MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5676023342556347feed6d6f487a3ad4e8820b84f2f80e71d343acf42b9e54f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5676023342556347feed6d6f487a3ad4e8820b84f2f80e71d343acf42b9e54f1
SHA3-384 hash: 1b59eeba7c4654950735b8f0e8103925cd20b4bac6a93c1d1cd57c885e99d49c0fe3529567d4f35ccbef1b311d2b8d99
SHA1 hash: d16ebba0b39d088a53d24ca880bc2efe8c864662
MD5 hash: 805afc559903e221cebffad7f350ab2c
humanhash: carpet-sodium-mockingbird-table
File name:Tuticorin Berth Shipment Invoices Recorded_AUG 2020.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:792'893 bytes
First seen:2020-08-17 13:53:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 925501b726051625fb692aeb5906e244 (7 x ModiLoader, 2 x RemcosRAT, 1 x NetWire)
ssdeep 12288:DgAk0EFhcIK4FpC8FkjqwXRZtyjHqqt4ONWe744bmhiSEAlUgBdj:cMCc4FpC8Fkjb0jTtrXF0rE
Threatray 252 similar samples on MalwareBazaar
TLSH 50F49EE2E2808437C1332A7BDD1B9E9968267F513E28DC466BE41D4C4F3A7D1783A197
Reporter abuse_ch
Tags:exe ModiLoader


Avatar
abuse_ch
Malspam distributing ModiLoader:

HELO: muduvaali.com
Sending IP: 185.222.58.146
From: Muduvaali <info@muduvaali.com>
Subject: RI: Invoice Copy (MV NIUMATH) - Aug 2020 Berth
Attachment: Tuticorin Berth Shipment Invoices Recorded_AUG 2020.r00 (contains "Tuticorin Berth Shipment Invoices Recorded_AUG 2020.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/47053/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Launching cmd.exe command interpreter
Creating a file in the %temp% directory
Deleting a recently created file
Setting a single autorun event
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/433627
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Fodhelper UAC Bypass
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 269175 Sample: Tuticorin Berth Shipment In... Startdate: 17/08/2020 Architecture: WINDOWS Score: 76 51 cdn.onenote.net 2->51 61 Sigma detected: Fodhelper UAC Bypass 2->61 63 Machine Learning detection for sample 2->63 65 Initial sample is a PE file and has a suspicious name 2->65 9 Qdbwsec.exe 13 2->9         started        13 Tuticorin Berth Shipment Invoices Recorded_AUG 2020.exe 1 15 2->13         started        16 Qdbwsec.exe 13 2->16         started        signatures3 process4 dnsIp5 53 162.159.128.233, 443, 49737, 49739 CLOUDFLARENETUS United States 9->53 55 162.159.134.233, 443, 49738 CLOUDFLARENETUS United States 9->55 67 Machine Learning detection for dropped file 9->67 69 Writes to foreign memory regions 9->69 71 Allocates memory in foreign processes 9->71 18 notepad.exe 4 9->18         started        21 ieinstal.exe 9->21         started        57 cdn.discordapp.com 162.159.133.233, 443, 49725, 49740 CLOUDFLARENETUS United States 13->57 59 discord.com 162.159.138.232, 443, 49724 CLOUDFLARENETUS United States 13->59 49 C:\Users\user\AppData\Local\Qdbwsec.exe, PE32 13->49 dropped 73 Creates a thread in another existing process (thread injection) 13->73 75 Injects a PE file into a foreign processes 13->75 23 notepad.exe 4 13->23         started        25 ieinstal.exe 13->25         started        27 notepad.exe 16->27         started        file6 signatures7 process8 file9 47 C:\Users\Public47atso.bat, ASCII 18->47 dropped 29 cmd.exe 1 18->29         started        31 cmd.exe 1 18->31         started        33 cmd.exe 1 23->33         started        35 cmd.exe 1 23->35         started        process10 process11 37 conhost.exe 29->37         started        39 reg.exe 1 29->39         started        41 conhost.exe 33->41         started        43 reg.exe 1 1 33->43         started        45 conhost.exe 35->45         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5676023342556347feed6d6f487a3ad4e8820b84f2f80e71d343acf42b9e54f1/
Threat name:
Win32.Trojan.DelfInject
Create hunting rule
Status:
Malicious
First seen:
2020-08-17 05:37:41 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kz3aem2ckvrup7xnnvxuq6r22tuiec4e6l4a44otiowpik46ktyq._file
Verdict:
malicious
Similar samples:
0755d371e5549b67564d6dfa29600f76226a3dae42acaa8a6d0a82402e57bf86
ModiLoader
3c758c3133fb2a7c7c51b2ec84028759bc99e1f3ca3bc22c1046d90f79801f76
ModiLoader
51966d322a39d2b7c08c85a58e19b558ab678862385be75ab90e69b84fde583f
ModiLoader
53136d19559089e0674af4ad81621b99a031741edcc486eb3d402fd180b1b77e
ModiLoader
58ced5958ea8fea452bbaa34bba957927c391a0d3699542fb3702cdab990c70a
ModiLoader
6fd0a04c0f0097c81deea7eed8ca5a4771411ab17232ecb13d75802373f29763
ModiLoader
701465275b6e24d9c03e00689b1cff2fd1645b5712976bba934f67d042a0c470
ModiLoader
9a20134812ee99ea27f90c22c55eff2020df0bbad574809d9a03ff1cad3a4f43
ModiLoader
aa840ddac1cbded575db7d3ee2d1e3102fd1c35d0a709f42209543f9913e438f
ModiLoader
c10cdf38e26339e4373c7e0a9a119381e703c7b8404ce0ed694fb3aae286d9b9
ModiLoader
+ 242 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat spyware trojan stealer family:formbook persistence
Link:
https://tria.ge/reports/200817-c35an1nkfx/
Behaviour
Modifies Internet Explorer settings
Modifies registry key
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.porcber.com/k50/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5676023342556347feed6d6f487a3ad4e8820b84f2f80e71d343acf42b9e54f1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

r00 ba6498aee9c3f96a43e55c23390d071466710940537ec651679b7451ab228e91

ModiLoader

Executable exe 5676023342556347feed6d6f487a3ad4e8820b84f2f80e71d343acf42b9e54f1

(this sample)

  
Dropped by
MD5 ec16695a8f38d687ba27a4fe76612df2
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/47053/
  
Dropped by
SHA256 ba6498aee9c3f96a43e55c23390d071466710940537ec651679b7451ab228e91

Comments