MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 359fa4b61a9a41f2362a8c09cc7b90067268786b47cf7ccc412c2d8d1bc77904. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 359fa4b61a9a41f2362a8c09cc7b90067268786b47cf7ccc412c2d8d1bc77904
SHA3-384 hash: 3b23ea1cc04b11ffe3ae1b7fe177fa121c21a31489ea564482883f60896f6536955183d5aa09bd03cb9a5b81ea18a5be
SHA1 hash: e9ea532f703045e0a205671cfb867f9e51db3cbc
MD5 hash: 98a0305e55afffa767e2ae0972d6a5fd
humanhash: minnesota-red-delaware-juliet
File name:DHL_889887.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'132'848 bytes
First seen:2020-10-24 06:23:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c69785fe9cbd1d77d7a9bfb5553fbd19 (4 x ModiLoader, 1 x NetWire, 1 x RemcosRAT)
ssdeep 12288:B8xnrNVGQcigXmng7X+XmYWGQO7lGcRvR+ec0X6Dm9tEx6/nlBweV+8YZqckawUl:AriQciDnQ9YWmRnfxyiBlukE
Threatray 118 similar samples on MalwareBazaar
TLSH E2358D216291CB37D0779AF54C16B77899A5BF00ED247C86F6ACEC485F36EC0782B192
Reporter abuse_ch
Tags:DHL exe ModiLoader


Avatar
abuse_ch
Malspam distributing ModiLoader:

HELO: jovial-wilbur.52-162-254-219.plesk.page
Sending IP: 52.162.182.115
From: DHL <support@dhl.com>
Subject: Your AWB Shipment Has Arrived
Attachment: DHL_889887.IMG (contains "DHL_889887.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/75176/
Detection(s):
SecuriteInfo.com.Fareit-FZO345F40C742FA.17750.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Setting a global event handler for the keyboard
Sending a TCP request to an infection source
Unauthorized injection to a system process
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/508560
Signature
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 303398 Sample: DHL_889887.exe Startdate: 24/10/2020 Architecture: WINDOWS Score: 100 44 Multi AV Scanner detection for domain / URL 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 8 other signatures 2->50 8 DHL_889887.exe 1 15 2->8         started        13 Ymkadrv.exe 13 2->13         started        15 Ymkadrv.exe 13 2->15         started        process3 dnsIp4 38 cdn.discordapp.com 162.159.129.233, 443, 49741, 49756 CLOUDFLARENETUS United States 8->38 40 discord.com 162.159.138.232, 443, 49740, 49755 CLOUDFLARENETUS United States 8->40 34 C:\Users\user\AppData\Local\...\Ymkadrv.exe, PE32 8->34 dropped 52 Writes to foreign memory regions 8->52 54 Creates a thread in another existing process (thread injection) 8->54 56 Injects a PE file into a foreign processes 8->56 17 ieinstal.exe 2 3 8->17         started        20 notepad.exe 4 8->20         started        58 Multi AV Scanner detection for dropped file 13->58 22 ieinstal.exe 13->22         started        42 162.159.133.233, 443, 49759 CLOUDFLARENETUS United States 15->42 24 ieinstal.exe 15->24         started        file5 signatures6 process7 dnsIp8 36 boot.awsmppl.com 185.165.153.126, 2266, 49754 DAVID_CRAIGGG Netherlands 17->36 26 cmd.exe 1 20->26         started        28 cmd.exe 1 20->28         started        process9 process10 30 conhost.exe 26->30         started        32 conhost.exe 28->32         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/359fa4b61a9a41f2362a8c09cc7b90067268786b47cf7ccc412c2d8d1bc77904/
Threat name:
Win32.Trojan.NetWired
Create hunting rule
Status:
Malicious
First seen:
2020-10-23 17:36:29 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gwp2jnq2tja7enrkrqe4y64qazzgq6dli7hxztcbfqwy2g6hpeca._file
Verdict:
suspicious
Similar samples:
19a73389eedc939c7060dda1dba9861db19f238a9da6e127d9674f72519478ef
ModiLoader
455ea8ac576f3d44ecb310e3068e3ff759c8d6bc43344a1ad11ea5762b85d201
ModiLoader
4776e02c6cd50638e0cfafc99146fd9296dea093143b7135a4d32e0767673c95
ModiLoader
5cbed2f8a5fdadbd99816c4c8792bd51a2db7479f80bf70409f0f257f942d0c9
ModiLoader
5efee2d98b3c2ff0a563442a5e16fc1a63c2d20fb6c9ad8bfa3e9a7a0a326524
ModiLoader
7ff052b87f0dd31a5426fa0a03cc6618ecc6bc5b1b7cfeab12ee1adf5dbffd41
ModiLoader
82b070a42d50b8e37b551543e041933140f3823138b0997fccd4ad926df8183b
ModiLoader
8546c35ea3d72e58b06dbcdb3d790fe9d39772ec986a2b89c406daab67efe79b
ModiLoader
9f425eb8fd149d006ba3d4902f80f24cc81c7e4215f66644b700da5b5a4edd03
ModiLoader
b6138e4d197c59380c87723cb54c9cf7d5e4600a4273c98723470a57a591edda
ModiLoader
+ 108 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
rat family:remcos persistence trojan family:modiloader
Link:
https://tria.ge/reports/201024-rjh6g6cd8e/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader First Stage
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
Unpacked files
SH256 hash:
7979ae4a3cce3226df50398ad6b8134ee98c477a7ce5a18b730370b7bf831818
MD5 hash:
3a97b06e7ea20868295cdee73fb5bcc2
SHA1 hash:
05d1bb71572c833872ac4062dc8e9d509ed2d9e0
Link:
https://www.unpac.me/results/2b900be0-16dd-4156-9a95-9b271ba2ae46/
SH256 hash:
359fa4b61a9a41f2362a8c09cc7b90067268786b47cf7ccc412c2d8d1bc77904
MD5 hash:
98a0305e55afffa767e2ae0972d6a5fd
SHA1 hash:
e9ea532f703045e0a205671cfb867f9e51db3cbc
Link:
https://www.unpac.me/results/2b900be0-16dd-4156-9a95-9b271ba2ae46/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/359fa4b61a9a41f2362a8c09cc7b90067268786b47cf7ccc412c2d8d1bc77904

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

img a4fc41792c7f57ed550bb25c64abec59d54fff947987c2455e6068786e786bf0

ModiLoader

Executable exe 359fa4b61a9a41f2362a8c09cc7b90067268786b47cf7ccc412c2d8d1bc77904

(this sample)

  
Dropped by
MD5 e054c0cb4cfd40c54c3ae5fbf9ed48d6
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/75176/
  
Dropped by
SHA256 a4fc41792c7f57ed550bb25c64abec59d54fff947987c2455e6068786e786bf0

Comments