MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e14db11b2e852dcb17a2a9315aad77e48ef906ae85042a3edf667611898dc77c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e14db11b2e852dcb17a2a9315aad77e48ef906ae85042a3edf667611898dc77c
SHA3-384 hash: 7e8ceec1cc62c85cfd5d29abe0d2045ca672b55d94fffe0d7e4183abe1c0ccb4d7e84e67d11ecee004a8b9eede1e2da3
SHA1 hash: cfd12adeae6fc6aff845564c4f87f49562e1f7eb
MD5 hash: 5f81083596a04ce9ad2527ba5636e12c
humanhash: football-floor-florida-idaho
File name:Quwzbzs_Signed_.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'050'776 bytes
First seen:2020-10-15 11:55:31 UTC
Last seen:2020-10-15 13:28:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a31ea16644ced8e431e2fe203a7b0361 (15 x ModiLoader, 4 x Loki, 1 x RemcosRAT)
ssdeep 24576:9FT7lBs40jT0sUbtpW/nAOPq3Sp58Vn7nLT6USE/7LYUx5t8SH1V:9vBsxTEi5Y7nLT6USE/7kUPtF
Threatray 446 similar samples on MalwareBazaar
TLSH 5525CF31F3E2CA36F2521531CC2B5BB99532BE001924945A76E63C4DAE36BF079792D3
Reporter abuse_ch
Tags:DHL exe ModiLoader


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: localhost
Sending IP: 89.248.168.148
From: DHL Express Shipment <dhlSender@dhl.com>
Subject: DHL Express Shipment Notification
Attachment: dhl shipment_pdf.z (contains "Quwzbzs_Signed_.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/71349/
Detection(s):
SecuriteInfo.com.Artemis5F81083596A0.8651.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Unauthorized injection to a recently created process
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/492314
Signature
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
May check the online IP address of the machine
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Fodhelper UAC Bypass
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 298654 Sample: Quwzbzs_Signed_.exe Startdate: 15/10/2020 Architecture: WINDOWS Score: 100 42 nagano-19599.herokussl.com 2->42 44 elb097307-934924932.us-east-1.elb.amazonaws.com 2->44 46 api.ipify.org 2->46 58 Multi AV Scanner detection for submitted file 2->58 60 Yara detected AgentTesla 2->60 62 Sigma detected: Fodhelper UAC Bypass 2->62 64 May check the online IP address of the machine 2->64 9 Quwzbzs_Signed_.exe 1 15 2->9         started        14 Quwzdrv.exe 13 2->14         started        16 Quwzdrv.exe 14 2->16         started        signatures3 process4 dnsIp5 48 cdn.discordapp.com 162.159.134.233, 443, 49734 CLOUDFLARENETUS United States 9->48 50 discord.com 162.159.136.232, 443, 49732, 49733 CLOUDFLARENETUS United States 9->50 40 C:\Users\user\AppData\Local\...\Quwzdrv.exe, PE32 9->40 dropped 66 Detected unpacking (changes PE section rights) 9->66 68 Detected unpacking (overwrites its own PE header) 9->68 70 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 9->70 78 2 other signatures 9->78 18 Quwzbzs_Signed_.exe 2 9->18         started        21 notepad.exe 4 9->21         started        52 162.159.129.233, 443, 49749, 49755 CLOUDFLARENETUS United States 14->52 54 162.159.135.232, 443, 49747, 49748 CLOUDFLARENETUS United States 14->54 72 Multi AV Scanner detection for dropped file 14->72 74 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 14->74 76 Injects a PE file into a foreign processes 14->76 24 Quwzdrv.exe 2 14->24         started        file6 signatures7 process8 file9 56 Modifies the hosts file 18->56 36 C:\Users\Public36atso.bat, ASCII 21->36 dropped 26 cmd.exe 1 21->26         started        28 cmd.exe 1 21->28         started        38 C:\Windows\System32\drivers\etc\hosts, ASCII 24->38 dropped signatures10 process11 process12 30 conhost.exe 26->30         started        32 reg.exe 1 1 26->32         started        34 conhost.exe 28->34         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e14db11b2e852dcb17a2a9315aad77e48ef906ae85042a3edf667611898dc77c/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-10-15 09:45:44 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4fg3cgzoquw4wf5cveyvvllx4shpsbvoquccupw7mz3bdcmny56a._file
Verdict:
malicious
Similar samples:
1718ca5c80e3a42cec338fea4417d36fda3facf65d2828ccf438098caedf9a7e
ModiLoader
38e3cba90f87ed237322570ee1c681b99ead6bab00864005a93b713a6fe4574f
ModiLoader
3e64029948a8c6ff5de11ab028df1acdc90b10a8953e7ffabd78fe3b3de84e61
ModiLoader
78582d172358ebeb7af791aeea731373b6856ab905c5ac122403fd8d0c31b8f3
ModiLoader
8740660b719c87f2e9deb11c5fbda1a6ffd0c770a571d4945056d53e7a6b31c3
ModiLoader
8e0f1afb542d73ead6c9942171d40ba9117a2b6f39c386ba9e51b22b78c7005f
ModiLoader
ac6fe5d0dc9129225e65b82c6b992641ed6f036c1ae62f8e889821580416ebab
ModiLoader
b44ef524ef77ea1ee0bcb7096b328f6f94a4621df0d15114e8ff43e83483bbc6
ModiLoader
b8c6d9ced99143d34fd8829125c6ff46bc0c55569f401ec4d1354f3d0825c4c4
ModiLoader
ce30dea0b1d4fa181753600eb63c1d2f1a7de1bd848dcdbe196f6a35afef0ea9
ModiLoader
+ 436 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
persistence trojan family:modiloader
Link:
https://tria.ge/reports/201015-93w4ln24mj/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
ModiLoader Second Stage
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
e14db11b2e852dcb17a2a9315aad77e48ef906ae85042a3edf667611898dc77c
MD5 hash:
5f81083596a04ce9ad2527ba5636e12c
SHA1 hash:
cfd12adeae6fc6aff845564c4f87f49562e1f7eb
Link:
https://www.unpac.me/results/bc8797a4-1523-4f99-8972-e00183987f20/
SH256 hash:
fff782830f323f49473402aac087bea89fa319afd0fe504476c9e8b038f9fce8
MD5 hash:
453044cd27142581835d24c31905ab10
SHA1 hash:
82e53802758d48321c9cf737b83547ae19b93286
Link:
https://www.unpac.me/results/bc8797a4-1523-4f99-8972-e00183987f20/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e14db11b2e852dcb17a2a9315aad77e48ef906ae85042a3edf667611898dc77c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

z 32f6d9ec61b1c35cb9f44248cde9fa23d12f6d11678f463d856db60c2f5eb742

ModiLoader

Executable exe e14db11b2e852dcb17a2a9315aad77e48ef906ae85042a3edf667611898dc77c

(this sample)

  
Dropped by
MD5 963f3c7c35c1d253d2d62f57078a9011
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/71349/
  
Dropped by
SHA256 32f6d9ec61b1c35cb9f44248cde9fa23d12f6d11678f463d856db60c2f5eb742

Comments