MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db2e865b97ee2b6595c77323778cf32382fc862c6ba33776304b28b192b94d97. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: db2e865b97ee2b6595c77323778cf32382fc862c6ba33776304b28b192b94d97
SHA3-384 hash: e8be263c8c2354d87f691ceb38565fddca13d848f7a0fde9b92db8fa0357bc8d35e1c00032d01b8463e06050879a180a
SHA1 hash: d36182007609f124591c79ecc6efa9e489c6fe75
MD5 hash: 0445386faf1bdafbeae249327c7ee249
humanhash: carbon-cold-high-beer
File name:HSBC-873634.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'161'016 bytes
First seen:2020-10-27 10:08:39 UTC
Last seen:2020-10-27 12:15:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 24a4caa171cf0a3c7ac6185c64ca5d29 (13 x ModiLoader, 3 x RemcosRAT)
ssdeep 12288:gJROS/D7RYUfXkIlC+23Oy55Wf/lJrQG4/uV9S7AlPBbrEZlgfkmHvXbCyVsQHwQ:gP3taIH23P5IJFqU3rLCX9Q
Threatray 593 similar samples on MalwareBazaar
TLSH CC359EE2A69504E6F162EA788C77466345F5BC3138388CA536EC2C097AFF1817D9ED43
Reporter abuse_ch
Tags:exe HSBC ModiLoader


Avatar
abuse_ch
Malspam distributing ModiLoader:

HELO: h22.megalink.com
Sending IP: 200.75.160.22
From: United Overseas Bank <liamchua@uobgroup.com>
Subject: Incoming Payment Notification
Attachment: HSBC-873634.iso (contains "HSBC-873634.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/79780/
Detection(s):
PUA.Win.Packer.PrivateEXEProtector4-6192998-2
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Launching a process
Creating a file
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Sending a TCP request to an infection source
Unauthorized injection to a system process
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/513264
Signature
Contains functionality to detect sleep reduction / modifications
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/db2e865b97ee2b6595c77323778cf32382fc862c6ba33776304b28b192b94d97/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2020-10-27 06:59:08 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3mximw4x5yvwlfohomrxpdhteobpzbrmnorto5rqjmuldevzjwlq._file
Verdict:
malicious
Similar samples:
10cf748693a03e95d4f2efab81757ec3ad3905129e84b7dc8c491d9e5fbb550e
ModiLoader
1d8df098798099b8106386eb335e7f793d9ce4c14c863105aa2f260cea331c44
ModiLoader
3faaf4c39ac62ca025232a6482aaf902472af9e56d5be60e1e7478c29d30e71c
ModiLoader
49c1e306362700be6143f3dc9592a72ca5d9dc3d7237d9f8e4f14b5c14ea2155
ModiLoader
83413a3a3f07ee931dbfecaefed51d0b01d2b13b85920bdd485f0b2ce41acba5
ModiLoader
a899d2b8f1cf3d0a97107dcfecafb3239cade9e8aad01fe007f3b0d8762b8b7a
ModiLoader
c409017de52a4a6ad3a0cd3ab97ad17f9be172136155bf548bef49d7777cec1a
ModiLoader
cc6e538004f2725145291a264b3f8d9835566c9950fcda9a11fc19d40fd44b26
ModiLoader
db28682ec511e61fa9a6425d0c7a908a99cf19b3f08c81b0e61bec26e24a15d6
ModiLoader
e3b9a35e9155fd3c927956f03d54da02f28cc27437537d67ba302ddb4a40e57b
ModiLoader
+ 583 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
persistence trojan family:modiloader
Link:
https://tria.ge/reports/201027-yvwes2eae2/
Behaviour
Modifies registry key
Script User-Agent
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader First Stage
ModiLoader Second Stage
ModiLoader, DBatLoader
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:MALWARE_Win_DLAgent03
Create hunting rule
Author:ditekSHen
Description:Detects known Delphi downloader agent downloading second stage payload, notably from discord

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

iso 7c0e80fcefa0b780b2dcfeb2979ba7abfcb1937942fcd770848302cc57fe5d89

ModiLoader

Executable exe db2e865b97ee2b6595c77323778cf32382fc862c6ba33776304b28b192b94d97

(this sample)

  
Dropped by
MD5 bcc20d71bcd874aa65e5efa614a49678
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 7c0e80fcefa0b780b2dcfeb2979ba7abfcb1937942fcd770848302cc57fe5d89
Cape
Cape
https://www.capesandbox.com/analysis/79780/

Comments