750010804076f048c8
MD5 hash: d1dfe87b30909c49a95cc11950cd562e
humanhash: equal-cardinal-april-equal
File name:Nzuzvvt_Signed_.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:646'808 bytes
First seen:2020-10-16 17:49:41 UTC
Last seen:2020-10-16 19:23:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash af00c2cd3e1abe86ddbb239e27958d26 (6 x ModiLoader, 3 x RemcosRAT, 1 x Formbook)
ssdeep 12288:BEu6Ai+3QzSx++O8AySJxv/EJIy3m8A71UzFvCM2T4F1smtv1mHRm4DhKte1NDGN:F6pexT1YJS8xZzet0mDNr9V
Threatray 984 similar samples on MalwareBazaar
TLSH 03D48F62F2D1C837C373257C8C5B96B49825BD9D2F2568763AE83D8C6F397813429283
Reporter abuse_ch
Tags:exe ModiLoader UPS


Avatar
abuse_ch
Malspam distributing ModiLoader:

HELO: interesting-sinoussi.40-77-67-34.plesk.page
Sending IP: 52.165.24.254
From: "UPS Customer Service" <customer@ups.com>
Subject: UPS - Pending delivery
Attachment: shipping_Details.iso (contains "Nzuzvvt_Signed_.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/72232/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Setting a global event handler for the keyboard
Sending a TCP request to an infection source
Unauthorized injection to a system process
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/494075
Signature
Allocates memory in foreign processes
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 299494 Sample: Nzuzvvt_Signed_.exe Startdate: 16/10/2020 Architecture: WINDOWS Score: 100 38 cdn.onenote.net 2->38 46 Multi AV Scanner detection for domain / URL 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 7 other signatures 2->52 9 Nzuzvvt_Signed_.exe 1 15 2->9         started        14 Nzuzdrv.exe 13 2->14         started        16 Nzuzdrv.exe 13 2->16         started        signatures3 process4 dnsIp5 42 cdn.discordapp.com 162.159.133.233, 443, 49731, 49754 CLOUDFLARENETUS United States 9->42 36 C:\Users\user\AppData\Local\...36zuzdrv.exe, PE32 9->36 dropped 54 Writes to foreign memory regions 9->54 56 Allocates memory in foreign processes 9->56 58 Creates a thread in another existing process (thread injection) 9->58 18 ieinstal.exe 2 3 9->18         started        22 notepad.exe 4 9->22         started        44 192.168.2.1 unknown unknown 14->44 60 Multi AV Scanner detection for dropped file 14->60 62 Injects a PE file into a foreign processes 14->62 24 ieinstal.exe 14->24         started        file6 signatures7 process8 dnsIp9 40 latua.nsupdate.info 79.134.225.85, 49751, 7722 FINK-TELECOM-SERVICESCH Switzerland 18->40 34 C:\Users\user\AppData\Roaming\...\logs.dat, ASCII 18->34 dropped 26 cmd.exe 1 22->26         started        28 cmd.exe 1 22->28         started        file10 process11 process12 30 conhost.exe 26->30         started        32 conhost.exe 28->32         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d7c62c1526c39e136b5c7a703c92ec5f8a67c987a7414e0cbb145172671a2293/
Threat name:
Win32.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-10-16 15:10:29 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=27dcyfjgyopbg224pjydzexml6fgpsmhu5au4df3crixezy2ekjq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
2c1ae85bbe2ff52172aba947420e1a9bd98f7ac31671dee3cf9db19b14d21999
ModiLoader
3569d46f24fc262031aad2932c38bf1347420472f197628c622a45e6b061ca76
ModiLoader
4096056536154e1fa5a10e3495cd3ddadf7c01022b7b65b0c35a67b2eac2bc6b
ModiLoader
52360edd07bcd18738ccc44906897ece6c659883978d6ed61bd1e73dca205bd4
ModiLoader
5c9667b60610ff2eeb6b26096b7ac951ed3d59fc716a6b8aa1c94c38658b0db7
ModiLoader
738ea925d9f26dc03c18efd41de5e310285a36eef0147e7767a25dcf3fb1b24d
ModiLoader
929aed244ea7ad68ca44b6274a388dcc772b9d4bc6f4e2cb4370555ecc292c80
ModiLoader
dfa62653c2606c14be6b244fdc19c07c2d31fe4553f2cebba08c972e92f27434
ModiLoader
eee72be9b19c5e0fa5fd1b5404798a7ccd5b73830249562f9465583004980a18
ModiLoader
f412da03defe68cc6e1f264449adf519a4c5470c51e7b502854f7fbf358f8516
ModiLoader
+ 974 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
persistence trojan family:modiloader rat family:remcos
Link:
https://tria.ge/reports/201016-vvtdx923hx/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
ModiLoader First Stage
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
Unpacked files
SH256 hash:
d7c62c1526c39e136b5c7a703c92ec5f8a67c987a7414e0cbb145172671a2293
MD5 hash:
d1dfe87b30909c49a95cc11950cd562e
SHA1 hash:
4eec2f446f828e095ad0dd750010804076f048c8
Link:
https://www.unpac.me/results/8066df06-d4ea-44da-aa23-b7fad9959e38/
SH256 hash:
437a782a11e8ace2a144a4fd5c8a4a6f4e0d3a44a97c2d8655eb9126d7015632
MD5 hash:
f3305b17decb1c3b08af242aabeff8c9
SHA1 hash:
2a4aa8ca728b5d5e6fdfeafd3feb0f2bb90d7a9a
Link:
https://www.unpac.me/results/8066df06-d4ea-44da-aa23-b7fad9959e38/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d7c62c1526c39e136b5c7a703c92ec5f8a67c987a7414e0cbb145172671a2293

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

iso dcdb02a6d125054173789a825d2e1cca0645be46b9043ca8ea733ac7e0e4c928

ModiLoader

Executable exe d7c62c1526c39e136b5c7a703c92ec5f8a67c987a7414e0cbb145172671a2293

(this sample)

  
Dropped by
MD5 3ea40c76cdabc202868f8e2a225f4c66
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 dcdb02a6d125054173789a825d2e1cca0645be46b9043ca8ea733ac7e0e4c928
Cape
Cape
https://www.capesandbox.com/analysis/72232/

Comments