MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51966d322a39d2b7c08c85a58e19b558ab678862385be75ab90e69b84fde583f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 51966d322a39d2b7c08c85a58e19b558ab678862385be75ab90e69b84fde583f
SHA3-384 hash: 2609d7848a2ddf6caac400d3b65bdfa7a2ffb4befe129788701bf7bea0e737ee469db10e091eb74a2272ad4cf41b1afe
SHA1 hash: 306ca2a87ee14d0d98c3aefc2d44d763fcb18904
MD5 hash: 08a52cf16a9045938a367bfe488f1009
humanhash: video-black-wisconsin-mockingbird
File name:Scan_17-08-2020 AFSLC INV#0002932.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:792'937 bytes
First seen:2020-08-17 13:55:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 925501b726051625fb692aeb5906e244 (7 x ModiLoader, 2 x RemcosRAT, 1 x NetWire)
ssdeep 12288:vgAk0EFhcIK4FpC8FkjqwXRZtyjHqXt4ONWe744bmhiSEAlUgBYj:4MCc4FpC8Fkjb0jytrXF0rE
Threatray 437 similar samples on MalwareBazaar
TLSH 21F49EE2E2808437C1332A77DD1B9E9968267F513E28DC466BE41D4C4F3A7D1783A197
Reporter abuse_ch
Tags:exe ModiLoader


Avatar
abuse_ch
Malspam distributing ModiLoader:

HELO: eeac.ae
Sending IP: 104.129.2.91
From: "SHAKIR PARKAR" <s.finance@eeac.ae>
Subject: CHARTER INVOICES FOR FLIGHT DATE 14-AUG-2020
Attachment: Scan_17-08-2020 AFSLC INV0002932.r00 (contains "Scan_17-08-2020 AFSLC INV#0002932.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/47064/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Deleting a recently created file
Setting a single autorun event
Unauthorized injection to a system process
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/433662
Signature
Allocates memory in foreign processes
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Tries to steal Mail credentials (via file access)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected Keylogger Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 269209 Sample: Scan_17-08-2020 AFSLC INV#0... Startdate: 17/08/2020 Architecture: WINDOWS Score: 100 43 Malicious sample detected (through community Yara rule) 2->43 45 Yara detected AveMaria stealer 2->45 47 Contains functionality to hide user accounts 2->47 49 6 other signatures 2->49 8 Scan_17-08-2020 AFSLC INV#0002932.exe 1 15 2->8         started        13 Uppnsec.exe 13 2->13         started        15 Uppnsec.exe 13 2->15         started        process3 dnsIp4 35 cdn.discordapp.com 162.159.133.233, 443, 49728, 49744 CLOUDFLARENETUS United States 8->35 37 discord.com 162.159.138.232, 443, 49727, 49743 CLOUDFLARENETUS United States 8->37 31 C:\Users\user\AppData\Local\Uppnsec.exe, PE32 8->31 dropped 57 Writes to foreign memory regions 8->57 59 Allocates memory in foreign processes 8->59 61 Creates a thread in another existing process (thread injection) 8->61 63 Injects a PE file into a foreign processes 8->63 17 ieinstal.exe 3 2 8->17         started        21 notepad.exe 4 8->21         started        39 162.159.134.233, 443, 49742 CLOUDFLARENETUS United States 13->39 41 162.159.137.232, 443, 49741 CLOUDFLARENETUS United States 13->41 65 Machine Learning detection for dropped file 13->65 file5 signatures6 process7 dnsIp8 33 story43.ddns.net 84.38.135.151, 3670, 49740 DATACLUBLV Latvia 17->33 51 Tries to steal Mail credentials (via file access) 17->51 53 Increases the number of concurrent connection per server for Internet Explorer 17->53 55 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->55 23 cmd.exe 1 21->23         started        25 cmd.exe 1 21->25         started        signatures9 process10 process11 27 conhost.exe 23->27         started        29 conhost.exe 25->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/51966d322a39d2b7c08c85a58e19b558ab678862385be75ab90e69b84fde583f/
Threat name:
Win32.Trojan.DelfInject
Create hunting rule
Status:
Malicious
First seen:
2020-08-17 05:00:36 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kglg2mrkhhjlpqemqwsy4gnvlcvwpcdchbn6owvzbzu3qt66la7q._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
4159a61a7c0571bee10a33f8d05ef51de606960476f66a00efcced87680be615
ModiLoader
4fa4af45c70295513c486589c0e36e7436be6abbf3c75e97b544db959e9dfcb5
ModiLoader
57f4246d683336ab606ba5831ce88a0ff47a42de652f72795fe76169195821e1
ModiLoader
60d7b2ab0fb53d37576c2edd50231cc82e87d0c0cee85afddac247cb795164c3
ModiLoader
7ff8f569a151047f25f2f858e562e4b5b54d9af822105780f6c8a91ec4740124
ModiLoader
90d5792fd0a2ab859f120bef8f12a28c8f7e4119a43054c22db57e76c7b386a0
ModiLoader
b44646b530b067dadca8a6b31582efa9b9738c068a209af3b1bb4d403bd574fc
ModiLoader
b58c0db88d6026043bc0db1b5072cd2be7b0ceabf750a9d7275794d69fc04fe1
ModiLoader
bfea5a7839b0a45d3e0074b6e3882ada8f6aa913cf7e0d08ba290a49af855596
ModiLoader
fd5a7b200d38d962d9dc74639994bb1ecf989ecc189a5c2d06bc5196120f4ea5
ModiLoader
+ 427 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/200817-x9lz5q1wfs/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious use of WriteProcessMemory
Modifies registry key
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Adds Run key to start application
JavaScript code in executable
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tibs
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/51966d322a39d2b7c08c85a58e19b558ab678862385be75ab90e69b84fde583f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

r00 7a7a73d7642bccd06be09f9331a0b955dd735390a03d6a4499adb9a1c371c60d

ModiLoader

Executable exe 51966d322a39d2b7c08c85a58e19b558ab678862385be75ab90e69b84fde583f

(this sample)

  
Dropped by
MD5 d5e1c74dd2fb6b4e73debfa75c1ffe2d
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/47064/
  
Dropped by
SHA256 7a7a73d7642bccd06be09f9331a0b955dd735390a03d6a4499adb9a1c371c60d

Comments