MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da7ce792ea58fe4b0920be78435d44fef2ef1025cfac8abb0b43a9878d26c6c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ModiLoader


Vendor detections: 16



SHA256 hash: da7ce792ea58fe4b0920be78435d44fef2ef1025cfac8abb0b43a9878d26c6c3
SHA3-384 hash: e694692107f29b42234d9711a9313a2729ee8ffbac6a829e9b2d5f946d7563d15212bb56b87657b2d8655514b1019bd6
SHA1 hash: d46fc81cd74474df1bf74de87de80247ec7f4699
MD5 hash: 39cf663371b24c2c88d39a47a2aed897
humanhash: steak-football-lion-six
File name: image2021042GFREDS12322ERDQ1DOC03027382DOC202205.exe
Signature: ModiLoader
File size: 1'023'488 bytes
First seen: 2022-11-07 23:17:45 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b47ec091df0d8f01946a02b8629932fe (3 x ModiLoader, 1 x Formbook)
ssdeep: 24576:tsa4byzdWezM7KabcI16UKb8SDxOTeCYSfI5b2sJxHJHtuSCg/c3kCv/oMw2n+OL:tZeR16UXdAoMMMMMMMMMMMMMMMMMS
Threatray: 2'172 similar samples on MalwareBazaar
TLSH: T18C25CF536281243BE1620E34DA16E736687FBF34297C98422AF07D5D7FFA6923D19183
TrID: 22.3% (.EXE) Win32 Executable Delphi generic (14182/79/4)
      20.6% (.SCR) Windows screen saver (13097/50/3)
      16.5% (.EXE) Win64 Executable (generic) (10523/12/4)
      15.7% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
      7.1% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 1232c8acecd0c4c4 (7 x ModiLoader, 1 x RemcosRAT, 1 x Formbook)
Reporter: GovCERT_CH
Tags: exe ModiLoader

Intelligence


File Origin
# of uploads: 1
# of downloads: 160
Origin country: n/a
Vendor Threat Intelligence
Malware family:
ID: 1
File name: image2021042GFREDS12322ERDQ1DOC03027382DOC202205.exe
Verdict: Malicious activity
Analysis date: 2022-11-07 23:20:00 UTC
Tags: remcos

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Creating a window
DNS request
Connecting to a non-recommended domain
Sending a custom TCP request
Creating a file
Launching a process
Creating a process with a hidden window
Searching for the window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: keylogger packed remcos
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Remcos, DBatLoader
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Remcos RAT
Behaviour
Threat name: Win32.Trojan.Tnega
Status: Malicious
First seen: 2022-11-07 02:35:42 UTC
File Type: PE (Exe)
Extracted files: 52
AV detection: 15 of 26 (57.69%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:modiloader family:remcos botnet:back-up-domain persistence rat trojan
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
Blocklisted process makes network request
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction: www.arkern-tr.com:2404
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: 3f17ebba5a2529b8794c6e86f2b124eacc332692ccdb8acfc6ebf8829c5889e7
MD5 hash: 990016aba0656d25f84a329e5a48c50b
SHA1 hash: f13ea53aaa58d65bd696da99836dd5473f290536
Detections: win_dbatloader_g1
Parent samples:
SHA256 hash: da7ce792ea58fe4b0920be78435d44fef2ef1025cfac8abb0b43a9878d26c6c3
MD5 hash: 39cf663371b24c2c88d39a47a2aed897
SHA1 hash: d46fc81cd74474df1bf74de87de80247ec7f4699
Detections: DbatLoaderStage1
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

Executable exe da7ce792ea58fe4b0920be78435d44fef2ef1025cfac8abb0b43a9878d26c6c3 (this sample)

Dropped by: ModiLoader

Delivery method: Distributed via e-mail attachment

Comments