MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b0363c3b5a4dd50543d9afdb15e788a209212d030aad3d7f5d111c4259eda21. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7b0363c3b5a4dd50543d9afdb15e788a209212d030aad3d7f5d111c4259eda21
SHA3-384 hash: 038ee0d50ac996e01feeea24cb8e6f01eb965e223ecdb25caa25bc905c2641a945cbdbaf3d5ee4aedb9103b3cbab1c84
SHA1 hash: a160fcf7d1bee1778f06881eaa7123756733faec
MD5 hash: 5945b0aaa192683bb9f56f2f633251ca
humanhash: fillet-beer-video-pluto
File name:Ever Rose Order Specification REF-987NDH.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'049'600 bytes
First seen:2020-11-07 10:24:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'477 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:ztsfrs/JDxQie93SCMfGFidDCHu7O1Gkr:JwrIQTJlMfGFidv7O1p
Threatray 1'035 similar samples on MalwareBazaar
TLSH 492539A4A1B1E35EC43AC4FBEE07783483C49E1DD69D7906D28E7E28123EDC9965F085
Reporter abuse_ch
Tags:exe ModiLoader


Avatar
abuse_ch
Malspam distributing ModiLoader:

HELO: mail0.soundtrav.xyz
Sending IP: 143.110.146.8
From: Ever Rose Co Group<harry@everrose.net>
Subject: Re:回复: Request for Quotation (Tender Opening date: Nov 18, 2020)
Attachment: Ever Rose Order Specification REF-987NDH.rar (contains "Ever Rose Order Specification REF-987NDH.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.1199.7328.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/523800
Signature
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 310996 Sample: Ever Rose Order Specificati... Startdate: 07/11/2020 Architecture: WINDOWS Score: 84 42 Multi AV Scanner detection for submitted file 2->42 44 Yara detected AntiVM_3 2->44 46 Machine Learning detection for sample 2->46 48 2 other signatures 2->48 9 Ever Rose Order Specification REF-987NDH.exe 3 2->9         started        13 Spoler.exe 2 2->13         started        process3 file4 38 Ever Rose Order Sp... REF-987NDH.exe.log, ASCII 9->38 dropped 54 Injects a PE file into a foreign processes 9->54 15 Ever Rose Order Specification REF-987NDH.exe 4 9->15         started        19 Ever Rose Order Specification REF-987NDH.exe 9->19         started        21 Spoler.exe 1 13->21         started        signatures5 process6 dnsIp7 40 discordapp.com 162.159.130.233, 443, 49717 CLOUDFLARENETUS United States 15->40 34 C:\Users\user\AppData\Roaming\...\Spoler.exe, PE32 15->34 dropped 36 C:\Users\user\...\Spoler.exe:Zone.Identifier, ASCII 15->36 dropped 23 Spoler.exe 3 15->23         started        26 conhost.exe 15->26         started        28 conhost.exe 21->28         started        file8 process9 signatures10 50 Multi AV Scanner detection for dropped file 23->50 52 Machine Learning detection for dropped file 23->52 30 Spoler.exe 1 1 23->30         started        process11 process12 32 conhost.exe 30->32         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7b0363c3b5a4dd50543d9afdb15e788a209212d030aad3d7f5d111c4259eda21/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-11-06 20:37:03 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pmbwhq5vutovavb5tl63cxtyriqjeewqgcvnhv7v2ei4ijm63iqq._file
Verdict:
unknown
Similar samples:
00e8d6de1e2450594b8e61c5f8ce0b7c0b0aff075e72e79b7be035203511abbb
ModiLoader
06e8a637cece86663221e6f5a80675a67513a169b188e9014a3729ef6f4ac9d1
ModiLoader
376f3a94cb7d2af93a4a3eefb2bc9cf4972f4f6868ea8309fed1ba83bf81e1e8
ModiLoader
448d1ee4b34c5fb936332394406ed67edf714be610cb633d9580ceb0c64781ce
ModiLoader
768ba740b576d48a67f88e3d3a59ad71003561ad4e95f8e9d9005686ad1ef5e9
ModiLoader
7cf016920f62f4cd984f9fdc9c9976b07888c891b52a8c6c95c47cc3628bde21
ModiLoader
830a35f0de3ba2f90f79bca1d31b28026305edc8c25bc370ba90a9e8ef893b11
ModiLoader
dcd49164183272088d635cfedfb13caba79357c224bcba1bce288c26093200c2
ModiLoader
e0ecb16b450cfcfecdc7f258bfc5597a5718101ac97627018b2846f9c95e18b3
ModiLoader
f50e15e064da178ab886f00bed99a6a96ae3574e5cdd70a08991788818038d11
ModiLoader
+ 1'025 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
persistence
Link:
https://tria.ge/reports/201107-gzbab7qcpx/
Behaviour
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b
MD5 hash:
0aebe46040ceb011e78506d4985fe3de
SHA1 hash:
218ac1e7b14a66c604ec3042f8486bed9cd4c2c1
Link:
https://www.unpac.me/results/f553880c-064e-432b-b8f0-f887b00f6f3f/
SH256 hash:
17208312c58aea7096e4e74721960baaf7700229b26b20b57371418ce2f4b334
MD5 hash:
9aa342314091a5f993e0e0f7dcf1ec76
SHA1 hash:
60b48e89a9a46dc319c2c4c1e7a2d068eedd1a2f
Link:
https://www.unpac.me/results/f553880c-064e-432b-b8f0-f887b00f6f3f/
SH256 hash:
0423658a4d2ff9e2f7568670a959bcfd43020947e5f88153549bea09b96df304
MD5 hash:
cf670adc0bc9092a83c133bb3ff21a13
SHA1 hash:
e92fc19046befae0fb2b46b5d78d02860a502216
Link:
https://www.unpac.me/results/f553880c-064e-432b-b8f0-f887b00f6f3f/
SH256 hash:
7b0363c3b5a4dd50543d9afdb15e788a209212d030aad3d7f5d111c4259eda21
MD5 hash:
5945b0aaa192683bb9f56f2f633251ca
SHA1 hash:
a160fcf7d1bee1778f06881eaa7123756733faec
Link:
https://www.unpac.me/results/f553880c-064e-432b-b8f0-f887b00f6f3f/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

rar 81a0744d12f7600b90397729d6b83a07d08b6f558d09641532e5a42bbabbd282

ModiLoader

Executable exe 7b0363c3b5a4dd50543d9afdb15e788a209212d030aad3d7f5d111c4259eda21

(this sample)

  
Dropped by
MD5 c92c9010b75e8ad8aa8c39fed47a7399
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 81a0744d12f7600b90397729d6b83a07d08b6f558d09641532e5a42bbabbd282

Comments