MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56a571913ec8c7c4e9c936ac2625f36478147528542a2e291d6ad2cc4a7aab58. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 56a571913ec8c7c4e9c936ac2625f36478147528542a2e291d6ad2cc4a7aab58
SHA3-384 hash: 2ec00c228343ef757ddd0c0b37563bfa1f848ed0686c0dee3c830b65532d0aae9921bda77bbdbc6059f9cf37b2bead22
SHA1 hash: b3c83263ddca61d29b5b2e3351bc23a40b4116ea
MD5 hash: 4776632e3c4a24e4a0d8a63061070c24
humanhash: undress-cup-fix-oxygen
File name:RFQPR2000293356.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'060'184 bytes
First seen:2020-12-09 11:01:33 UTC
Last seen:2020-12-09 13:02:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b533f6ccb714ea0a0f83e1cff60dbfe0 (8 x ModiLoader, 2 x RemcosRAT)
ssdeep 24576:vklbZpRNhPXNH/yLjaKuOfl4bE7D/cX+2hu0aQ:vkhRXNNKuOt4U/2vhuxQ
Threatray 570 similar samples on MalwareBazaar
TLSH D235BFE2F2D1457EF1320570DD079579A828EE182E8E9C4627FD2E0C4F796C6381B99B
Reporter abuse_ch
Tags:exe ModiLoader


Avatar
abuse_ch
Malspam distributing ModiLoader:

HELO: s15-116-232.thcservers.com
Sending IP: 91.235.116.232
From: Sayumporn Sinworn <sayumporn-sinworn@pioneer-thailand.com>
Reply-To: sayumporn-sinworn@pioneer-thailand.com
Subject: RFQ PR 2000293356
Attachment: RFQPR2000293356.rar (contains "RFQPR2000293356.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
113
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQPR2000293356.exe
Verdict:
No threats detected
Analysis date:
2020-12-09 11:54:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c3db0861-87d3-4cb1-85a1-6127a0f97d3c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/107450/
Detection(s):
PUA.Win.Trojan.Generic-6629274-0
Create hunting rule

PUA.Win.Adware.Qjwmonkey-6892535-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
NetWire
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/558913
Signature
Allocates memory in foreign processes
Contains functionality to log keystrokes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NetWire
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 328550 Sample: RFQPR2000293356.exe Startdate: 09/12/2020 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 6 other signatures 2->42 6 Elyldrv.exe 14 2->6         started        10 RFQPR2000293356.exe 1 16 2->10         started        13 Elyldrv.exe 13 2->13         started        process3 dnsIp4 24 162.159.134.233, 443, 49728 CLOUDFLARENETUS United States 6->24 26 162.159.137.232, 443, 49727 CLOUDFLARENETUS United States 6->26 44 Multi AV Scanner detection for dropped file 6->44 46 Writes to foreign memory regions 6->46 48 Allocates memory in foreign processes 6->48 15 ieinstal.exe 6->15         started        28 cdn.discordapp.com 162.159.133.233, 443, 49719 CLOUDFLARENETUS United States 10->28 30 discord.com 162.159.138.232, 443, 49718, 49733 CLOUDFLARENETUS United States 10->30 22 C:\Users\user\AppData\Local\...lyldrv.exe, PE32 10->22 dropped 50 Creates a thread in another existing process (thread injection) 10->50 52 Injects a PE file into a foreign processes 10->52 18 ieinstal.exe 2 10->18         started        32 162.159.135.233, 443, 49734 CLOUDFLARENETUS United States 13->32 20 ieinstal.exe 13->20         started        file5 signatures6 process7 dnsIp8 34 waxb.ddns.net 185.140.53.129, 3871, 49722, 49729 DAVID_CRAIGGG Sweden 18->34
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/56a571913ec8c7c4e9c936ac2625f36478147528542a2e291d6ad2cc4a7aab58/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-12-09 08:48:05 UTC
AV detection:
27 of 28 (96.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k2sxdej6zdd4j2ojg2wcmjptmr4bi5jikqvc4ki5nljmyst2vnma._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
040a69fe6d68904cbb33cffa3930c2a9d2d4a16377c730e8db78386034e1bfd3
ModiLoader
2928d0d53b459f6b822fd781360a743b3548f31c31c012ba8a25b42235aff154
ModiLoader
42808813b67b34a144d03a26fb5a9cf6cd59e185e58d73750585654c09242e5b
ModiLoader
49551fe3b312425f0a4f946b3a6eb9044bc7b2b7b1665288153295677384509e
ModiLoader
8546c35ea3d72e58b06dbcdb3d790fe9d39772ec986a2b89c406daab67efe79b
ModiLoader
85c2475f5bb564338727b25d030019e2ec0f08a9892df26024e45339ef3c0792
ModiLoader
8e3dd0c0c4913e5eb7de42a42bea5c3ff396542ee47737ed9eeb3b5439e95c6b
ModiLoader
ca56f164e3387d34ca23f7d609648ce13fb36596ec8bde7608abc8502e4f26cb
ModiLoader
e6c265d43fd926038d77f0caf1773f93c5d684fb2fce4af1f4474982eb494762
ModiLoader
f862eb253778c7b1c35349d798736124d7ee97db446217b2e5962fe2431d1e46
ModiLoader
+ 560 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:netwire botnet persistence stealer trojan
Link:
https://tria.ge/reports/201209-tnp7k9fka2/
Behaviour
Modifies system certificate store
Suspicious use of WriteProcessMemory
Adds Run key to start application
ServiceHost packer
ModiLoader, DBatLoader
Netwire
Unpacked files
SH256 hash:
0029ae468645fd6a0dec170ab13b11984d937204908ffcf3c636206dfb99affc
MD5 hash:
6f176b84516a9735e3dec241243ea7cb
SHA1 hash:
3b3b161bff6b4ede45f61ae2102d657f8e580dd5
Link:
https://www.unpac.me/results/d5a066c2-49a8-4cad-aa34-eaed6a52f395/
SH256 hash:
56a571913ec8c7c4e9c936ac2625f36478147528542a2e291d6ad2cc4a7aab58
MD5 hash:
4776632e3c4a24e4a0d8a63061070c24
SHA1 hash:
b3c83263ddca61d29b5b2e3351bc23a40b4116ea
Link:
https://www.unpac.me/results/d5a066c2-49a8-4cad-aa34-eaed6a52f395/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/56a571913ec8c7c4e9c936ac2625f36478147528542a2e291d6ad2cc4a7aab58

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

rar fc636d2831a1620aa41ce4a64e53ddf5a3d9ee549dc211ffbf17f1116422d676

ModiLoader

Executable exe 56a571913ec8c7c4e9c936ac2625f36478147528542a2e291d6ad2cc4a7aab58

(this sample)

  
Dropped by
MD5 f157da56daa41976c5a6dbf53d18961e
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/107450/
  
Dropped by
SHA256 fc636d2831a1620aa41ce4a64e53ddf5a3d9ee549dc211ffbf17f1116422d676

Comments