MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4769506e482cbdbaeae35eb657e75cfb941ab66253770896493666b023851a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e4769506e482cbdbaeae35eb657e75cfb941ab66253770896493666b023851a5
SHA3-384 hash: 7ed27b01aa5e7e4af509a8ce3f0a8fd3a8ed04a8f8b2c3dd8187256ee3ffeabce63a67ef7268f8857bb23e02138bf3e4
SHA1 hash: 7e9db2fa387a98d560a05b3b41ecf30910d50e2d
MD5 hash: 8ccdea6f47dd180695b95ba86c3b7f30
humanhash: lemon-magazine-thirteen-don
File name:NCB-041900.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:961'024 bytes
First seen:2020-10-18 10:52:07 UTC
Last seen:2020-10-19 01:33:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 30bcd8b78b734935c5e80cfbc7777835 (2 x NetWire, 2 x ModiLoader)
ssdeep 12288:Qx7VDvuMNzsF9H84exmnccguaBc+LfxKM0GVzYZowNw2AYJpQ:QxRoFa4ex7cg/3AwFG6
Threatray 495 similar samples on MalwareBazaar
TLSH 98157E36A3D24833D573163D9D1B67B8AD3ABE112A28B9463BF41C4C5F39641383A397
Reporter abuse_ch
Tags:exe ModiLoader NCB


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mx1.e-tiger.net
Sending IP: 193.23.139.20
From: National Commercial Bank (NCB) <account@ptssyndicate.com>
Subject: Incoming Payment Notification - HSBC
Attachment: NCB-041900.iso (contains "NCB-041900.exe")

Intelligence

File Origin
# of uploads :
4
# of downloads :
136
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/72642/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Launching cmd.exe command interpreter
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/494622
Signature
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 299761 Sample: NCB-041900.exe Startdate: 18/10/2020 Architecture: WINDOWS Score: 56 29 Multi AV Scanner detection for submitted file 2->29 6 Fsgndrv.exe 13 2->6         started        10 NCB-041900.exe 1 15 2->10         started        13 Fsgndrv.exe 13 2->13         started        process3 dnsIp4 23 162.159.133.233, 443, 49737, 49744 CLOUDFLARENETUS United States 6->23 25 192.168.2.1 unknown unknown 6->25 31 Multi AV Scanner detection for dropped file 6->31 15 ieinstal.exe 6->15         started        27 cdn.discordapp.com 162.159.135.233, 443, 49720 CLOUDFLARENETUS United States 10->27 21 C:\Users\user\AppData\Local\...\Fsgndrv.exe, PE32 10->21 dropped 17 ieinstal.exe 10->17         started        19 ieinstal.exe 13->19         started        file5 signatures6 process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e4769506e482cbdbaeae35eb657e75cfb941ab66253770896493666b023851a5/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2020-10-18 08:00:45 UTC
File Type:
PE (Exe)
Extracted files:
46
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4r3jkbxeqlf5xlvogxvwk7tvz64udk3geu3xbclesntgwarykgsq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
3db67e5cc713186d3bc6e3ad98c72213bc7bfa65c481b368aa51691e68c592a0
ModiLoader
47816266a181f4e6c32529f14dd3e40c420510a9bf4982288d6b2c30d13ff3ad
ModiLoader
4e420c5efeb26330ec4eb618426d859222b791798df3ae65c59fc20ef2f2889a
ModiLoader
5c14aee239971a12f6f9ac50cce4c9ecaca4639c10688ca050f9ce661569ac25
ModiLoader
7fa4e7e851fd8997ceb6a4b87912523dd682387f70eb840afc01806e08c26c2f
ModiLoader
91292df65ea051a8cd7009382fb66c6b3fed39e8ddc3a27e38c990e2b69ea942
ModiLoader
a5e7f494eb61368332811160955db5ef4dc5f07e6e3fbc7d5c0776023d3714c0
ModiLoader
d30b949fc05b15b611b3fe420b6883062c5bb2b270c769540c48f703a46cbbf3
ModiLoader
e0e3ae47b7e48c3c81724d0a63f5f6f8033bb516d97c538ea52349a102a0e1b6
ModiLoader
e45ae394ea5f790dd4707808277412100254f527f6e3b0a370f3b779de0a6467
ModiLoader
+ 485 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
rat infostealer family:warzonerat persistence trojan family:modiloader
Link:
https://tria.ge/reports/201018-l792eaz526/
Behaviour
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
ModiLoader First Stage
ModiLoader Second Stage
Warzone RAT Payload
ServiceHost packer
ModiLoader, DBatLoader
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
e4769506e482cbdbaeae35eb657e75cfb941ab66253770896493666b023851a5
MD5 hash:
8ccdea6f47dd180695b95ba86c3b7f30
SHA1 hash:
7e9db2fa387a98d560a05b3b41ecf30910d50e2d
Link:
https://www.unpac.me/results/269e229c-c9cf-4e01-9fd0-f253bb7f8c79/
SH256 hash:
197c4fd2875357024805d13b06f68d0895c9ca76ad08dfea28419ed6a2e6b34a
MD5 hash:
7e0e380137cf15350a36bebe9a5c5daf
SHA1 hash:
fb8f7f834078e9b647beedd47199a96d1df147df
Link:
https://www.unpac.me/results/269e229c-c9cf-4e01-9fd0-f253bb7f8c79/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/e4769506e482cbdbaeae35eb657e75cfb941ab66253770896493666b023851a5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

iso b216e605a9cb487e774a7101dcbcdd6e5efadb1b18e6499f1e0599eb9524da88

ModiLoader

Executable exe e4769506e482cbdbaeae35eb657e75cfb941ab66253770896493666b023851a5

(this sample)

  
Dropped by
MD5 3a48fc293605d44d993c60cc37c72d2b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/72642/
  
Dropped by
SHA256 b216e605a9cb487e774a7101dcbcdd6e5efadb1b18e6499f1e0599eb9524da88

Comments