MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e3517475ceabbcbd5ce21c969b50e71a8b45bf052dc1e3812dafb203dc656ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ModiLoader


Vendor detections: 7



SHA256 hash: 0e3517475ceabbcbd5ce21c969b50e71a8b45bf052dc1e3812dafb203dc656ec
SHA3-384 hash: 55d07f83c0a23a67a2e4fc0e4a3c3bbfcc050c475fee13b11cf3ba6e76bb33001a763937dab7931a70176a1a08231db3
SHA1 hash: 26db798ebfbb1faf4e83f77fb1ce6ccbfa025f36
MD5 hash: 24a3abda1343f46df2b7a21eef297ccb
humanhash: pasta-friend-carbon-gee
File name: DHL_857577.exe
Signature: ModiLoader
File size: 844'440 bytes
First seen: 2020-10-10 07:05:57 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 8d9f9200b1ff02857baaae4522e9e47f (5 x ModiLoader)
ssdeep: 12288:/uDiCtaeLlIPFPqqDgNYN5u/g7GWDftVHa0F8Gq8wjVDsX3erB9p6:mGCblI9PqqDCYN5BaWT7dwJDu
Threatray: 4 similar samples on MalwareBazaar
TLSH: A1058D32E2915437C1272A749C1B9765AB36FF102E38AC466BF42D5C5FF9790383A1A3
Reporter: abuse_ch
Tags: DHL exe ModiLoader


abuse_ch
Malspam distributing ModiLoader:

HELO: jovial-wilbur.52-162-254-219.plesk.page
Sending IP: 65.52.54.79
From: DHL <support@dhl.com>
Subject: Your AWB Shipment Has Arrived
Attachment: DHL_857577.IMG (contains "DHL_857577.exe")

Intelligence


File Origin
# of uploads: 1
# of downloads: 152
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Connection attempt
Launching the default Windows debugger (dwwin.exe)
Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 48 / 100
Behaviour
Threat name: Win32.Trojan.Wacatac
Status: Malicious
First seen: 2020-10-10 04:16:34 UTC
AV detection: 21 of 29 (72.41%)
Threat level: 5/5
Result
Malware family: modiloader
Score: 10/10
Tags: trojan family:modiloader
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
ModiLoader First Stage
ModiLoader, DBatLoader
Unpacked files
SHA256 hash: 0e3517475ceabbcbd5ce21c969b50e71a8b45bf052dc1e3812dafb203dc656ec
MD5 hash: 24a3abda1343f46df2b7a21eef297ccb
SHA1 hash: 26db798ebfbb1faf4e83f77fb1ce6ccbfa025f36
SHA256 hash: 77e82a96526f9ec7716762f61f21375db94fe4a244c109d53b0aac6d538d2a93
MD5 hash: 8ad4806e993cb2a0ebdc2b4b65564d28
SHA1 hash: e158e5c4f626c4a270251e82a6caf33c821fb728
Detections: win_dbatloader_auto
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: win_dbatloader_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

Executable exe 0e3517475ceabbcbd5ce21c969b50e71a8b45bf052dc1e3812dafb203dc656ec (this sample)
Delivery method
Distributed via e-mail attachment

Comments