MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d322ecc6fcc290df5cad72839e39862e84be629b7debc71474f5760e4430019. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4d322ecc6fcc290df5cad72839e39862e84be629b7debc71474f5760e4430019
SHA3-384 hash: 804ccd9535338bf6fa7e0c66825308ce9b15e8f2f95868fedbb502e15ae819a3672ada1312f5df13ceac15783ebdff49
SHA1 hash: fed23fb1777503137c021d0344417dc7f408f890
MD5 hash: f83419002a5df379139cb19f976fd5cf
humanhash: bravo-timing-six-maine
File name:DHL PARCEL INFORMATION.SCR
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'220'096 bytes
First seen:2020-11-05 09:13:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash eb7f24d623823df7a34ad95dfb8bfd95 (15 x ModiLoader, 1 x AveMariaRAT, 1 x Loki)
ssdeep 24576:Q0S5Bo6taFaaRKDZAI89d6yzEJR4CpQSMTVHfo:QpjExRbzEJuCpRMT
Threatray 557 similar samples on MalwareBazaar
TLSH 89455B72F640D431E42229755D1BC6FCA43ABDB02D24940A7BE9EF5C2E362D3B936247
Reporter abuse_ch
Tags:DHL ModiLoader scr


Avatar
abuse_ch
Malspam distributing ModiLoader:

HELO: vepo.donoralpha.com
Sending IP: 111.118.214.86
From: Express-dhl <express@dhl.com>
Reply-To: dhlexprexx@protonmail.com
Subject: DHL Express service
Attachment: DHL PARCEL INFORMATION.zip (contains "DHL PARCEL INFORMATION.SCR")

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/83131/
Detection(s):
SecuriteInfo.com.Fareit-FZO82C53D0CF1F4.16975.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Connection attempt
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Result
Threat name:
AveMaria ModiLoader
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/521124
Signature
Allocates memory in foreign processes
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Fodhelper UAC Bypass
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected ModiLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 309660 Sample: DHL PARCEL  INFORMATION.SCR Startdate: 05/11/2020 Architecture: WINDOWS Score: 100 46 Malicious sample detected (through community Yara rule) 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 Yara detected ModiLoader 2->50 52 6 other signatures 2->52 8 DHL PARCEL  INFORMATION.exe 1 16 2->8         started        13 Dnxodrv.exe 14 2->13         started        15 Dnxodrv.exe 13 2->15         started        process3 dnsIp4 44 cdn.discordapp.com 162.159.130.233, 443, 49733, 49760 CLOUDFLARENETUS United States 8->44 40 C:\Users\user\AppData\Local\...\Dnxodrv.exe, PE32 8->40 dropped 58 Writes to foreign memory regions 8->58 60 Allocates memory in foreign processes 8->60 62 Creates a thread in another existing process (thread injection) 8->62 17 ieinstal.exe 3 2 8->17         started        21 notepad.exe 4 8->21         started        64 Multi AV Scanner detection for dropped file 13->64 66 Injects a PE file into a foreign processes 13->66 24 ieinstal.exe 1 13->24         started        26 ieinstal.exe 1 15->26         started        file5 signatures6 process7 dnsIp8 42 172.94.44.202, 6606 AS40676US United States 17->42 54 Increases the number of concurrent connection per server for Internet Explorer 17->54 56 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->56 38 C:\Users\Public38atso.bat, ASCII 21->38 dropped 28 cmd.exe 1 21->28         started        30 cmd.exe 1 21->30         started        file9 signatures10 process11 process12 32 conhost.exe 28->32         started        34 reg.exe 1 1 28->34         started        36 conhost.exe 30->36         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4d322ecc6fcc290df5cad72839e39862e84be629b7debc71474f5760e4430019/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-11-04 23:35:44 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=juzc5tdpzquq35ok24udty4ymluexzrjw7ply4khj5lwbzcdaamq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
2484a97154537eeae2439a2f4e5a9191d07b5b342446c6949d7b23318edc3f35
ModiLoader
379157b82516cae86d4fdf3d53accc14f42c537429753c7c8f865ac651292c67
ModiLoader
6534a7953482135c6b462c90fb9d33dcf7ed9094fd42704266debab1cc775524
ModiLoader
6dbd3f42bf990db55372e1e01a3ddb4dbbdf3051fa01492bca882dbc023bb71a
ModiLoader
7406e77d7cbbc5344697900906c5a5930330dcdfba382b22181b41494ace670e
ModiLoader
8eb47be229e6a2bf70d2a46deb714c60ce6d60e335d45fced78879798fa811c9
ModiLoader
a2158f5ab307d2418f9653ea6bfd8914fe390a99137ee96191266c01ba93977a
ModiLoader
a21a0d414080476ea51f99a3d207c12e1e9b15646b39338e989ed817a91429f6
ModiLoader
aae06c61ea30fd920db8caa7e32eefe1b74842affe3fa6d53ce6765f49783ed5
ModiLoader
fc4b29f54e0b3ed0493ba85310a2665ab47e5143f3cb3ce09686f0560dd1ed04
ModiLoader
+ 547 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:warzonerat infostealer persistence rat trojan
Link:
https://tria.ge/reports/201105-ns89byylq6/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
ModiLoader Second Stage
Warzone RAT Payload
ModiLoader, DBatLoader
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
4d322ecc6fcc290df5cad72839e39862e84be629b7debc71474f5760e4430019
MD5 hash:
f83419002a5df379139cb19f976fd5cf
SHA1 hash:
fed23fb1777503137c021d0344417dc7f408f890
Link:
https://www.unpac.me/results/49e24d41-7052-4a3b-a448-784fde76aa1c/
SH256 hash:
5f024670eb7a3bc4db9275b056aae0ecc88b896bfd0142ce2a27fe3d33106670
MD5 hash:
78ea5cb15bc928c1886043baa35930a7
SHA1 hash:
3dbd8b412cf6841b541a2cc24d123de9f7988e69
Link:
https://www.unpac.me/results/49e24d41-7052-4a3b-a448-784fde76aa1c/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

zip 5adcf46e12caa054b87db64183e494df6e9f518d3da1f91c879fdc50469ddcc5

ModiLoader

Executable exe 4d322ecc6fcc290df5cad72839e39862e84be629b7debc71474f5760e4430019

(this sample)

  
Dropped by
MD5 4eda4b66865712828ee615c15619c861
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/83131/
  
Dropped by
SHA256 5adcf46e12caa054b87db64183e494df6e9f518d3da1f91c879fdc50469ddcc5

Comments