MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd90203d2caab14ccfb48f6fbb2c15b956b07c72395b671e06b68049c90ceb25. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dd90203d2caab14ccfb48f6fbb2c15b956b07c72395b671e06b68049c90ceb25
SHA3-384 hash: 8e6f2e00dd4e599eeba5fa7316c067e4d183b7490bda59cf462484a8ea3045f8fc4b25f655ddb491e07cb00ada4b499f
SHA1 hash: e181b22fe7a714fec9ed2d7506e3341fe926bbec
MD5 hash: 1e59a2c8298846c08aa900f05b18062f
humanhash: comet-nuts-whiskey-king
File name:DHL_677233.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'042'112 bytes
First seen:2020-11-06 17:23:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4200abc8996b175d017a27c24840eda2 (5 x ModiLoader, 1 x Loki)
ssdeep 12288:IuQSAIeXjs8BQPtd+TuaCzhnycIZTtkO1y2QSTgKRwoaQtkljsWF/sWF9sT:nRMj/BQPSTuVByrth1pQSMIwoh8I
Threatray 1'099 similar samples on MalwareBazaar
TLSH 65259EA2A680D432D09319B94D5BDBFC783DBEA02D24580B77D4DE0C5F3A781B53A25B
Reporter abuse_ch
Tags:DHL exe ModiLoader


Avatar
abuse_ch
Malspam distributing ModiLoader:

HELO: jovial-wilbur.52-162-254-219.plesk.page
Sending IP: 23.100.79.202
From: DHL <support@dhl.com>
Subject: Your AWB Shipment Has Arrived
Attachment: DHL_677233.IMG (contains "DHL_677233.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Launching the default Windows debugger (dwwin.exe)
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos ModiLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/523580
Signature
Allocates memory in foreign processes
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Fodhelper UAC Bypass
Writes to foreign memory regions
Yara detected ModiLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 310890 Sample: DHL_677233.exe Startdate: 07/11/2020 Architecture: WINDOWS Score: 100 45 Malicious sample detected (through community Yara rule) 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 Detected Remcos RAT 2->49 51 7 other signatures 2->51 8 DHL_677233.exe 1 16 2->8         started        13 Vjstdrv.exe 14 2->13         started        15 Vjstdrv.exe 13 2->15         started        process3 dnsIp4 43 cdn.discordapp.com 162.159.135.233, 443, 49719, 49737 CLOUDFLARENETUS United States 8->43 39 C:\Users\user\AppData\Local\...\Vjstdrv.exe, PE32 8->39 dropped 53 Writes to foreign memory regions 8->53 55 Allocates memory in foreign processes 8->55 57 Creates a thread in another existing process (thread injection) 8->57 17 notepad.exe 4 8->17         started        20 ieinstal.exe 2 3 8->20         started        59 Multi AV Scanner detection for dropped file 13->59 61 Injects a PE file into a foreign processes 13->61 23 ieinstal.exe 13->23         started        25 ieinstal.exe 15->25         started        file5 signatures6 process7 dnsIp8 37 C:\Users\Public37atso.bat, ASCII 17->37 dropped 27 cmd.exe 1 17->27         started        29 cmd.exe 1 17->29         started        41 boot.awsmppl.com 185.244.30.217, 2266, 49728 DAVID_CRAIGGG Netherlands 20->41 file9 process10 process11 31 conhost.exe 27->31         started        33 reg.exe 1 1 27->33         started        35 conhost.exe 29->35         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dd90203d2caab14ccfb48f6fbb2c15b956b07c72395b671e06b68049c90ceb25/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-11-06 10:20:29 UTC
AV detection:
21 of 48 (43.75%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3wicapjmvkyuzt5ur5x3wlavxflla7dshfnwohqgw2aetsim5msq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0abf0f61f1a7805aedb6e7b825de9ab83042f00d7ed6f0af817e45fe5c67c7bd
ModiLoader
14a8520afb80692ed77075a5a9e797fa2822a91e5eb43603762669fb65ef2144
ModiLoader
2ccee108cf8e10eeef5129554e97fdb481d375475419be26cff2430360db2689
ModiLoader
40ac0f2418edf402cc41fbb78bb902a261df8b6fb3355574accbf894f81b85b8
ModiLoader
782034e7edabb7bffb20511c30d90c642602d81dd4a15bfeaa5969307ddc4f34
ModiLoader
7ad833f9f06a7ebbad69a40515654c8a7a1b3346cf93214e2638e33901133409
ModiLoader
ab922ef6d627d72050b28196f47fe7f027828b803e1a58ebe826d54b484f5491
ModiLoader
df1338550b2b7474d6143c26fd6ef7feeb25bdb5931b268df83a031f1856a8f7
ModiLoader
f6878003c470e531787cd70fc0785bb01a5c64d6a39f0efec5aabc5ac3f5f889
ModiLoader
f829c65731383f66a34a87af8aac93119ee04674c3dc8a07796fb470db03bd42
ModiLoader
+ 1'089 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos persistence rat trojan
Link:
https://tria.ge/reports/201106-1rm8ammyqj/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader First Stage
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
Unpacked files
SH256 hash:
dd90203d2caab14ccfb48f6fbb2c15b956b07c72395b671e06b68049c90ceb25
MD5 hash:
1e59a2c8298846c08aa900f05b18062f
SHA1 hash:
e181b22fe7a714fec9ed2d7506e3341fe926bbec
Link:
https://www.unpac.me/results/ce636d28-79a2-44e7-b369-3d392703347e/
SH256 hash:
a8ec6e8bf1403137b204970f31c7e82d7958d7f6f2059ba3ab91120ae0c3a47b
MD5 hash:
5ea0a3cda70d7e9144e4b7944af6a027
SHA1 hash:
33dce049d0ff2d37a0ee485c76bf59e65b31642f
Link:
https://www.unpac.me/results/ce636d28-79a2-44e7-b369-3d392703347e/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

img 00406b2860c654934e60caf73818bf20d19465583b437471df4095c75ad6af7b

ModiLoader

Executable exe dd90203d2caab14ccfb48f6fbb2c15b956b07c72395b671e06b68049c90ceb25

(this sample)

  
Dropped by
MD5 eba6164d9a3a9dfec186d0e53b240d73
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 00406b2860c654934e60caf73818bf20d19465583b437471df4095c75ad6af7b

Comments