MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb639bf4f7fe2289c7aac466c738998a83d6057f961c6eee77e51bc4e24eee00. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bb639bf4f7fe2289c7aac466c738998a83d6057f961c6eee77e51bc4e24eee00
SHA3-384 hash: ccfb1cf3896c1d4af0deb877facbf33dee256b2f34d683d8f35234aec6244b9fe2561e7aa237244beab4d3d734b00397
SHA1 hash: f17f92163322a4a4833a5ddac98e5aacd1581bae
MD5 hash: 686e5ac685e3656b18fa45ef7f4660ef
humanhash: beryllium-cat-charlie-avocado
File name:eInvoicing,pdf.scr
Download: download sample
Signature ModiLoader
Create hunting rule
File size:746'256 bytes
First seen:2021-01-19 07:46:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5064414005440c05f6346292b90ee3f2 (7 x RemcosRAT, 3 x Loki, 2 x ModiLoader)
ssdeep 12288:xxVyof7rYaf81stsbFYooXiJ6N6BvUv22o:x7HJf81+sb3Wl6BvU+2o
Threatray 595 similar samples on MalwareBazaar
TLSH 00F47C66A2E44736C12B257D5D2BD775AC25BE0D3D28984E37E43C088F39272382D5AF
Reporter abuse_ch
Tags:DHL ModiLoader scr


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mx-mail-3.vianova.it
Sending IP: 46.44.255.74
From: DHL Express <info@dhlexpressgrp.pw>
Subject: COMMERCIAL INVOICE AND BILL OF LANDING...19/01/2021
Attachment: eInvoicing,pdf.iso (contains "eInvoicing,pdf.scr")

Intelligence

File Origin
# of uploads :
1
# of downloads :
183
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
eInvoicing,pdf.scr
Verdict:
Malicious activity
Analysis date:
2021-01-19 08:07:54 UTC
Tags:
trojan rat azorult
Link:
https://app.any.run/tasks/dae7fdd1-be5a-4c7c-9fff-cee1128c04a0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/112817/
Detection(s):
PUA.Win.Trojan.Generic-6629274-0
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
phis.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/584593
Signature
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Creates a thread in another existing process (thread injection)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bb639bf4f7fe2289c7aac466c738998a83d6057f961c6eee77e51bc4e24eee00/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-19 07:46:23 UTC
AV detection:
13 of 46 (28.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xnrzx5hx7yritr5kyrtmooezrkb5mbl7syog53tx4un4jyso5yaa._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
05a1356768e4475daeebaae76e486705d2d920e7e4d511c1436ea3f9a650c1df
ModiLoader
44b9088e8bd1c22c10d5ea77951a3dda0884a8564187a8f98a4472120f374c91
ModiLoader
525d2170d9907ad53a50dd046051aa84ecafae98f8109f5bca5ceda5984287b9
ModiLoader
5822fa47a5eab9578ec51ee113a156f455c6c8f60ce80d084663c2f31fe25e91
ModiLoader
62173847065d1aa1b93254e623844a1f223a4df4a06499f21b64fe82389fb327
ModiLoader
85a40f3f59fb797494adf184b0dbee2b3d8089e9686b9f484c5242c5a75085a9
ModiLoader
8abbd310dd3e242c31380c26ea16e9ac6380ac3cf53ad94fa368a70fa419abbf
ModiLoader
c63d4581dbe839bdb9865bcb6033e9e0ef459d1c5406e9f4fd3a05f48b46d0f1
ModiLoader
cb34bcf1043d10a15d4a823fe188296e161b88b630f090c8dc644de84b6105ae
ModiLoader
e9bcebb30731ce1c7ecca26eb2d6a717caf06824fd834775e571d4f684f9d279
ModiLoader
+ 585 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:azorult family:modiloader infostealer trojan
Link:
https://tria.ge/reports/210119-mepv53eca6/
Behaviour
Checks processor information in registry
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
JavaScript code in executable
Loads dropped DLL
Azorult
Unpacked files
SH256 hash:
bb639bf4f7fe2289c7aac466c738998a83d6057f961c6eee77e51bc4e24eee00
MD5 hash:
686e5ac685e3656b18fa45ef7f4660ef
SHA1 hash:
f17f92163322a4a4833a5ddac98e5aacd1581bae
Link:
https://www.unpac.me/results/db57c5fe-a8c1-4585-8506-cedb2417a0be/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bb639bf4f7fe2289c7aac466c738998a83d6057f961c6eee77e51bc4e24eee00

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

iso ecccba19ec91e0fd9fd4e599bd95f5f465d5c68bf774f17e7f8e4b3162ccb97b

ModiLoader

Executable exe bb639bf4f7fe2289c7aac466c738998a83d6057f961c6eee77e51bc4e24eee00

(this sample)

  
Dropped by
MD5 6de0721364919a95f26e5464d60d4d7d
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/112817/
  
Dropped by
SHA256 ecccba19ec91e0fd9fd4e599bd95f5f465d5c68bf774f17e7f8e4b3162ccb97b

Comments