MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1590db94bd0396fb08a5fc451c24832e0b68db3c97f9c43ecb0f1c620cf325e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ModiLoader

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments

SHA256 hash:	1590db94bd0396fb08a5fc451c24832e0b68db3c97f9c43ecb0f1c620cf325e9
SHA3-384 hash:	858a90d976be7453bfb20a9e39d3a1acce4c2e5fb49b8467c08cdeaa640c52807db1f35a46a63ea8d959a3f787acacbd
SHA1 hash:	b92e368d2441a50084b9c21146edf969f5336295
MD5 hash:	05bfc1273b6391648dba170ef904abdb
humanhash:	bluebird-maine-bacon-michigan
File name:	HEUR-Trojan.Win32.Generic-1590db94bd0396fb08a5fc451c24832e0b68db3c97f9c43ecb0f1c620cf325e9
Download:	download sample
Signature	ModiLoader Create hunting rule
File size:	2'738'755 bytes
First seen:	2022-08-31 02:21:19 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	6d2bdf26ab03acee0ac37132c1af3d94 (1 x ModiLoader)
ssdeep	49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlu:86SIROiFJiwp0xlrlu
TLSH	T113C5CFF6FFC22697C50E407A4E588B72E3F4127AD1A0AA0DB56B52205FD3E878D11F94
TrID	47.5% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8) 18.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.4% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4) 6.0% (.EXE) Win64 Executable (generic) (10523/12/4) 3.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Reporter	OSimao
Tags:	exe ModiLoader

Intelligence

File Origin

# of uploads :

# of downloads :

217

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Fareit

Link:

https://www.capesandbox.com/analysis/306500/

Detection(s):

Win.Trojan.PonyStealer-9831667-0

Win.Malware.Razy-6979130-0

Win.Trojan.Razy-6804127-0

Win.Trojan.Fareit-403

Win.Malware.Razy-6911141-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

Unauthorized injection to a recently created process

Launching a process

Searching for synchronization primitives

Creating a file in the Windows directory

Creating a process with a hidden window

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

83%

Tags:

anti-vm fareit graybird greyware overlay packed pony razy shell32.dll zusy

Link:

https://www.filescan.io/uploads/630ec5be3e9e50b1baeeab58/reports/fba574b8-63ce-4550-884a-ad24bfe6db90/overview

Result

Verdict:

MALICIOUS

Result

Threat name:

Pony

Detection:

malicious

Classification:

troj.adwa.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1061103

Behaviour

Behavior Graph:

n/a

Detection:

pony

Link:

https://mwdb.cert.pl/sample/1590db94bd0396fb08a5fc451c24832e0b68db3c97f9c43ecb0f1c620cf325e9/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2018-11-06 09:32:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

40 of 42 (95.24%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cwinxff5aolpwcff7rcryjedfyfwrwz4s744ipwlb4ogedhtexuq._file

Result

Malware family:

pony

Score:

10/10

Tags:

family:pony evasion persistence rat spyware stealer

Link:

https://tria.ge/reports/220831-ctkw8sfecl/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Windows directory

Suspicious use of SetThreadContext

Adds Run key to start application

Drops startup file

Loads dropped DLL

Executes dropped EXE

Modifies Installed Components in the registry

Modifies WinLogon for persistence

Modifies visiblity of hidden/system files in Explorer

Pony,Fareit

Malware Config

C2 Extraction:

http://don.service-master.eu/gate.php

Unpacked files

SH256 hash:

1590db94bd0396fb08a5fc451c24832e0b68db3c97f9c43ecb0f1c620cf325e9

MD5 hash:

05bfc1273b6391648dba170ef904abdb

SHA1 hash:

b92e368d2441a50084b9c21146edf969f5336295

Detections:

win_pony_g0

Link:

https://www.unpac.me/results/48a4d187-3135-4987-9a8d-c7ad95172413/

Malware family:

Pony

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1590db94bd03/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Graybird

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1590db94bd0396fb08a5fc451c24832e0b68db3c97f9c43ecb0f1c620cf325e9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Fareit Create hunting rule
Author:	kevoreilly
Description:	Fareit Payload

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	troj_win_vbkryjetor Create hunting rule
Author:	Jeff White (karttoon@gmail.com) @noottrak
Description:	Detects VBKryjetor trojan.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/306500/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample