MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f04efba216a70f67f7d86cb3cfdccb282adcf9bfa3b5fb01168befcf584639c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1f04efba216a70f67f7d86cb3cfdccb282adcf9bfa3b5fb01168befcf584639c
SHA3-384 hash: 12b59505d9e675e76271b130c8ec69e48c7e15603663a38adbc23cdaee0ec6e4aba53b65b312cda55c563c474f172c48
SHA1 hash: 3780eb01e40f818186bb1c090ab47ffc5824be1c
MD5 hash: 14656f7a0cee96bc0dd879110154a770
humanhash: march-virginia-golf-quebec
File name:eInvoicing_pdf.bat
Download: download sample
Signature ModiLoader
Create hunting rule
File size:574'466 bytes
First seen:2020-10-06 06:49:03 UTC
Last seen:2020-10-06 08:12:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 670abb2f355225fa8d6e481bc6bb7364 (7 x ModiLoader, 1 x Loki)
ssdeep 12288:iP2oEhUMrM7FX/SdjY3ZrL26nnkKVJxwkI+m:iuzUMrYXaBKXrkKVUkIL
Threatray 277 similar samples on MalwareBazaar
TLSH 96C47D22B2925437C13216789C6FA3DD7E26BF503D786D461BF82C0D5F39782B92A193
Reporter abuse_ch
Tags:bat ModiLoader TNT


Avatar
abuse_ch
Malspam distributing ModiLoader:

HELO: awef0.303.cicmo.ml
Sending IP: 159.89.9.44
From: "eInvoicing" <tntsupport.admin@tnt.com>
Subject: TNT Express Invoice: 2297456 - Account: 000011333
Attachment: eInvoicing_pdf.xz (contains "eInvoicing_pdf.bat")

Intelligence

File Origin
# of uploads :
3
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/68494/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Reading critical registry keys
Changing a file
Replacing files
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Enabling the 'hidden' option for recently created files
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Connection attempt to an infection source
Unauthorized injection to a system process
Sending an HTTP POST request to an infection source
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/482492
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 293703 Sample: eInvoicing_pdf.bat Startdate: 06/10/2020 Architecture: WINDOWS Score: 84 30 Multi AV Scanner detection for submitted file 2->30 32 Yara detected Lokibot 2->32 34 Machine Learning detection for sample 2->34 36 2 other signatures 2->36 8 eInvoicing_pdf.exe 13 2->8         started        process3 dnsIp4 24 googlehosted.l.googleusercontent.com 216.58.215.225, 443, 49720 GOOGLEUS United States 8->24 26 discord.com 162.159.135.232, 443, 49717, 49718 CLOUDFLARENETUS United States 8->26 28 doc-14-9o-docs.googleusercontent.com 8->28 38 Writes to foreign memory regions 8->38 40 Allocates memory in foreign processes 8->40 42 Creates a thread in another existing process (thread injection) 8->42 44 Injects a PE file into a foreign processes 8->44 12 notepad.exe 4 8->12         started        14 ieinstal.exe 8->14         started        signatures5 process6 process7 16 cmd.exe 1 12->16         started        18 cmd.exe 1 12->18         started        process8 20 conhost.exe 16->20         started        22 conhost.exe 18->22         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1f04efba216a70f67f7d86cb3cfdccb282adcf9bfa3b5fb01168befcf584639c/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2020-10-06 06:49:50 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=d4co7orbnjypm735q3ftz7omwkbk3t437i5v7marnc7pz5memooa._file
Verdict:
suspicious
Similar samples:
15a5acf7f504d480ae0925b9f4f9e18b7a75f371d3afd1d1bc59ed30abaca08b
ModiLoader
2ba4b779356c3bf7167aea0f9b11ddf5044a6d4e654a14341b696f5152e3b3f7
ModiLoader
2dc919f5d220f45c43cf0de4399d30313ff6566b79e4f367e279a0bb71429b84
ModiLoader
3757d0cdf86233d9ca139d414dd7b1cb19ae824514490f747fcc931cf9ed750d
ModiLoader
483c603c9fb09c2e908d782f7e6f3f04e6e26b7eaaf8ac637733a4e4a32c80e7
ModiLoader
4b183077cbfa209aab597f0cfe66178add15a0d590ba3abdf170ae708617bfef
ModiLoader
5e2ff37b8f894bb49e33a7dbfa804ea5561cb8acc7cbf95ed4b56d230b8cd148
ModiLoader
a07250cca55cec7ac1519d47af79edb65d306aa077fb2fa5b41eab48c33fb091
ModiLoader
b553eccde98f7d193d5518a765c8a22eb65dd5f29026c96045892c47525536de
ModiLoader
deeeb57609c406b43e7e77a38726a357ab063d110c06e4f1c56eb491c20659ce
ModiLoader
+ 267 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
spyware trojan stealer family:lokibot family:modiloader
Link:
https://tria.ge/reports/201006-n84eaxjrsn/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry key
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Reads user/profile data of web browsers
ModiLoader Second Stage
Lokibot
ModiLoader, DBatLoader
Malware Config
C2 Extraction:
http://195.69.140.147/.op/cr.php/n6RgdJQ4XDaGY
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
1f04efba216a70f67f7d86cb3cfdccb282adcf9bfa3b5fb01168befcf584639c
MD5 hash:
14656f7a0cee96bc0dd879110154a770
SHA1 hash:
3780eb01e40f818186bb1c090ab47ffc5824be1c
Detections:
win_dbatloader_auto
Create hunting rule
Link:
https://www.unpac.me/results/b6d761e1-db6a-4722-ae13-a5499548f2da/
SH256 hash:
9a55e66d47fbebac41860c406e51a01d2862067af77a8db964a256c8c27552a5
MD5 hash:
530287fe888921af73cc916cfabfa30b
SHA1 hash:
2c0b65510dcf95578f7874403bfb8f19f67e6a46
Detections:
win_dbatloader_g0
Create hunting rule
Link:
https://www.unpac.me/results/b6d761e1-db6a-4722-ae13-a5499548f2da/
SH256 hash:
8e99b369fb5f2d798ea3ce0fce8bd98b8a9013a65549969b42ab0dbca4bc1573
MD5 hash:
0052d69aa01b20dc53f505eecc682a52
SHA1 hash:
54f093631f0c8230e47611d171da185645d150b6
Link:
https://www.unpac.me/results/b6d761e1-db6a-4722-ae13-a5499548f2da/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1f04efba216a70f67f7d86cb3cfdccb282adcf9bfa3b5fb01168befcf584639c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_dbatloader_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

xz 475888c98cc9fe79613544ff3fda700982c9114486e6871364244273a754b733

ModiLoader

Executable exe 1f04efba216a70f67f7d86cb3cfdccb282adcf9bfa3b5fb01168befcf584639c

(this sample)

  
Dropped by
MD5 939552269130cc9da1e5a9ca48c95163
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/68494/
  
Dropped by
SHA256 475888c98cc9fe79613544ff3fda700982c9114486e6871364244273a754b733

Comments