MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0444972f4976d21a707c947f936ee857584f0dee44e795c6dc7cb86d9b28eddd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0444972f4976d21a707c947f936ee857584f0dee44e795c6dc7cb86d9b28eddd
SHA3-384 hash: dd3e85054ffdeaeb5d4ad3da7e199c7838506a2b2ca3aaa8e184b869a71faa90cc96793ba87ae63b60c7d117699d2bb8
SHA1 hash: 2872acdc8bd35da70366fd302aae3b7f1622591e
MD5 hash: b910508f0f4f13119ca36d5b557ac22c
humanhash: avocado-orange-alpha-winner
File name:LHRR003805821.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:981'976 bytes
First seen:2020-10-05 13:21:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8dadb07b7d4cd20e1b2cc994c690a7d3 (7 x ModiLoader, 3 x Loki, 1 x Pony)
ssdeep 12288:YB/Z3LDx5poUjzEKGsMDTOVeryD+X1pSlRk1/jYGloIZLIyADyJCC5jdmp65dy3Q:YImI8hXXhb/oHX+e9KUIddHlLQ
Threatray 2'383 similar samples on MalwareBazaar
TLSH EF259E12B292D432D02216749C6BC2ECCD25BFA17D54684B36E93F7F2E362D2741A94F
Reporter abuse_ch
Tags:DHL exe ModiLoader


Avatar
abuse_ch
Malspam distributing ModiLoader:

