MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7a5b30eb4ad9f5b7b53bd402756a623c67cfb8d46d1148b40d8bc2d4ea43594. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e7a5b30eb4ad9f5b7b53bd402756a623c67cfb8d46d1148b40d8bc2d4ea43594
SHA3-384 hash: 42c08217f87361bab075eb1f10d08e85fdae67eee2e745fcea2832b9eaf08dda2ca26241a9e71c2189d1b4a25d1ff160
SHA1 hash: d3456e6f1795f065abb5ccc0898f0b300ebb41ef
MD5 hash: 3df05e1f4f5c951d52524eb426bb9a3f
humanhash: carpet-carolina-shade-fanta
File name:Scan_Docs #INV 300489739-04-08-2020 Amended.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'164'125 bytes
First seen:2020-08-05 09:26:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 55dd9dedcfe5ef6fe0004f7185f32bb2 (7 x ModiLoader)
ssdeep 24576:iJfdkxzf7b6jiwhDZcYNM7yXBpCjoGuQzmP:iFS4c5uQz8
Threatray 276 similar samples on MalwareBazaar
TLSH B545CF23B2A28871C115957DCE0782BE7E75BD617545268E37E0FD0CDE3AEC0792B0A6
Reporter abuse_ch
Tags:exe ModiLoader


Avatar
abuse_ch
Malspam distributing ModiLoader:

From: "Sandeep Manohar (GAM)" <sandeepm@tukatech.com>
Subject: RE: Richa Global (219,Ggn) - AMC Docs reference INV
Attachment: Scan_Docs INV 300489739-04-08-2020 Amended.r00 (contains "Scan_Docs #INV 300489739-04-08-2020 Amended.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/39354/
Detection(s):
SecuriteInfo.com.Generic.mg.3df05e1f4f5c951d.895.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Launching a process
Creating a file
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% directory
Deleting a recently created file
Reading critical registry keys
Creating a file in the %temp% directory
Setting a single autorun event
Stealing user critical data
Unauthorized injection to a system process
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
58 / 100
Link:
https://www.joesandbox.com/analysis/410842
Signature
Allocates memory in foreign processes
Contains functionality to hide user accounts
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Sigma detected: Fodhelper UAC Bypass
Tries to steal Mail credentials (via file access)
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 257741 Sample: Scan_Docs #INV 300489739-04... Startdate: 05/08/2020 Architecture: WINDOWS Score: 58 69 Malicious sample detected (through community Yara rule) 2->69 71 Yara detected AveMaria stealer 2->71 73 Sigma detected: Fodhelper UAC Bypass 2->73 75 4 other signatures 2->75 8 Scan_Docs #INV 300489739-04-08-2020 Amended.exe 4 4 2->8         started        13 Mcdmsec.exe 1 2->13         started        15 Mcdmsec.exe 1 2->15         started        process3 dnsIp4 59 story43.ddns.net 84.38.135.151, 3670, 49732 DATACLUBLV Latvia 8->59 61 cdn.discordapp.com 162.159.130.233, 443, 49726 CLOUDFLARENETUS United States 8->61 63 192.168.2.1 unknown unknown 8->63 57 C:\Users\user\AppData\Local\Mcdmsec.exe, PE32 8->57 dropped 79 Tries to steal Mail credentials (via file access) 8->79 81 Writes to foreign memory regions 8->81 83 Allocates memory in foreign processes 8->83 91 2 other signatures 8->91 17 notepad.exe 4 8->17         started        65 162.159.133.233, 443, 49736 CLOUDFLARENETUS United States 13->65 85 Machine Learning detection for dropped file 13->85 87 Creates a thread in another existing process (thread injection) 13->87 89 Injects a PE file into a foreign processes 13->89 19 notepad.exe 13->19         started        67 162.159.135.233, 443, 49738 CLOUDFLARENETUS United States 15->67 21 notepad.exe 15->21         started        file5 signatures6 process7 file8 24 cmd.exe 1 17->24         started        27 cmd.exe 1 17->27         started        29 cmd.exe 19->29         started        31 cmd.exe 19->31         started        55 C:\Users\Public55atso.bat, ASCII 21->55 dropped 33 cmd.exe 21->33         started        35 cmd.exe 21->35         started        process9 signatures10 77 Uses cmd line tools excessively to alter registry or file data 24->77 37 cmd.exe 1 2 24->37         started        39 conhost.exe 24->39         started        47 2 other processes 24->47 41 cmd.exe 2 27->41         started        49 3 other processes 27->49 51 2 other processes 29->51 43 conhost.exe 31->43         started        53 2 other processes 33->53 45 conhost.exe 35->45         started        process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e7a5b30eb4ad9f5b7b53bd402756a623c67cfb8d46d1148b40d8bc2d4ea43594/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2020-08-05 08:15:15 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=46s3gdvuvwpvw62txvacovvgepdhz64ni3irjc2a3c6c2tvegwka._file
Verdict:
malicious
Similar samples:
041f85034f71a295c168af2719d1dfa7a5d346f57b16a4b17bd6a471e3ceb55e
ModiLoader
125cb3c64b38341e06ac31caa06939ce0a3a5ec9e8824d7bbb819a6d7e8c8a5f
ModiLoader
2a73b5bcf40617742a535178183021aa1f0ed55f85a431e1535a0b65030b6867
ModiLoader
331f79d447c67aba1c4c7c9453adf79eb9c631219720e5fbcc051af167dff87d
ModiLoader
33a76af55237d9ba192ee8496fd6c4adc489593705e81c663a890b39e1c92a8e
ModiLoader
4cffbdf1d3e2016475da67b15f0ab12a9658e0970f691cebe0bd161e2e1772b2
ModiLoader
4fa4af45c70295513c486589c0e36e7436be6abbf3c75e97b544db959e9dfcb5
ModiLoader
90d5792fd0a2ab859f120bef8f12a28c8f7e4119a43054c22db57e76c7b386a0
ModiLoader
b5279796301bec9d8b3de84dff29a98dfb7cfe9d549279fddfd624b61583960f
ModiLoader
c72cde3224e01da2283065c5a94d252f528c132019eb2f2656c86a7caa1006c2
ModiLoader
+ 266 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://tria.ge/reports/200805-5xpv62qd26/
Behaviour
Modifies registry key
Suspicious use of WriteProcessMemory
Script User-Agent
Script User-Agent
Suspicious use of WriteProcessMemory
JavaScript code in executable
Adds Run key to start application
Reads user/profile data of web browsers
Loads dropped DLL
ServiceHost packer
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e7a5b30eb4ad9f5b7b53bd402756a623c67cfb8d46d1148b40d8bc2d4ea43594

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_dbatloader_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

r00 ba9bfb0d60c82a7089416526c12c14a7bb094918d3b1238ff7ef84871168308e

ModiLoader

Executable exe e7a5b30eb4ad9f5b7b53bd402756a623c67cfb8d46d1148b40d8bc2d4ea43594

(this sample)

  
Dropped by
MD5 da596d5fdc4f69e57e6a2fdae73e0090
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/39354/
  
Dropped by
SHA256 ba9bfb0d60c82a7089416526c12c14a7bb094918d3b1238ff7ef84871168308e

Comments