MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19a73389eedc939c7060dda1dba9861db19f238a9da6e127d9674f72519478ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ModiLoader
Vendor detections: 6



SHA256 hash: 19a73389eedc939c7060dda1dba9861db19f238a9da6e127d9674f72519478ef
SHA3-384 hash: 0968b8de805bb4c990c94e1a6f58e62323c0c0013bd775f76ec80054805894dc562cfcd34ff93c237e510ac118c2b81f
SHA1 hash: 54d8b708a7a1d638868de5b2495d022c58473b94
MD5 hash: 783df5d35ac43ec787df3b0448f46e38
humanhash: echo-maryland-lion-speaker
File name: PI209174.exe
Signature: ModiLoader
File size: 1'037'216 bytes
First seen: 2020-10-22 07:08:11 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b370bd9acb33b65a37dff94bd60f0a01 (10 x ModiLoader, 2 x AveMariaRAT, 2 x Loki)
ssdeep: 12288:pfbnamhHbXW763V8d8OAqUo3priVlP3lVJN2wNkmRPxkcIhlNweV+8YZqckawUNs:pf75m8OWo0l/iOk4PHIhlluYyPju
Threatray: 415 similar samples on MalwareBazaar
TLSH: FA258E12B7908436C1761A3DCE9FA7AC5D25FE402E24688B3BFD3D8D6F752812439297
Reporter: abuse_ch
Tags: exe ModiLoader


abuse_ch
Malspam distributing ModiLoader:

HELO: rdns0.hyterm.xyz
Sending IP: 134.209.44.46
From: AL MIRAGE LLC. (RAK)<office@teleaurd.xyz>
Reply-To: <medpartstopcon.sg@gmail.com>
Subject: RE: RE: RE: PAYMENT
Attachment: Swift Copy.7z (contains "PI209174.exe")

Intelligence


File Origin
# of uploads: 1
# of downloads: 72
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Unauthorized injection to a recently created process
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.adwa.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph: Behavior Graph ID 302555, Sample: PI209174.exe, Startdate: 22/10/2020, Architecture: WINDOWS, Score: 100
Threat name: Win32.Trojan.Jacard
Status: Malicious
First seen: 2020-10-22 05:47:13 UTC
AV detection: 10 of 48 (20.83%)
Threat level: 5/5
Result
Malware family: modiloader
Score: 10/10
Tags: trojan family:modiloader
Behaviour
Modifies system certificate store
Suspicious use of WriteProcessMemory
ModiLoader First Stage
ModiLoader Second Stage
ModiLoader, DBatLoader
Unpacked files
SHA256 hash: 19a73389eedc939c7060dda1dba9861db19f238a9da6e127d9674f72519478ef
MD5 hash: 783df5d35ac43ec787df3b0448f46e38
SHA1 hash: 54d8b708a7a1d638868de5b2495d022c58473b94
SHA256 hash: 163d82e5e6b84296c3d9f260d8b41cfdd74f520c1235788283a86e6b6584a751
MD5 hash: 7e2c44b61fccd7092df38cc22d04fa81
SHA1 hash: f4dc75d758540ae19068e46b0ec412f14f742c8c
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Choice_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

Executable exe 19a73389eedc939c7060dda1dba9861db19f238a9da6e127d9674f72519478ef (this sample)

Delivery method: Distributed via e-mail attachment

Comments