MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 782034e7edabb7bffb20511c30d90c642602d81dd4a15bfeaa5969307ddc4f34. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 782034e7edabb7bffb20511c30d90c642602d81dd4a15bfeaa5969307ddc4f34
SHA3-384 hash: bd7be86d278ee3db93f176b09c0cf063a9404aeb8b757de6afa38c7fcb1d87ecf49970600fa6375adf03dff881891883
SHA1 hash: 049ac47362afd6c5d8fbb8694af8221ca334f9cf
MD5 hash: 671c65be52e62e141f9bae803cb66c14
humanhash: sierra-blossom-delaware-kentucky
File name:DHL_119040 documento de recibo,pdf.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'042'114 bytes
First seen:2020-11-06 07:05:59 UTC
Last seen:2020-11-06 08:43:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4200abc8996b175d017a27c24840eda2 (5 x ModiLoader, 1 x Loki)
ssdeep 12288:WuQSAIeXjs8BQPtd+TuaCzhnycIZTtkOFy2QSTgFRwoaQtkljsWF/sWF9HT:RRMj/BQPSTuVByrthFpQSMXwoh85
Threatray 1'230 similar samples on MalwareBazaar
TLSH 74259EA2A680D432D09315B84D5B97FC783DBEE02D24585B3BE4DE0C5F3A781B53A25B
Reporter abuse_ch
Tags:DHL exe ModiLoader


Avatar
abuse_ch
Malspam distributing ModiLoader:

HELO: mailer8.netsurf.it
Sending IP: 109.233.122.206
From: DHL Express Cargo <delivery@dhl.com>
Subject: RE: ENTREGA DE CARGA DHL
Attachment: DHL_119040 documento de recibo,pdf.iso (contains "DHL_119040 documento de recibo,pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
70
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Launching the default Windows debugger (dwwin.exe)
Result
Threat name:
Remcos ModiLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/522201
Signature
Allocates memory in foreign processes
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Fodhelper UAC Bypass
Sigma detected: Remcos
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected ModiLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 310205 Sample: DHL_119040 documento de rec... Startdate: 06/11/2020 Architecture: WINDOWS Score: 100 49 Malicious sample detected (through community Yara rule) 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 Detected Remcos RAT 2->53 55 11 other signatures 2->55 8 DHL_119040 documento de recibo,pdf.exe 1 16 2->8         started        13 Ojxhdrv.exe 14 2->13         started        15 Ojxhdrv.exe 13 2->15         started        process3 dnsIp4 43 cdn.discordapp.com 162.159.133.233, 443, 49718, 49728 CLOUDFLARENETUS United States 8->43 39 C:\Users\user\AppData\Local\...\Ojxhdrv.exe, PE32 8->39 dropped 57 Writes to foreign memory regions 8->57 59 Allocates memory in foreign processes 8->59 61 Creates a thread in another existing process (thread injection) 8->61 17 notepad.exe 4 8->17         started        20 ieinstal.exe 2 8->20         started        45 162.159.130.233, 443, 49725 CLOUDFLARENETUS United States 13->45 63 Multi AV Scanner detection for dropped file 13->63 65 Injects a PE file into a foreign processes 13->65 23 ieinstal.exe 13->23         started        47 192.168.2.1 unknown unknown 15->47 25 ieinstal.exe 15->25         started        file5 signatures6 process7 dnsIp8 37 C:\Users\Public37atso.bat, ASCII 17->37 dropped 27 cmd.exe 1 17->27         started        29 cmd.exe 1 17->29         started        41 insidelife1.ddns.net 216.38.7.231, 49726, 8811 ASN-GIGENETUS United States 20->41 file9 process10 process11 31 conhost.exe 27->31         started        33 reg.exe 1 1 27->33         started        35 conhost.exe 29->35         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/782034e7edabb7bffb20511c30d90c642602d81dd4a15bfeaa5969307ddc4f34/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2020-11-05 06:24:52 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=paqdjz7nvo3376zakeodbwimmqtafwa52sqvx7vklfuta7o4j42a._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0abf0f61f1a7805aedb6e7b825de9ab83042f00d7ed6f0af817e45fe5c67c7bd
ModiLoader
31963673bc347fe4a6c795c90a0bcbddbf701158feab1b831bce2b082aeacf7f
ModiLoader
40ac0f2418edf402cc41fbb78bb902a261df8b6fb3355574accbf894f81b85b8
ModiLoader
46ff7f6619eda7e3b2c5b36a2d3f21b154749d31ae2695c4d23c992361ce1f58
ModiLoader
5b1f1843bbb992e3d5c635aa69d8409de4ae4d3f04cf19994d8e953e99cf451a
ModiLoader
5b6f4a000f03183f2bbbebf07130189f5f5b9617dba37f9b90980ec228ba8180
ModiLoader
9b60c965a1425ff01954ce6a917cb4486d5af5cb36f538233139042ea324a64e
ModiLoader
9f6b63a12d79521712f768014b6b5f67b363c7a1dc4d42d356056b69979ac293
ModiLoader
c358b44f578fd2dedbb1899038415395ae2052c113aaa149481cde295e022bda
ModiLoader
e6466ffe692dee0c3fef6cc053389a2bb2a6764a10c687801733cc5f8c5f19d1
ModiLoader
+ 1'220 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos persistence rat trojan
Link:
https://tria.ge/reports/201106-t5x9cpzxj2/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious use of WriteProcessMemory
Modifies registry class
Adds Run key to start application
ModiLoader First Stage
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
Unpacked files
SH256 hash:
782034e7edabb7bffb20511c30d90c642602d81dd4a15bfeaa5969307ddc4f34
MD5 hash:
671c65be52e62e141f9bae803cb66c14
SHA1 hash:
049ac47362afd6c5d8fbb8694af8221ca334f9cf
Link:
https://www.unpac.me/results/18c95d67-1098-49d2-a3da-996fedd7a855/
SH256 hash:
5f024670eb7a3bc4db9275b056aae0ecc88b896bfd0142ce2a27fe3d33106670
MD5 hash:
78ea5cb15bc928c1886043baa35930a7
SHA1 hash:
3dbd8b412cf6841b541a2cc24d123de9f7988e69
Link:
https://www.unpac.me/results/18c95d67-1098-49d2-a3da-996fedd7a855/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

iso 9887e8eb663c0613e4321090dbfa5c10ce4c8c1be1008f5b08d985aead68943b

ModiLoader

Executable exe 782034e7edabb7bffb20511c30d90c642602d81dd4a15bfeaa5969307ddc4f34

(this sample)

  
Dropped by
MD5 4002ff5fd1698d6069568b3ab050d8e7
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 9887e8eb663c0613e4321090dbfa5c10ce4c8c1be1008f5b08d985aead68943b

Comments