MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b44ef524ef77ea1ee0bcb7096b328f6f94a4621df0d15114e8ff43e83483bbc6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ModiLoader

Vendor detections: 8

SHA256 hash: b44ef524ef77ea1ee0bcb7096b328f6f94a4621df0d15114e8ff43e83483bbc6
SHA3-384 hash: b31453f17c9f4544e6f6905fca5cd8132876489a02362b948e57e942f6899de09c8f4c3c6c1e21936069e7214dd54441
SHA1 hash: 38fd7f247f0e87c958fedba1a430c8fb60bba0b4
MD5 hash: 760cff8f2cda554ccbdd63f0fd86cf7d
humanhash: five-hawaii-comet-lamp
File name: Civqczg_Signed_.exe
Signature: ModiLoader
File size: 1'050'776 bytes
First seen: 2020-10-15 11:23:45 UTC
Last seen: 2020-10-15 12:15:51 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: a31ea16644ced8e431e2fe203a7b0361 (15 x ModiLoader, 4 x Loki, 1 x RemcosRAT)
ssdeep: 24576:9FT7lBs40jT0sUbtpW/nAOPq3Sp58wn7nLT6USE/7LYUx5t8SH1V:9vBsxTEi5d7nLT6USE/7kUPtF
Threatray: 442 similar samples on MalwareBazaar
TLSH: D425CF31F3E2CA36F25315318C2B5BB99532BE002A24945A76E63D4D9E367F079392D3
Reporter: abuse_ch
Tags: DHL exe ModiLoader


abuse_ch
Malspam distributing ModiLoader:

From: DHL Express Shipment <dhlSender@dhl.com>
Subject: DHL Express Shipment Confirmation
Attachment: DHL Shipment.gz (contains "Civqczg_Signed_.exe")

Intelligence

File Origin
Number of uploads: 2
Number of downloads: 75
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Unauthorized injection to a recently created process
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.adwa.evad
Score: 100 / 100
Signature
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Fodhelper UAC Bypass
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph: ID 298564, sample Civqczg_Signed_.exe, start date 15/10/2020, architecture WINDOWS, score 100
Sample-level signatures: Multi AV Scanner detection for submitted file; Yara detected AgentTesla; Sigma detected: Fodhelper UAC Bypass
Process tree:
Civqczg_Signed_.exe (started)
  Network: discord.com 162.159.128.233, 443, 49723, 49724 (CLOUDFLARENETUS, United States); cdn.discordapp.com 162.159.129.233, 443, 49725 (CLOUDFLARENETUS, United States)
  Dropped: C:\Users\user\AppData\Local\...\Civqdrv.exe (PE32)
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); 2 other signatures
  Child processes:
    Civqczg_Signed_.exe: Modifies the hosts file
    notepad.exe: drops C:\Users\Public37atso.bat (ASCII); starts cmd.exe (which starts conhost.exe and reg.exe) and a second cmd.exe (which starts conhost.exe)
    wuapihost.exe
Civqdrv.exe (started)
  Network: 162.159.135.233, 443, 49744 (CLOUDFLARENETUS, United States)
  Signatures: Multi AV Scanner detection for dropped file; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Injects a PE file into a foreign processes
  Child process: Civqdrv.exe, which drops C:\Windows\System32\drivers\etc\hosts (ASCII)
Civqdrv.exe (started)
  Network: 162.159.130.233, 443, 49750 (CLOUDFLARENETUS, United States)
Threat name: Win32.Infostealer.Fareit
Status: Malicious
First seen: 2020-10-15 07:50:45 UTC
AV detection: 26 of 29 (89.66%)
Threat level: 5/5
Result
Malware family: modiloader
Score: 10/10
Tags: persistence trojan family:modiloader
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
ModiLoader Second Stage
ModiLoader, DBatLoader
Unpacked files
SHA256 hash: b44ef524ef77ea1ee0bcb7096b328f6f94a4621df0d15114e8ff43e83483bbc6
MD5 hash: 760cff8f2cda554ccbdd63f0fd86cf7d
SHA1 hash: 38fd7f247f0e87c958fedba1a430c8fb60bba0b4

SHA256 hash: d5e65ed2333f906ef70945253f401c11c23fff095142c58c521a4c20f902aa8e
MD5 hash: 4d063a983fb28c30239f129f3e3b99c4
SHA1 hash: 70f2f5e0b14505a2491b304364954ab989c0c209
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
ModiLoader
Executable exe b44ef524ef77ea1ee0bcb7096b328f6f94a4621df0d15114e8ff43e83483bbc6 (this sample)

Delivery method: Distributed via e-mail attachment
