MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9fc679cd72fd47ecd857ca86fffe2f0bbd1c880d5d5cad8c02ae9082b1239f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f9fc679cd72fd47ecd857ca86fffe2f0bbd1c880d5d5cad8c02ae9082b1239f2
SHA3-384 hash: 72e1a9a3ece94ee9b6980aaca96a7de559fec2ef2b8be3ce57e05294296fd267155098ece5d722e0935dbf937db0f78a
SHA1 hash: 3dec33ff0ad5e62fd87049197828c66e8b5d42b8
MD5 hash: 908bff634f743b4a6e6a9a07da4d73b1
humanhash: paris-california-december-wolfram
File name:Purchase Order_Request for QUOTE Specs.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'009'664 bytes
First seen:2022-07-26 13:21:27 UTC
Last seen:2022-07-26 19:53:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 205f6434858f3f8cc9e8b96d094507a2 (8 x DBatLoader, 4 x ModiLoader, 3 x AveMariaRAT)
ssdeep 24576:5DA1mchKTwkH17WtMBhiUDxvHiMYStUtVSn52pAf2rDNtl2aCHX:5Dhc8ZPbVI5Sn52KN
TLSH T193258D31F6D24433D073277C5D1B8665A92ABE003A78D88A2BED2D8C1FF968179352D7
TrID 61.1% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
24.1% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
10.7% (.OCX) Windows ActiveX control (116521/4/18)
1.3% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.2% (.SCR) Windows screen saver (13101/52/3)
File icon (PE):PE icon
dhash icon c49af2e8ece0e6dc (8 x DBatLoader, 3 x ModiLoader, 2 x AveMariaRAT)
Reporter James_inthe_box
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
250
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/294286/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.12280.17299.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching the process to interact with network services
Launching a process
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/27489/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware keylogger obfuscated packed
Link:
https://www.filescan.io/uploads/62dfea7ea2f481deb96a5994/reports/6f3769ee-5298-4562-a3d4-dbd2901e886b/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2406ebe4-c719-4bbb-bd4d-65ca3e6188c9
Result
Threat name:
AveMaria, UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1041073
Signature
Antivirus detection for dropped file
Contains functionality to hide user accounts
Detected unpacking (creates a PE file in dynamic memory)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AveMaria stealer
Yara detected UAC Bypass using ComputerDefaults
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 673567 Sample: Purchase Order_Request for ... Startdate: 26/07/2022 Architecture: WINDOWS Score: 100 40 mosesmanservernew.hopto.org 2->40 46 Multi AV Scanner detection for domain / URL 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Antivirus detection for dropped file 2->50 52 7 other signatures 2->52 9 Purchase Order_Request for QUOTE Specs.exe 1 21 2->9         started        14 Jgatay.exe 13 2->14         started        16 Jgatay.exe 14 2->16         started        signatures3 process4 dnsIp5 44 morientlines.com 103.11.189.121, 443, 49738, 49739 VODIEN-AS-AP-LOC2VodienInternetSolutionsPteLtdSG Singapore 9->44 34 C:\Users\Public\Libraries\Jgatay.exe, PE32 9->34 dropped 36 C:\Users\Public\Libraries\JgatayO.bat, ASCII 9->36 dropped 38 C:\Users\...\Jgatay.exe:Zone.Identifier, ASCII 9->38 dropped 58 Injects a PE file into a foreign processes 9->58 18 Purchase Order_Request for QUOTE Specs.exe 3 2 9->18         started        22 cmd.exe 1 9->22         started        60 Multi AV Scanner detection for dropped file 14->60 24 Jgatay.exe 1 14->24         started        26 Jgatay.exe 1 16->26         started        file6 signatures7 process8 dnsIp9 42 mosesmanservernew.hopto.org 185.222.57.173, 49743, 49744, 49757 ROOTLAYERNETNL Netherlands 18->42 54 Increases the number of concurrent connection per server for Internet Explorer 18->54 56 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->56 28 cmd.exe 1 22->28         started        30 conhost.exe 22->30         started        signatures10 process11 process12 32 conhost.exe 28->32         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f9fc679cd72fd47ecd857ca86fffe2f0bbd1c880d5d5cad8c02ae9082b1239f2/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-07-26 10:09:58 UTC
File Type:
PE (Exe)
Extracted files:
44
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7h6gphgxf7kh5tmfpsug777c6c55dsea2xk4vwgafluqqkyshhza._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:warzonerat infostealer persistence rat trojan
Link:
https://tria.ge/reports/220726-ql8vzshhbn/
Behaviour
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
ModiLoader Second Stage
Warzone RAT payload
ModiLoader, DBatLoader
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
e5cee39f56c43d207f40862077d5b015e62929ff21f9de4e45c3b958c8947770
MD5 hash:
0de7dbbda445e257c9169774b9a8000b
SHA1 hash:
23ab78a6fdd513f2b3877efc92a71fe7d44db0db
Link:
https://www.unpac.me/results/c0eb4381-b591-4fcf-89e2-3652bbb6fbe0/
SH256 hash:
f9fc679cd72fd47ecd857ca86fffe2f0bbd1c880d5d5cad8c02ae9082b1239f2
MD5 hash:
908bff634f743b4a6e6a9a07da4d73b1
SHA1 hash:
3dec33ff0ad5e62fd87049197828c66e8b5d42b8
Link:
https://www.unpac.me/results/c0eb4381-b591-4fcf-89e2-3652bbb6fbe0/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/294286/

Comments