MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 29e976622956314e13cff9fce7e829a27827214ddcfd41ccd33fc4faca45b566. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 29e976622956314e13cff9fce7e829a27827214ddcfd41ccd33fc4faca45b566
SHA3-384 hash: 1556e84806573bf20cf5334f4aeef2e047e2e9c423786ae59959a25244aa42cb0bd0606cc4a7abfd554468c59e2f7a32
SHA1 hash: fd8b3acfa2cca5c006d3196e3b834c27b75728d8
MD5 hash: 022633585f48d1b513ffb7696fd6973a
humanhash: steak-high-november-missouri
File name:Nzulmlu_Signed_.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'037'976 bytes
First seen:2020-10-13 17:43:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c242d5261d9662dc5ba58d8e22ce5eb1 (11 x ModiLoader, 1 x Loki, 1 x RemcosRAT)
ssdeep 24576:Bjo1Kn74XfBU8Rup5qmz5zd9QkuoNcAOQ9GeUH1mn:B0s70fBUdLqM5ck7NcR7W
Threatray 845 similar samples on MalwareBazaar
TLSH 0C25AFF2F2914437D1371A788C1BA3B9693A7E132E2CA886ABF41D4C5F356417C39297
Reporter abuse_ch
Tags:exe ModiLoader UPS


Avatar
abuse_ch
Malspam distributing ModiLoader:

HELO: pensive-goldstine.52-177-9-70.plesk.page
Sending IP: 52.177.9.70
From: "UPS Customer Service" <customer@ups.com>
Subject: UPS - Pending delivery
Attachment: ups_attachment.iso (contains "Nzulmlu_Signed_.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70564/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/490121
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Fodhelper UAC Bypass
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 297505 Sample: Nzulmlu_Signed_.exe Startdate: 13/10/2020 Architecture: WINDOWS Score: 100 50 Malicious sample detected (through community Yara rule) 2->50 52 Antivirus / Scanner detection for submitted sample 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 7 other signatures 2->56 8 Nzulmlu_Signed_.exe 1 15 2->8         started        13 Nzuldrv.exe 13 2->13         started        15 Nzuldrv.exe 13 2->15         started        process3 dnsIp4 42 discord.com 162.159.135.232, 443, 49730, 49731 CLOUDFLARENETUS United States 8->42 44 cdn.discordapp.com 162.159.135.233, 443, 49732, 49753 CLOUDFLARENETUS United States 8->44 40 C:\Users\user\AppData\Local\...40zuldrv.exe, PE32 8->40 dropped 58 Writes to foreign memory regions 8->58 60 Allocates memory in foreign processes 8->60 62 Creates a thread in another existing process (thread injection) 8->62 64 Injects a PE file into a foreign processes 8->64 17 notepad.exe 4 8->17         started        20 ieinstal.exe 8->20         started        46 162.159.130.233, 443, 49749 CLOUDFLARENETUS United States 13->46 48 162.159.136.232, 443, 49747, 49748 CLOUDFLARENETUS United States 13->48 66 Antivirus detection for dropped file 13->66 68 Multi AV Scanner detection for dropped file 13->68 22 ieinstal.exe 13->22         started        24 ieinstal.exe 15->24         started        file5 signatures6 process7 file8 38 C:\Users\Public38atso.bat, ASCII 17->38 dropped 26 cmd.exe 1 17->26         started        28 cmd.exe 1 17->28         started        30 WerFault.exe 20 7 20->30         started        process9 process10 32 conhost.exe 26->32         started        34 reg.exe 1 1 26->34         started        36 conhost.exe 28->36         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/29e976622956314e13cff9fce7e829a27827214ddcfd41ccd33fc4faca45b566/
Threat name:
Win32.Hacktool.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2020-10-13 14:45:57 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fhuxmyrjkyyu4e6p7h6op2bjuj4coikn3t6udtgth7cpvssfwvta._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
003aa42b38825ff5afd6bc9f288ce23c4b6a654b17865eea5cddabb5d5ca332e
ModiLoader
509cc1160a4457f7919bb870d59f8e16c311757780172b72b29d506fdd54eeda
ModiLoader
5cc6ce7f61d7f88aecd12284a5801e55ee4e000121eb9a85f2b5db16c8735a50
ModiLoader
7f53893a9ce40e497ef34ecfc9c4f493b9d5dd7f989b60ffa248cbf289a1505a
ModiLoader
835109646cd221028859f7d4c7de74be962091d60840952ca85053e396fdc593
ModiLoader
929aed244ea7ad68ca44b6274a388dcc772b9d4bc6f4e2cb4370555ecc292c80
ModiLoader
b1e43124a401714ce72691a059cfaf3182e0e63986ab8e165d8333bf11540568
ModiLoader
c358b44f578fd2dedbb1899038415395ae2052c113aaa149481cde295e022bda
ModiLoader
dc1c1c501965a46f02d345785cd1ec1f9bdb74f2defe3402c9e2b4a6f0959b8a
ModiLoader
dd4198b0a2a1c500bed498963e966d3476b778e1b917434847abb81c987fba55
ModiLoader
+ 835 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
persistence trojan family:modiloader
Link:
https://tria.ge/reports/201013-nsh9v1tpzn/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader First Stage
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
99ea940694fcebc8ab69dc86f5f2445b46149fa96d0840eda38184f09b908940
MD5 hash:
5914b8a91f6bad0e3a3a5a50c9737793
SHA1 hash:
68cca0c5b828930444206139fdccca65205305aa
Detections:
win_dbatloader_auto
Create hunting rule
Link:
https://www.unpac.me/results/e7781bfe-ceb8-4528-875d-af38d4cdeb1d/
SH256 hash:
29e976622956314e13cff9fce7e829a27827214ddcfd41ccd33fc4faca45b566
MD5 hash:
022633585f48d1b513ffb7696fd6973a
SHA1 hash:
fd8b3acfa2cca5c006d3196e3b834c27b75728d8
Link:
https://www.unpac.me/results/e7781bfe-ceb8-4528-875d-af38d4cdeb1d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/29e976622956314e13cff9fce7e829a27827214ddcfd41ccd33fc4faca45b566

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_dbatloader_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

iso 88207a32009ece885449dc402d5a82666bcd7cf5909f39d4da7fa969a91b8c65

ModiLoader

Executable exe 29e976622956314e13cff9fce7e829a27827214ddcfd41ccd33fc4faca45b566

(this sample)

  
Dropped by
MD5 c484cd40ba4100f9e28328b4e54c9218
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70564/
  
Dropped by
SHA256 88207a32009ece885449dc402d5a82666bcd7cf5909f39d4da7fa969a91b8c65

Comments