MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8608a3ef512bce8dbb388a81890968676d99a89e11ca282bcc846ed19fdc6ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ModiLoader

Vendor detections: 8



SHA256 hash: f8608a3ef512bce8dbb388a81890968676d99a89e11ca282bcc846ed19fdc6ca
SHA3-384 hash: 81e8f6827d6dac75d353117a2c354e507460ea322f8265637a3975c604c2ec3b535cace60a9a8db3319d28c1c7ada7cb
SHA1 hash: 9569b5eb572f70eb8b86e79c0eccb6b704000f58
MD5 hash: 82c53d0cf1f407945a3feeb961336a9c
humanhash: november-spaghetti-idaho-earth
File name: 82c53d0cf1f407945a3feeb961336a9c.exe
Signature: ModiLoader
File size: 1'241'792 bytes
First seen: 2020-11-04 09:23:51 UTC
Last seen: 2020-11-04 10:39:28 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: eb7f24d623823df7a34ad95dfb8bfd95 (15 x ModiLoader, 1 x AveMariaRAT, 1 x Loki)
ssdeep: 24576:g0S5Bo6taFaaRKDZAI89d6yzEJR4KpQSM2VHfoj:gpjExRbzEJuKpRM2E
Threatray: 1'199 similar samples on MalwareBazaar
TLSH: B4455C72F640D431E42229755D1BC6FCA43ABDB02D24940A7BE9EF5C2E362D3B936247
Reporter: abuse_ch
Tags: exe ModiLoader

Intelligence

File Origin
# of uploads: 2
# of downloads: 89
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Connection attempt to an infection source
Unauthorized injection to a system process
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: ModiLoader Remcos
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign process
Malicious sample detected (through community Yara rule)
Sigma detected: Fodhelper UAC Bypass
Writes to foreign memory regions
Yara detected ModiLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph: [graph image not recoverable; Behavior Graph ID: 309087, Sample: Cj7oBJUYX8.exe, Start date: 04/11/2020, Architecture: WINDOWS, Score: 100]
Threat name: Win32.Trojan.FormBook
Status: Malicious
First seen: 2020-11-04 09:25:10 UTC
AV detection: 26 of 29 (89.66%)
Threat level: 5/5

Result
Malware family: modiloader
Score: 10/10
Tags: family:modiloader persistence trojan
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader Second Stage
ModiLoader, DBatLoader
Unpacked files
SHA256 hash: f8608a3ef512bce8dbb388a81890968676d99a89e11ca282bcc846ed19fdc6ca
MD5 hash: 82c53d0cf1f407945a3feeb961336a9c
SHA1 hash: 9569b5eb572f70eb8b86e79c0eccb6b704000f58

SHA256 hash: 5f024670eb7a3bc4db9275b056aae0ecc88b896bfd0142ce2a27fe3d33106670
MD5 hash: 78ea5cb15bc928c1886043baa35930a7
SHA1 hash: 3dbd8b412cf6841b541a2cc24d123de9f7988e69
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: ModiLoader
File: Executable exe f8608a3ef512bce8dbb388a81890968676d99a89e11ca282bcc846ed19fdc6ca (this sample)