HELO: mail-out-06.forthnet.gr
Sending IP: 193.92.3.90
From: e-billing.uk1@dhl.com
Subject: Your latest DHL invoice : LHRR003805821
Attachment: LHRR003805821.zip (contains "LHRR003805821.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
135
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/68247/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Launching cmd.exe command interpreter
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/481558
Signature
Allocates memory in foreign processes
Detected FormBook malware
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Steal Google chrome login data
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 293312 Sample: LHRR003805821.exe Startdate: 05/10/2020 Architecture: WINDOWS Score: 100 77 Malicious sample detected (through community Yara rule) 2->77 79 Multi AV Scanner detection for submitted file 2->79 81 Sigma detected: Steal Google chrome login data 2->81 83 3 other signatures 2->83 10 LHRR003805821.exe 1 15 2->10         started        process3 dnsIp4 63 cdn.discordapp.com 162.159.129.233, 443, 49724, 49738 CLOUDFLARENETUS United States 10->63 65 discord.com 162.159.137.232, 443, 49721, 49723 CLOUDFLARENETUS United States 10->65 45 C:\Users\user\AppData\Local\...\Qgudnek.exe, PE32 10->45 dropped 101 Writes to foreign memory regions 10->101 103 Allocates memory in foreign processes 10->103 105 Injects a PE file into a foreign processes 10->105 15 ieinstal.exe 10->15         started        file5 signatures6 process7 signatures8 107 Modifies the context of a thread in another process (thread injection) 15->107 109 Maps a DLL or memory area into another process 15->109 111 Sample uses process hollowing technique 15->111 113 Queues an APC in another process (thread injection) 15->113 18 explorer.exe 4 15->18 injected process9 dnsIp10 47 www.rednermarket.com 18->47 49 www.lashedbybuggy.com 18->49 21 help.exe 18 18->21         started        25 Qgudnek.exe 13 18->25         started        28 Qgudnek.exe 13 18->28         started        30 cmd.exe 18->30         started        process11 dnsIp12 41 C:\Users\user\AppData\...\1M2logrv.ini, data 21->41 dropped 43 C:\Users\user\AppData\...\1M2logri.ini, data 21->43 dropped 85 Detected FormBook malware 21->85 87 Tries to steal Mail credentials (via file access) 21->87 89 Tries to harvest and steal browser information (history, passwords, etc) 21->89 99 3 other signatures 21->99 32 cmd.exe 2 21->32         started        51 162.159.135.232, 443, 49736, 49737 CLOUDFLARENETUS United States 25->51 53 discord.com 25->53 55 cdn.discordapp.com 25->55 91 Multi AV Scanner detection for dropped file 25->91 93 Writes to foreign memory regions 25->93 95 Allocates memory in foreign processes 25->95 97 Injects a PE file into a foreign processes 25->97 35 ieinstal.exe 25->35         started        57 192.168.2.1 unknown unknown 28->57 59 discord.com 28->59 61 cdn.discordapp.com 28->61 37 ieinstal.exe 28->37         started        file13 signatures14 process15 signatures16 67 Tries to harvest and steal browser information (history, passwords, etc) 32->67 69 Tries to detect virtualization through RDTSC time measurements 32->69 39 conhost.exe 32->39         started        71 Modifies the context of a thread in another process (thread injection) 35->71 73 Maps a DLL or memory area into another process 35->73 75 Sample uses process hollowing technique 35->75 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0444972f4976d21a707c947f936ee857584f0dee44e795c6dc7cb86d9b28eddd/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2020-10-05 12:33:57 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=arcjol2jo3jbu4d4sr7zg3xik5me6dpoittzlrw4ps4g3gzi5xoq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0538ad6e3f92ea13a5a3dadb18e807ce26097bbfd2f473e873a514b6dbbe8f5d
ModiLoader
145880ed94e0db3cab65cb54db4728520f1ac5f95ff2b0dda2650233542dd706
ModiLoader
3e8e7c9ebb8ae4bbb723e1974f176f8cb82ec0fb4e1890ee1f4feed08ae76058
ModiLoader
426ffa75739fe8c76f9b42c13944cbde5de6715394131f8e02fa83027de328f2
ModiLoader
4bc2794576ebc0396a825e7b5f5fa26303e79972e7a2d68ded5cd68729288107
ModiLoader
b1809788389e6fbab24abc12b306b2cd4d88a59b983b5a469a63d923e572fa6b
ModiLoader
cc02c528f1eccf6891f5c97815c5c97560ca1c92849e35669bf061cb55e6289b
ModiLoader
d9600ffc9406d71c60b7eb036248230510c3b971a1de563ca7b8b57e822f7879
ModiLoader
dbdfc4a9100fa08d0bb6ca2879febbc5e0db4eca85168dfefb526b584976efaf
ModiLoader
e85f434810652692f3e0a0738d9156899afcbd2bed42a6f328f0092d72a1db34
ModiLoader
+ 2'373 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat persistence trojan family:modiloader spyware stealer family:formbook
Link:
https://tria.ge/reports/201005-2nakpsacxs/
Behaviour
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Formbook Payload
ModiLoader Second Stage
Formbook
ModiLoader, DBatLoader
Malware Config
C2 Extraction:
http://www.lincolnhca.com/cx1/
Unpacked files
SH256 hash:
0444972f4976d21a707c947f936ee857584f0dee44e795c6dc7cb86d9b28eddd
MD5 hash:
b910508f0f4f13119ca36d5b557ac22c
SHA1 hash:
2872acdc8bd35da70366fd302aae3b7f1622591e
Detections:
win_dbatloader_auto
Create hunting rule
Link:
https://www.unpac.me/results/55b520b1-2960-443a-a7a4-5e0fe825d5fc/
SH256 hash:
d0c251d4574720d455f000f2fff6634c9dfdf78c64ba706b6c5d6a95dcac7b01
MD5 hash:
2831d8e59a6471f9d1b46ef447b055b9
SHA1 hash:
6bb221e75200745f5addac6f9e92f3e8c529e4d9
Detections:
win_dbatloader_g0
Create hunting rule
Link:
https://www.unpac.me/results/55b520b1-2960-443a-a7a4-5e0fe825d5fc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0444972f4976d21a707c947f936ee857584f0dee44e795c6dc7cb86d9b28eddd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_dbatloader_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

zip d954dd8aa0582c4f75e8dce834cf88f5e5e8bb3f40b4aa07687dd3b584ce210d

ModiLoader

Executable exe 0444972f4976d21a707c947f936ee857584f0dee44e795c6dc7cb86d9b28eddd

(this sample)

  
Dropped by
MD5 89b1d9c77bcfda80747702e5dcee9519
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/68247/
  
Dropped by
SHA256 d954dd8aa0582c4f75e8dce834cf88f5e5e8bb3f40b4aa07687dd3b584ce210d

Comments