MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca56f164e3387d34ca23f7d609648ce13fb36596ec8bde7608abc8502e4f26cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ca56f164e3387d34ca23f7d609648ce13fb36596ec8bde7608abc8502e4f26cb
SHA3-384 hash: 7e3b27eb58860bcb91428019b16dd926120d62b264e1748d0e7905be13679a79a3c44426ca04a83f09436f151157bba3
SHA1 hash: 4fba6a21aea39e5eba4c81141d8f4e46dd84878d
MD5 hash: 1204e0a681005b407f8515e622e6d253
humanhash: nine-six-pizza-quiet
File name:wire transfer notification advice.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'161'016 bytes
First seen:2020-10-27 12:48:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 24a4caa171cf0a3c7ac6185c64ca5d29 (13 x ModiLoader, 3 x RemcosRAT)
ssdeep 12288:gJROS/D7RYUfXkIlC+23Oy55Wf/lJrQGe/uV9S7AlPBbrEZlgfkmHvXbCyVsQHwQ:gP3taIH23P5IJnqU3rLCX9Q
Threatray 402 similar samples on MalwareBazaar
TLSH AE358DE2A69504E6F122EA788D77466345F5BC3138388CA536EC2D097AFF1813D9ED43
Reporter abuse_ch
Tags:exe HSBC ModiLoader


Avatar
abuse_ch
Malspam distributing ModiLoader:

HELO: post2-gw.beenets.com
Sending IP: 119.63.80.28
From: HSBC Bank plc <zofia.sitnik@hsbc.com>
Subject: Advice refund from HSBC
Attachment: wire transfer notification advice.rar (contains "wire transfer notification advice.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Netwire
Create hunting rule
Link:
https://www.capesandbox.com/analysis/79904/
Detection(s):
PUA.Win.Packer.PrivateEXEProtector4-6192998-2
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/513605
Signature
Contains functionality to detect sleep reduction / modifications
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ca56f164e3387d34ca23f7d609648ce13fb36596ec8bde7608abc8502e4f26cb/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2020-10-27 09:09:27 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zjlpczhdhb6tjsrd67laszem4e73gzmw5sf545qivpefalspe3fq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
30d4df590f8b7eff8b8ff1574384b3a9f1c7b72accf33f07f453d5a72177c419
ModiLoader
36ba79ff2db7b282786498c40ec83075e54b15f42021cbbc7289036e12e07a18
ModiLoader
42808813b67b34a144d03a26fb5a9cf6cd59e185e58d73750585654c09242e5b
ModiLoader
43f14fe4f9c4e617842b497b17c1e2884562466bb832d673d987760d1fc4b682
ModiLoader
49551fe3b312425f0a4f946b3a6eb9044bc7b2b7b1665288153295677384509e
ModiLoader
8546c35ea3d72e58b06dbcdb3d790fe9d39772ec986a2b89c406daab67efe79b
ModiLoader
85c2475f5bb564338727b25d030019e2ec0f08a9892df26024e45339ef3c0792
ModiLoader
c6924bd1eede3eef4831175fe7a6144576b8378801d5c229e7a9b56e27f3a2e2
ModiLoader
e6c265d43fd926038d77f0caf1773f93c5d684fb2fce4af1f4474982eb494762
ModiLoader
eacd4bf6e9ef503d844adb44043c83bd6324b805b6587a3d2b4b27ec0143dedc
ModiLoader
+ 392 additional samples on MalwareBazaar
Result
Malware family:
netwire
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:netwire botnet persistence stealer trojan
Link:
https://tria.ge/reports/201027-peq5jgnzcn/
Behaviour
Script User-Agent
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
ModiLoader First Stage
ModiLoader Second Stage
ModiLoader, DBatLoader
Netwire
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/ca56f164e3387d34ca23f7d609648ce13fb36596ec8bde7608abc8502e4f26cb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:MALWARE_Win_DLAgent03
Create hunting rule
Author:ditekSHen
Description:Detects known Delphi downloader agent downloading second stage payload, notably from discord

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

rar 25bfe953313ef97dfaac9f6f624a2b09d1f98df76f103c62f65169efa6d532b0

ModiLoader

Executable exe ca56f164e3387d34ca23f7d609648ce13fb36596ec8bde7608abc8502e4f26cb

(this sample)

  
Dropped by
MD5 742ba13cf123914fcf79ada1ac2eb7c7
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 25bfe953313ef97dfaac9f6f624a2b09d1f98df76f103c62f65169efa6d532b0
Cape
Cape
https://www.capesandbox.com/analysis/79904/

Comments