MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41839aa5e4d72dfb5b544550588a3b18e83b45c64193e96236ddaca0527e303e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 41839aa5e4d72dfb5b544550588a3b18e83b45c64193e96236ddaca0527e303e
SHA3-384 hash: 1345c135acc804c1afaab55dc511ec78ccb3ec4420243290a03ad3975ad73b2193634d5fab9925ece93a3f5e3b27f45d
SHA1 hash: 51f2ce12096040a1d618adbfa7b4aea04fc4c7b3
MD5 hash: 48d66645d7831bd05d3dcf5701420d1d
humanhash: blue-venus-arkansas-sierra
File name:DHL_541322.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'319'768 bytes
First seen:2020-10-09 09:12:36 UTC
Last seen:2020-10-09 10:12:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7d3e89b16ba0d66bb1ffb3848ff742e0 (4 x ModiLoader, 1 x RemcosRAT)
ssdeep 12288:vonlgoDygsQFgvMGgxZpjKvtg+7agQNVTIR+Zixf0McyUu3jhpny2L:volgVfZvMhQRxW01nzy8
Threatray 983 similar samples on MalwareBazaar
TLSH 29557E12B281DC36D1E21E39DD1BD2B8D926BE406D27A48737E43F4DBF353513A26292
Reporter abuse_ch
Tags:DHL exe ModiLoader


Avatar
abuse_ch
Malspam distributing ModiLoader:

HELO: jovial-wilbur.52-162-254-219.plesk.page
Sending IP: 65.52.56.105
From: DHL <support@dhl.com>
Subject: Your AWB Shipment Has Arrived
Attachment: DHL_541322.IMG (contains "DHL_541322.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69515/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Setting a global event handler for the keyboard
Sending a TCP request to an infection source
Unauthorized injection to a system process
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/486568
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Fodhelper UAC Bypass
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 295730 Sample: DHL_541322.exe Startdate: 09/10/2020 Architecture: WINDOWS Score: 100 51 Multi AV Scanner detection for domain / URL 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Antivirus / Scanner detection for submitted sample 2->55 57 11 other signatures 2->57 8 Sbkjnek.exe 13 2->8         started        12 DHL_541322.exe 1 15 2->12         started        15 Sbkjnek.exe 13 2->15         started        process3 dnsIp4 43 162.159.129.233, 443, 49752, 49756 CLOUDFLARENETUS United States 8->43 45 162.159.136.232, 443, 49750, 49751 CLOUDFLARENETUS United States 8->45 59 Antivirus detection for dropped file 8->59 61 Multi AV Scanner detection for dropped file 8->61 63 Machine Learning detection for dropped file 8->63 17 ieinstal.exe 8->17         started        47 cdn.discordapp.com 162.159.134.233, 443, 49733 CLOUDFLARENETUS United States 12->47 49 discord.com 162.159.137.232, 443, 49731, 49732 CLOUDFLARENETUS United States 12->49 39 C:\Users\user\AppData\Local\...\Sbkjnek.exe, PE32 12->39 dropped 65 Writes to foreign memory regions 12->65 67 Allocates memory in foreign processes 12->67 69 Creates a thread in another existing process (thread injection) 12->69 19 notepad.exe 4 12->19         started        22 ieinstal.exe 2 3 12->22         started        71 Injects a PE file into a foreign processes 15->71 25 ieinstal.exe 15->25         started        file5 signatures6 process7 dnsIp8 37 C:\Users\Public37atso.bat, ASCII 19->37 dropped 27 cmd.exe 1 19->27         started        29 cmd.exe 1 19->29         started        41 boot.awsmppl.com 185.165.153.126, 2266, 49749 DAVID_CRAIGGG Netherlands 22->41 file9 process10 process11 31 conhost.exe 27->31         started        33 reg.exe 1 1 27->33         started        35 conhost.exe 29->35         started       
Detection:
dbatloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/41839aa5e4d72dfb5b544550588a3b18e83b45c64193e96236ddaca0527e303e/
Threat name:
Win32.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-10-08 20:40:37 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=igbzvjpe24w7ww2uivifrcr3ddudwrogigj6syrw3wwkaut6ga7a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
37c2608ad09b3f6d0cd33476b8f6bf6fefd1a0f2408657072da80a0454da7e6f
ModiLoader
53136d19559089e0674af4ad81621b99a031741edcc486eb3d402fd180b1b77e
ModiLoader
54cdc9b1ede5661104e61f012de44e010500744c2b3003a6ffaff2f3f6eded34
ModiLoader
7a7eae36a54dada555db57bd8f24e4a38a9b0f0432e13d19b16b538deb5e4142
ModiLoader
96359e31d13a327a3d1de808c5420193be3691628da4f409d8d5ed14be35b038
ModiLoader
a1c561c21720c4f1c3626276db6afc2c12b1aae9304c78518763eb78454f84b8
ModiLoader
c2109f44d6d608cb821ea28489e75dbf7c7c18731918f8171bab7445db6e8599
ModiLoader
c86bcfe4e22cb50054b44e38fc4fb79624c4ed5bf9a26174754dbb5c1a6baff8
ModiLoader
daca967edea399a394a8fc24d5ee647d95dc6dadd9dd21e2945ae7a742b3aed8
ModiLoader
deeeb57609c406b43e7e77a38726a357ab063d110c06e4f1c56eb491c20659ce
ModiLoader
+ 973 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
rat family:remcos persistence trojan family:modiloader
Link:
https://tria.ge/reports/201009-xv16ltk87x/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader First Stage
ModiLoader, DBatLoader
Remcos
Unpacked files
SH256 hash:
41839aa5e4d72dfb5b544550588a3b18e83b45c64193e96236ddaca0527e303e
MD5 hash:
48d66645d7831bd05d3dcf5701420d1d
SHA1 hash:
51f2ce12096040a1d618adbfa7b4aea04fc4c7b3
Link:
https://www.unpac.me/results/e455619a-9bf5-49ae-8f01-9709a3fa0393/
SH256 hash:
4ef7dcd28ba7b205f5d7d9c1b83244616291628ba03b921da1c23c3d9a78e0d8
MD5 hash:
62feb9fd161b9716117316082a0f4eee
SHA1 hash:
57dbb3f5d75a7e025bc316bb9e454638038a95e1
Detections:
win_dbatloader_g0
Create hunting rule
win_dbatloader_auto
Create hunting rule
Link:
https://www.unpac.me/results/e455619a-9bf5-49ae-8f01-9709a3fa0393/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/41839aa5e4d72dfb5b544550588a3b18e83b45c64193e96236ddaca0527e303e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_dbatloader_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

img 0c7d833cc50f7885a88268774eae967c30bcb15b0d1253bace2442ca4d71a755

ModiLoader

Executable exe 41839aa5e4d72dfb5b544550588a3b18e83b45c64193e96236ddaca0527e303e

(this sample)

  
Dropped by
MD5 7ee548470335b554f426074c02f802f2
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69515/
  
Dropped by
SHA256 0c7d833cc50f7885a88268774eae967c30bcb15b0d1253bace2442ca4d71a755

Comments