MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e8094459a8fbcf684a411188c294898454be6db6b3cf31185e346e8cd705744e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e8094459a8fbcf684a411188c294898454be6db6b3cf31185e346e8cd705744e
SHA3-384 hash: fdb9ef427cb2626de120a61f8ba5f8b789f2f72d8197bb36f65ecad92e76d6ef54b269433f1998bbe17ef11dd039b2a1
SHA1 hash: 9ee11f6821da7ab9b67408e969358cc4ee871ae0
MD5 hash: 693215a0faed56425fafe6a4f0227422
humanhash: arizona-sixteen-indigo-hydrogen
File name:Skyzzsn_Signed_.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'050'776 bytes
First seen:2020-10-15 17:20:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a31ea16644ced8e431e2fe203a7b0361 (15 x ModiLoader, 4 x Loki, 1 x RemcosRAT)
ssdeep 24576:9FT7lBs40jT0sUbtpW/nAOPq3Sp58wn7nLT6USE/7LYUx5t8SH1V:9vBsxTEi597nLT6USE/7kUPtF
Threatray 1'067 similar samples on MalwareBazaar
TLSH 5325CF31F3E1CA36F25315318C2B5BB9A532BE002924945A76E63D4DAE367F079392D3
Reporter abuse_ch
Tags:exe ModiLoader UPS


Avatar
abuse_ch
Malspam distributing ModiLoader:

HELO: hardcore-gould.52-165-237-63.plesk.page
Sending IP: 40.77.27.88
From: "UPS Customer Service" <customer@ups.com>
Subject: UPS - Pending delivery
Attachment: Details_UPS.iso (contains "Skyzzsn_Signed_.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/71548/
Detection(s):
SecuriteInfo.com.Artemis5F81083596A0.8651.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Setting a global event handler for the keyboard
Sending a TCP request to an infection source
Unauthorized injection to a system process
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/492875
Signature
Allocates memory in foreign processes
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Fodhelper UAC Bypass
Sigma detected: Remcos
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 298893 Sample: Skyzzsn_Signed_.exe Startdate: 15/10/2020 Architecture: WINDOWS Score: 100 55 Malicious sample detected (through community Yara rule) 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 Detected Remcos RAT 2->59 61 9 other signatures 2->61 8 Skyzzsn_Signed_.exe 1 15 2->8         started        13 Skyzdrv.exe 14 2->13         started        15 Skyzdrv.exe 13 2->15         started        process3 dnsIp4 45 cdn.discordapp.com 162.159.129.233, 443, 49721, 49734 CLOUDFLARENETUS United States 8->45 47 discord.com 162.159.137.232, 443, 49719, 49720 CLOUDFLARENETUS United States 8->47 41 C:\Users\user\AppData\Local\...\Skyzdrv.exe, PE32 8->41 dropped 63 Writes to foreign memory regions 8->63 65 Allocates memory in foreign processes 8->65 67 Creates a thread in another existing process (thread injection) 8->67 17 notepad.exe 4 8->17         started        20 ieinstal.exe 2 3 8->20         started        49 162.159.128.233, 443, 49732, 49733 CLOUDFLARENETUS United States 13->49 69 Multi AV Scanner detection for dropped file 13->69 71 Injects a PE file into a foreign processes 13->71 23 ieinstal.exe 13->23         started        51 162.159.138.232, 443, 49742, 49743 CLOUDFLARENETUS United States 15->51 53 192.168.2.1 unknown unknown 15->53 25 ieinstal.exe 15->25         started        file5 signatures6 process7 dnsIp8 37 C:\Users\Public37atso.bat, ASCII 17->37 dropped 27 cmd.exe 1 17->27         started        29 cmd.exe 1 17->29         started        43 latua.nsupdate.info 79.134.225.85, 49728, 7722 FINK-TELECOM-SERVICESCH Switzerland 20->43 39 C:\Users\user\AppData\Roaming\...\logs.dat, ASCII 20->39 dropped file9 process10 process11 31 conhost.exe 27->31         started        33 reg.exe 1 1 27->33         started        35 conhost.exe 29->35         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e8094459a8fbcf684a411188c294898454be6db6b3cf31185e346e8cd705744e/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-10-15 17:22:12 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5aeuiwni7phwqssbcgemffejqrkl43nwwphtcgc6grxizvyforha._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0561429ee93b0bc545689257b6cda0d43025317f9c890acb219c51d0f6e721e8
ModiLoader
1c517ddebb6f5893d52918c51a70e56f68b50dd65e0460a673cce3625a0f8a2b
ModiLoader
53136d19559089e0674af4ad81621b99a031741edcc486eb3d402fd180b1b77e
ModiLoader
5ef2d70f9e7fa30c9fea637c8b0c60276ca69505640ffb417a27a320575f3807
ModiLoader
7f53893a9ce40e497ef34ecfc9c4f493b9d5dd7f989b60ffa248cbf289a1505a
ModiLoader
a1c561c21720c4f1c3626276db6afc2c12b1aae9304c78518763eb78454f84b8
ModiLoader
c86bcfe4e22cb50054b44e38fc4fb79624c4ed5bf9a26174754dbb5c1a6baff8
ModiLoader
daca967edea399a394a8fc24d5ee647d95dc6dadd9dd21e2945ae7a742b3aed8
ModiLoader
dc1c1c501965a46f02d345785cd1ec1f9bdb74f2defe3402c9e2b4a6f0959b8a
ModiLoader
deeeb57609c406b43e7e77a38726a357ab063d110c06e4f1c56eb491c20659ce
ModiLoader
+ 1'057 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
persistence trojan family:modiloader rat family:remcos
Link:
https://tria.ge/reports/201015-6yjt6dmmg6/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader Second Stage
ServiceHost packer
ModiLoader, DBatLoader
Remcos
Unpacked files
SH256 hash:
e8094459a8fbcf684a411188c294898454be6db6b3cf31185e346e8cd705744e
MD5 hash:
693215a0faed56425fafe6a4f0227422
SHA1 hash:
9ee11f6821da7ab9b67408e969358cc4ee871ae0
Link:
https://www.unpac.me/results/05ea58e3-ae59-4e5f-b2b6-b976858c7e94/
SH256 hash:
fff782830f323f49473402aac087bea89fa319afd0fe504476c9e8b038f9fce8
MD5 hash:
453044cd27142581835d24c31905ab10
SHA1 hash:
82e53802758d48321c9cf737b83547ae19b93286
Link:
https://www.unpac.me/results/05ea58e3-ae59-4e5f-b2b6-b976858c7e94/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Dropper
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/e8094459a8fbcf684a411188c294898454be6db6b3cf31185e346e8cd705744e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

iso 34dd03bd383aec692c5f4128ca9b5e2be3a0237ac9b6cc319aa54ecd28f13a3a

ModiLoader

Executable exe e8094459a8fbcf684a411188c294898454be6db6b3cf31185e346e8cd705744e

(this sample)

  
Dropped by
MD5 0584999a8eabc6c8124f17f18eb0a729
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/71548/
  
Dropped by
SHA256 34dd03bd383aec692c5f4128ca9b5e2be3a0237ac9b6cc319aa54ecd28f13a3a

Comments