MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3feaf830444cc6786b6d4e06bd4a2aef79519ebe3e336882d410268db96292c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f3feaf830444cc6786b6d4e06bd4a2aef79519ebe3e336882d410268db96292c
SHA3-384 hash: 6c995dba29d60977fe0d2aab802e8cc8d11350d95a63f4fc8072c4d34505e0d3e6e0cec73d057d2b4e433f6ab78531ef
SHA1 hash: 2d2805fadff31b16bc66e4833b1c17ef9140a95b
MD5 hash: 929d7329073f6fd0831dcb87ad512691
humanhash: skylark-quiet-cup-foxtrot
File name:kopija bankovnog placanja - 90000 eura.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:902'144 bytes
First seen:2022-09-15 11:43:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8bbd6f19009894fa1ab803b23f677f9e (3 x ModiLoader, 1 x RemcosRAT)
ssdeep 12288:xOoNkC1LR7d1g1Iasz4l4yDoCHjsG83q/rhf7fvQB6W:xbpRh1i+4ToT3q/lvk6
TLSH T17215ADF2B2F0DA33C123097ECF6A32569A7D7EA10915744E57D83948DF742C1242DAAB
TrID 84.1% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
4.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.1% (.SCR) Windows screen saver (13101/52/3)
2.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 33d0d89696d8d033 (14 x ModiLoader, 9 x DBatLoader, 6 x Formbook)
Reporter TeamDreier
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
235
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
kopija bankovnog placanja - 90000 eura.exe
Verdict:
Malicious activity
Analysis date:
2022-09-16 08:14:34 UTC
Tags:
keylogger remcos stealer
Link:
https://app.any.run/tasks/262e7fce-c22e-4925-9749-4b9c8c1a8233

