MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 042ef647920e37e8da471c1bfbc36490ee6bf93ceee75cd90161823ae74d458b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 042ef647920e37e8da471c1bfbc36490ee6bf93ceee75cd90161823ae74d458b
SHA3-384 hash: 3e75af184b158894344f3a055cd641c2844e8ca4a8ab44a0072ae9d5625f85fe3ae35805aeb07ea889fbb7ee1c41517c
SHA1 hash: 3fd8e55a12bdf35200ee43e210951825ad0293d3
MD5 hash: b3cb5b2bc5c3033b1008ed7f7f6312db
humanhash: table-green-social-romeo
File name:PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'218'752 bytes
First seen:2020-11-28 09:28:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 191f8035b5c11d5de8fd20cfdada0df2 (6 x ModiLoader)
ssdeep 24576:3RVtvQ+csIDccuZGhe1ppCmfwybRm8zQKtALblKCeNRbO+v:3R/ovVcOM1pJwYFzQ0t
Threatray 322 similar samples on MalwareBazaar
TLSH 8745BF23B1B2847AC16175BEAE1B41EE6FB5FD613478750E37E0690C8E3AAC17D25093
Reporter abuse_ch
Tags:exe ModiLoader


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: 185-86-106-187.pool.ovpn.com
Sending IP: 185.86.106.187
From: Deng Fen <sales@ecoloqicfurniture.com>
Reply-To: Deng Fen<sales@ecoloqicfurniture.com>
Subject: RE:Inquiry for November shipment #24777081
Attachment: PRO FORMA INVOICE - - MAGAUTKCP 24-Nov-20.iso (contains "PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
201
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/105884/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Result
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/549942
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/042ef647920e37e8da471c1bfbc36490ee6bf93ceee75cd90161823ae74d458b/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-11-26 19:56:34 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aqxpmr4sby36rwshdqn7xq3esdxgx6j453tvzwibmgbdvz2niwfq._file
Verdict:
malicious
Similar samples:
1b13660c52adcccc1cef45f137a3373f5615500a609c61a9872e5ed4336e629a
ModiLoader
23f63135c2789e7ef408e0184508a7340f673860f0fefc09dd705276d82d7787
ModiLoader
29cf2f87bd9503ddd65e08e9aab1e80bfef318873e649ca0db4e6b079f31b9a4
ModiLoader
38e3cba90f87ed237322570ee1c681b99ead6bab00864005a93b713a6fe4574f
ModiLoader
3a5943219f8400531a411b909b666337ba4f232d19e003a0128e0d699106f04f
ModiLoader
49cd5a74bbebb0bb147f1bfb1e0ec7e42de79cd137eff2b62386cb3ac5229dab
ModiLoader
4ae6b816ae796954dd22a01dacb47e9e76bd3facc4f20f7f8fb76e18fd20b27b
ModiLoader
6b85fd7249ceaf4a88f71ad1becb27b9c9a17b1c1bd2cb75f25cdc7b1318785a
ModiLoader
a51241f19d9e2f370c5fca701fb761a5faef8d2f0a16de8ddad6a1936020cdd3
ModiLoader
fcb0efa3aa2fadbf33aa05b84a71129308f89fc0a2faa9cdf561b941aa321e87
ModiLoader
+ 312 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:modiloader keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201128-q294hjwe5x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies system certificate store
Script User-Agent
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
ModiLoader First Stage
AgentTesla
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
042ef647920e37e8da471c1bfbc36490ee6bf93ceee75cd90161823ae74d458b
MD5 hash:
b3cb5b2bc5c3033b1008ed7f7f6312db
SHA1 hash:
3fd8e55a12bdf35200ee43e210951825ad0293d3
Link:
https://www.unpac.me/results/679d7b7a-8731-4769-b00a-442ecbc7f825/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

iso c1109dad306144b1d0b0199e626a581f3c0f0b129b1010c747e81923de133acf

ModiLoader

Executable exe 042ef647920e37e8da471c1bfbc36490ee6bf93ceee75cd90161823ae74d458b

(this sample)

  
Dropped by
MD5 3dc1d90fd5495800ae3d0f7f5e665675
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/105884/
  
Dropped by
SHA256 c1109dad306144b1d0b0199e626a581f3c0f0b129b1010c747e81923de133acf

Comments