MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f37aaec005b8c49d6376b138c96b2219b3060098ff5cd11d143a4983d2f9187b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f37aaec005b8c49d6376b138c96b2219b3060098ff5cd11d143a4983d2f9187b
SHA3-384 hash: e188e2681844ed721062efda6e31ba2ab36cd54cbca9c6f3a878f47fa11a0bf896498187b66a5fdaf36f2123dc15aee3
SHA1 hash: f23f2fd473fef07ea14e1fac53d70972aee365eb
MD5 hash: 14f1003bd8f4dc8e13a5a725b44fa12f
humanhash: alaska-angel-fanta-paris
File name:Xhyyuptltsmccb.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'027'584 bytes
First seen:2022-09-28 16:54:31 UTC
Last seen:2022-09-30 09:32:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d327c770dcde2c326f621c13e64d15a0 (2 x ModiLoader, 1 x FormBook)
ssdeep 24576:Ckb0afaPqkuuvxYe6aUMdXstoXwbPfQ9W8AoqiVNWd:Ck4Ku5YhMVstmsz
Threatray 1'954 similar samples on MalwareBazaar
TLSH T1A725BF537291C537C23F21356E1F92A97B28FE013C249D9936E4FE7C6B3A6607029792
TrID 26.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
24.5% (.SCR) Windows screen saver (13101/52/3)
19.7% (.EXE) Win64 Executable (generic) (10523/12/4)
8.4% (.EXE) Win32 Executable (generic) (4505/5/1)
5.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon 74f7e3db9fc5efca (4 x ModiLoader, 2 x Formbook)
Reporter GovCERT_CH
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
383
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/314457/
Detection(s):
SecuriteInfo.com.Variant.Zusy.438336.24504.4278.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Unauthorized injection to a recently created process
Sending an HTTP GET request
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Sending a TCP request to an infection source
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/39784/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger
Link:
https://www.filescan.io/uploads/63347c68d089a0c15dd299f9/reports/500c28d6-ba32-4061-a610-fae034e3fba2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d68d5878-01d8-44db-91ef-0c180cfe4099
Result
Threat name:
DBatLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1079438
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 711993 Sample: Xhyyuptltsmccb.exe Startdate: 28/09/2022 Architecture: WINDOWS Score: 100 51 Multi AV Scanner detection for domain / URL 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Antivirus / Scanner detection for submitted sample 2->55 57 6 other signatures 2->57 7 Xhyyuptltsmccb.exe 1 21 2->7         started        12 Wccbsoie.exe 16 2->12         started        14 Wccbsoie.exe 16 2->14         started        process3 dnsIp4 37 l-0003.l-dc-msedge.net 13.107.43.12, 443, 49702, 49706 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 7->37 39 l-0004.l-dc-msedge.net 13.107.43.13, 443, 49701, 49705 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 7->39 45 3 other IPs or domains 7->45 27 C:\Users\Public\Libraries\Wccbsoie.exe, PE32 7->27 dropped 29 C:\Users\...\Wccbsoie.exe:Zone.Identifier, ASCII 7->29 dropped 31 C:\Users\Public\Libraries\Wccbsoie, data 7->31 dropped 59 Contains functionality to inject threads in other processes 7->59 61 Injects a PE file into a foreign processes 7->61 16 Xhyyuptltsmccb.exe 2 13 7->16         started        19 MpCmdRun.exe 1 7->19         started        41 onedrive.live.com 12->41 47 2 other IPs or domains 12->47 63 Antivirus detection for dropped file 12->63 65 Multi AV Scanner detection for dropped file 12->65 21 Wccbsoie.exe 12->21         started        43 onedrive.live.com 14->43 49 2 other IPs or domains 14->49 23 Wccbsoie.exe 14->23         started        file5 signatures6 process7 dnsIp8 33 freetogo01.ddns.net 194.5.98.164, 4545, 49707 DANILENKODE Netherlands 16->33 35 geoplugin.net 178.237.33.50, 49708, 80 ATOM86-ASATOM86NL Netherlands 16->35 25 conhost.exe 19->25         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f37aaec005b8c49d6376b138c96b2219b3060098ff5cd11d143a4983d2f9187b/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-09-23 08:43:54 UTC
File Type:
PE (Exe)
Extracted files:
54
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6n5k5qafxdcj2y3wwe4ms2zcdgzqmaey75onchiuhjeyhuxzdb5q._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
217bb63194104a743dea34fafc9d8f38c842cde812ec86dfff64b03526bd2d89
ModiLoader
27b4a6f09b24a1f951811105ca5bf9d93074a352a37497374ef12807646ca502
ModiLoader
2929451852384ac9f1b289746f767b752e04ec5d778b9538ac761cb175006948
ModiLoader
4272fd59d96204a2d503f3356fe96fed2c6d3bf019c7ef25aacff0e1c36a758a
ModiLoader
454d090924d15eaeca3540419ccae9ce956e2dc1ff71593971e4112b843f237f
ModiLoader
549fe9a927aac026017a15738e4e4f82ec626a4396472eed653095cbe760a79a
ModiLoader
62b02a89307278de7cbdfa300d7ecd8242e2066c4328ab384814662f7a8b3cbb
ModiLoader
dd375fd420befcd2190371c76995bd2a80c1bb39f9941c6c4af1d10aa20c0e9a
ModiLoader
+ 1'944 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:gusta persistence rat trojan
Link:
https://tria.ge/reports/220928-ve4d5sgfa6/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
freetogo01.ddns.net:4545
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/af331428-44e4-4143-9f81-22c35c04d828
Unpacked files
SH256 hash:
b44efc99aa637abb6b32fe45f0edfdc6e82f5626984d06c6c660690568ca7335
MD5 hash:
659102b565fb5ad1bd6f6cb31212bd86
SHA1 hash:
ec86a329feab1ba5c8e4aef14bad74db022ab5e0
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/163b7a7e-738e-46b0-9725-064cbd359620/
Parent samples :
faac5f6037f14d4d1dcb0b34b555c89791b536ea01a8bafa8851f3659c0123d7
6d68db4d0aa5bfc75ed6eb34a3680abb7ee99af0138419324e65749af1ba4b40
1f1b956451f7e90c7e306a4d0d762aa0d1f9b1b7c639ed8eda1a16dcdfa5b870
ac5e5935c877d48be14314d53a7154e370426a35168c82cb9ee83b7e98d02f28
f37aaec005b8c49d6376b138c96b2219b3060098ff5cd11d143a4983d2f9187b
SH256 hash:
f37aaec005b8c49d6376b138c96b2219b3060098ff5cd11d143a4983d2f9187b
MD5 hash:
14f1003bd8f4dc8e13a5a725b44fa12f
SHA1 hash:
f23f2fd473fef07ea14e1fac53d70972aee365eb
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/163b7a7e-738e-46b0-9725-064cbd359620/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f37aaec005b8c49d6376b138c96b2219b3060098ff5cd11d143a4983d2f9187b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

rar 60eb563d0fef495c71b8a5d79cf02861a600dfd5903ea2d76bb0ec41a50d5cc0

ModiLoader

Executable exe f37aaec005b8c49d6376b138c96b2219b3060098ff5cd11d143a4983d2f9187b

(this sample)

  
Dropped by
ModiLoader
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/314457/
  
Dropped by
SHA256 60eb563d0fef495c71b8a5d79cf02861a600dfd5903ea2d76bb0ec41a50d5cc0
  
Dropped by
MD5 8698ba9cff409abcc582ccf2d0c7bfab

Comments