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/310219/
Detection(s):
SecuriteInfo.com.Trojan.Siggen18.41399.13008.13246.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Sending a custom TCP request
DNS request
Creating a file
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Running batch commands
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/37694/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger
Link:
https://www.filescan.io/uploads/6323105e35180ec88e2cb01f/reports/cef27fae-caae-4d56-b425-0038d9c10a22/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1a3df4a5-584c-446f-b1e1-759a959084b5
Result
Threat name:
DBatLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1070852
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Deletes itself after installation
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 703395 Sample: kopija bankovnog placanja -... Startdate: 15/09/2022 Architecture: WINDOWS Score: 100 87 Malicious sample detected (through community Yara rule) 2->87 89 Antivirus detection for dropped file 2->89 91 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->91 93 6 other signatures 2->93 10 kopija bankovnog placanja - 90000 eura.exe 1 17 2->10         started        15 Gpmlfzao.exe 13 2->15         started        17 java1.exe 14 2->17         started        19 3 other processes 2->19 process3 dnsIp4 67 ph-files.fe.1drv.com 10->67 73 2 other IPs or domains 10->73 57 C:\Users\Public\Librariesbehaviorgraphpmlfzao.exe, PE32 10->57 dropped 59 C:\Users\...behaviorgraphpmlfzao.exe:Zone.Identifier, ASCII 10->59 dropped 61 C:\Users\Public\Librariesbehaviorgraphpmlfzao, data 10->61 dropped 105 Creates multiple autostart registry keys 10->105 107 Injects a PE file into a foreign processes 10->107 21 kopija bankovnog placanja - 90000 eura.exe 5 5 10->21         started        69 l-0003.l-dc-msedge.net 13.107.43.12, 443, 49719, 49721 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 15->69 71 192.168.2.1 unknown unknown 15->71 75 3 other IPs or domains 15->75 109 Multi AV Scanner detection for dropped file 15->109 111 Machine Learning detection for dropped file 15->111 24 Gpmlfzao.exe 15->24         started        77 3 other IPs or domains 17->77 28 java1.exe 17->28         started        79 9 other IPs or domains 19->79 30 java1.exe 19->30         started        32 Gpmlfzao.exe 19->32         started        34 java1.exe 19->34         started        file5 signatures6 process7 dnsIp8 51 C:\java1\java1.exe, PE32 21->51 dropped 53 C:\java1\java1.exe:Zone.Identifier, ASCII 21->53 dropped 55 C:\Users\user\AppData\Local\...\install.vbs, data 21->55 dropped 36 wscript.exe 1 21->36         started        63 newehmpage.webredirect.org 45.83.129.166, 49750, 5564 GLOBALROUTEUS Netherlands 24->63 65 geoplugin.net 178.237.33.50, 49752, 80 ATOM86-ASATOM86NL Netherlands 24->65 97 Creates multiple autostart registry keys 24->97 99 Writes to foreign memory regions 24->99 101 Maps a DLL or memory area into another process 24->101 103 Installs a global keyboard hook 24->103 39 svchost.exe 24->39         started        file9 signatures10 process11 signatures12 95 Deletes itself after installation 36->95 41 cmd.exe 1 36->41         started        process13 process14 43 java1.exe 13 41->43         started        47 conhost.exe 41->47         started        dnsIp15 81 ph-files.fe.1drv.com 43->81 83 onedrive.live.com 43->83 85 55zx5q.ph.files.1drv.com 43->85 113 Multi AV Scanner detection for dropped file 43->113 115 Machine Learning detection for dropped file 43->115 117 Injects a PE file into a foreign processes 43->117 49 java1.exe 43->49         started        signatures16 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f3feaf830444cc6786b6d4e06bd4a2aef79519ebe3e336882d410268db96292c/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-09-14 06:13:24 UTC
File Type:
PE (Exe)
Extracted files:
45
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6p7k7ayeitggpbvw2tqgxvfcv33zkgpl4prtncbniebgrw4wfewa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:remotehost persistence rat trojan
Link:
https://tria.ge/reports/220915-nv6e4sche8/
Behaviour
Modifies registry class
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
newehmpage.webredirect.org:5564
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/baa84733-c84e-487d-82d8-2a39a396650c
Unpacked files
SH256 hash:
002d54f655cf8f16866c478261daadd51896310839a7e3da98ace9873323c9fc
MD5 hash:
eb295d7d7804e778f9f5ae4783379ccc
SHA1 hash:
d1b9df6113a548dd362fc0cb611c78eef2124f73
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/7d18d910-d8df-4a77-b3dd-2e7881100047/
Parent samples :
e678b49addfe3e9fa2c9836bf6d0cc3bed0310f87cdcafd0fce458985c5276c8
911c27a105a2e71591d12567053d8024f4c15c95ce4f1d67937ef1a3d723c263
7ff888a459a2476f9e3dfcaf8799f30bc24808d103606512503949b3ab818cc4
61d2d7bcb9665785fd5571a546cbad026f349a138e2a32f2dbeed90f5480a0a3
24b237c6dcd5b3f5cb3e687e4fa169fef7bce3f6fe1eb5a89bafd99656dfd353
4272fd59d96204a2d503f3356fe96fed2c6d3bf019c7ef25aacff0e1c36a758a
f3feaf830444cc6786b6d4e06bd4a2aef79519ebe3e336882d410268db96292c
e7f4fdb02b9f0f43c5325e8b0ea8ce07ee78c5aa63ccfb1892b079bbd2400874
c60e8a14abc81ae3f2ffbe04b32240a92b900107e4acc9eb88e43632aee1266c
44e94b15723fb3ee7cf9d710939d7fda2273622f2284e30cfa67d280a206eb62
SH256 hash:
f3feaf830444cc6786b6d4e06bd4a2aef79519ebe3e336882d410268db96292c
MD5 hash:
929d7329073f6fd0831dcb87ad512691
SHA1 hash:
2d2805fadff31b16bc66e4833b1c17ef9140a95b
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/7d18d910-d8df-4a77-b3dd-2e7881100047/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f3feaf830444/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f3feaf830444cc6786b6d4e06bd4a2aef79519ebe3e336882d410268db96292c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:RansomwareTest4
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest5
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

Executable exe f3feaf830444cc6786b6d4e06bd4a2aef79519ebe3e336882d410268db96292c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/310219/

Comments