MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac0c607a38214d7bf1cdfe073a5656d3565d4af43f4591702b398df6c36fd834. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac0c607a38214d7bf1cdfe073a5656d3565d4af43f4591702b398df6c36fd834
SHA3-384 hash: ad981fdca194883bb7f553950e7246a64b62b50b413c9a891b6ef9b6bda6f89597b8cff7de45761a6ebc24b9fbb43aa6
SHA1 hash: 03475997b566f167826e2394ad0b0e5d8ef82999
MD5 hash: c5144375e46344d6abb9784c2f477504
humanhash: muppet-connecticut-cup-cold
File name:EIVEDHTY.EXE
Download: download sample
Signature ModiLoader
Create hunting rule
File size:838'656 bytes
First seen:2021-06-25 06:20:33 UTC
Last seen:2021-06-25 06:53:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash da178bf3a0222ee4f058fcebd7c1ef62 (1 x ModiLoader, 1 x Formbook, 1 x DBatLoader)
ssdeep 12288:IIDlXMiKYI/rv5zsThfj3lDx4TSVnb7x3cKf/jhgnfPnbetkkkSd:IGtKYI/9wTBVSTSpb7x3c4/jld
Threatray 233 similar samples on MalwareBazaar
TLSH 37057CE1B75004F1E517763ADC1AB6E5B43C7EE0291498C2AAE87E0F3F35782745A06B
Reporter cocaman
Tags:DHL exe ModiLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
EIVEDHTY.EXE
Verdict:
Malicious activity
Analysis date:
2021-06-25 06:23:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/439ec9ca-9373-49d6-8a42-cd51eefc5900

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BitRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/168228/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AVE_MARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c677ccdd-332b-430c-be44-2984ff6aaba0
Result
Threat name:
BitRAT Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/807930
Signature
Creates a thread in another existing process (thread injection)
Hides threads from debuggers
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected BitRAT
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 440342 Sample: EIVEDHTY.EXE Startdate: 25/06/2021 Architecture: WINDOWS Score: 88 44 u876134.nvpn.to 2->44 52 Multi AV Scanner detection for submitted file 2->52 54 Yara detected BitRAT 2->54 56 Yara detected Xmrig cryptocurrency miner 2->56 9 EIVEDHTY.EXE 1 24 2->9         started        14 Eivedht.exe 13 2->14         started        16 Eivedht.exe 14 2->16         started        signatures3 process4 dnsIp5 48 cdn.discordapp.com 162.159.129.233, 443, 49730, 49731 CLOUDFLARENETUS United States 9->48 42 C:\Users\Public\Libraries\...ivedht.exe, PE32 9->42 dropped 60 Writes to foreign memory regions 9->60 62 Creates a thread in another existing process (thread injection) 9->62 64 Injects a PE file into a foreign processes 9->64 18 secinit.exe 1 9->18         started        22 cmd.exe 1 9->22         started        24 cmd.exe 1 9->24         started        50 162.159.130.233, 443, 49747, 49758 CLOUDFLARENETUS United States 14->50 66 Multi AV Scanner detection for dropped file 14->66 26 secinit.exe 14->26         started        28 DpiScaling.exe 16->28         started        file6 signatures7 process8 dnsIp9 46 u876134.nvpn.to 194.5.98.145, 2405, 49746, 49748 DANILENKODE Netherlands 18->46 58 Hides threads from debuggers 18->58 30 reg.exe 1 22->30         started        32 conhost.exe 22->32         started        34 cmd.exe 1 24->34         started        36 conhost.exe 24->36         started        signatures10 process11 process12 38 conhost.exe 30->38         started        40 conhost.exe 34->40         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ac0c607a38214d7bf1cdfe073a5656d3565d4af43f4591702b398df6c36fd834/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-06-25 06:21:14 UTC
AV detection:
23 of 46 (50.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vqgga6ryefgxx4on7ydtuvsw2nlf2sxuh5czc4blhgg7nq3p3a2a._file
Verdict:
malicious
Similar samples:
028fb2b55806708dc61ab34ad360998449e5710eca9d0f85cae4987c6144acf6
ModiLoader
266321f3918aa86a1b7915453a294ca5c36bf2072647b549cdd35f526b3375a3
ModiLoader
29579f8372f95ea79bff6b28fd59625b3acb14797216742d93a110b3fa950d40
ModiLoader
4d345d3e9341f12df8e933686d66efde41d0ba682e67b8a3d23064b35b400429
ModiLoader
7a66553c936c327966af58c1b967b05767bfab5a68660dbcb79fb0724401e32c
ModiLoader
7df259f7873239aee108522c3efd6fca233db83a268a3c9fad4766994c5a029d
ModiLoader
92258f992fbf15509591d96b11cb50eda41cf0c19f35fdd089c311ca5eace947
ModiLoader
9eaf84474a458ff7b9847687ed30ab6533a54c5ae028a2ec14885884440975f7
ModiLoader
a945b79aac37747c2662abfbddce86f26b20f3f789c05999ffae204a69115edd
ModiLoader
ded8b59c294e753dda9510f0f4164d94d7a409592f60939e4912c9e9f0aeb841
ModiLoader
+ 223 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader persistence trojan upx
Link:
https://tria.ge/reports/210625-rpbqtra5bs/
Behaviour
Modifies registry key
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
UPX packed file
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
a962b300b10f701e3a3c8b4691a11161dd919a542e3ee79b890bfef413c15aa8
MD5 hash:
78c33a69fd2a9e77abcd07eed8b13cf7
SHA1 hash:
dc698bff43357d0e1b5e9c8ccfdf28e2a190aa02
Link:
https://www.unpac.me/results/76843868-45bf-406b-802c-7ca3a1277d09/
SH256 hash:
ac0c607a38214d7bf1cdfe073a5656d3565d4af43f4591702b398df6c36fd834
MD5 hash:
c5144375e46344d6abb9784c2f477504
SHA1 hash:
03475997b566f167826e2394ad0b0e5d8ef82999
Link:
https://www.unpac.me/results/76843868-45bf-406b-802c-7ca3a1277d09/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ac0c607a38214d7bf1cdfe073a5656d3565d4af43f4591702b398df6c36fd834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

img 3bc97524433efa4870005e3e51ed2dc9e9574448b4dd9c9a6edf6c4674d1c495

ModiLoader

Executable exe ac0c607a38214d7bf1cdfe073a5656d3565d4af43f4591702b398df6c36fd834

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 3bc97524433efa4870005e3e51ed2dc9e9574448b4dd9c9a6edf6c4674d1c495
Cape
Cape
https://www.capesandbox.com/analysis/168228/

Comments