MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21b054a3b319b950887eff329ebb237a5d442e6742e94d66d2ff17cd85f8d930. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 21b054a3b319b950887eff329ebb237a5d442e6742e94d66d2ff17cd85f8d930
SHA3-384 hash: 8c3b77a9c9fc10007043de214c2739c49fa3e0cf1e22fcc161ad9d8251fc901d5d12b77e90b51feb0287e6b7d5dc1bea
SHA1 hash: 4e72608c340c7b18f4ff359552da57c9dee29e99
MD5 hash: 5d3d23738b2b4bb1f7fe3371ea7ecc76
humanhash: charlie-five-spaghetti-india
File name:USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'346'928 bytes
First seen:2020-11-20 06:48:28 UTC
Last seen:2020-11-27 09:52:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9f8c170f32c73b28f480a91184443651 (1 x ModiLoader)
ssdeep 24576:aVggyMBuni3KmeVXHY7hiBrGNLYragKkTZxUScffBxsqPerMmzZC3N4Sr5RPEwdO:a5uWVLYLnURxsqPerMmzZC3N4Sr5RPEO
Threatray 687 similar samples on MalwareBazaar
TLSH A455AF53F6428C3BC2230A3CBD5B976465257E163E2C85167BF94E4C4B2A2823CDF997
Reporter cocaman
Tags:exe HSBC ModiLoader

Code Signing Certificate

Organisation:Microsoft Code Signing PCA
Issuer:Microsoft Root Authority
Algorithm:sha1WithRSA
Valid from:Aug 22 22:31:02 2007 GMT
Valid to:Aug 25 07:00:00 2012 GMT
Serial number: 2EAB11DC50FF5C9DCBC0
Intelligence: 22 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: DBD5BD417B78886EDC1574F5E872F3E1C0B07522B6881B95B6DD872AEDBEB30D
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
28
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/544037
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 321120 Sample: USD55,260.84_PAYMENT_ADVICE... Startdate: 20/11/2020 Architecture: WINDOWS Score: 100 45 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->45 47 Found malware configuration 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 2 other signatures 2->51 6 USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE 1 16 2->6         started        11 Owdpdrv.exe 14 2->11         started        13 Owdpdrv.exe 14 2->13         started        process3 dnsIp4 23 cdn.discordapp.com 162.159.135.233, 443, 49734, 49747 CLOUDFLARENETUS United States 6->23 25 discord.com 162.159.138.232, 443, 49733, 49746 CLOUDFLARENETUS United States 6->25 21 C:\Users\user\AppData\Local\...\Owdpdrv.exe, PE32 6->21 dropped 53 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->53 55 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 6->55 57 Injects a PE file into a foreign processes 6->57 15 USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE 2 6->15         started        27 192.168.2.1 unknown unknown 11->27 59 Multi AV Scanner detection for dropped file 11->59 61 Detected unpacking (changes PE section rights) 11->61 63 Detected unpacking (overwrites its own PE header) 11->63 19 Owdpdrv.exe 2 11->19         started        29 162.159.133.233, 443, 49749 CLOUDFLARENETUS United States 13->29 31 162.159.136.232, 443, 49748 CLOUDFLARENETUS United States 13->31 file5 signatures6 process7 dnsIp8 33 suncurepelletmill.com 192.186.237.168, 49769, 587 AS-26496-GO-DADDY-COM-LLCUS United States 15->33 35 mail.suncurepelletmill.com 15->35 37 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->37 39 Tries to steal Mail credentials (via file access) 15->39 41 Tries to harvest and steal ftp login credentials 15->41 43 Tries to harvest and steal browser information (history, passwords, etc) 15->43 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/21b054a3b319b950887eff329ebb237a5d442e6742e94d66d2ff17cd85f8d930/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2020-11-20 06:49:20 UTC
File Type:
PE (Exe)
Extracted files:
51
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=egyfji5tdg4vbcd674zj5ozdpjouilthiluu2zws74l43bpy3eya._file
Verdict:
malicious
Similar samples:
1b13660c52adcccc1cef45f137a3373f5615500a609c61a9872e5ed4336e629a
ModiLoader
23f63135c2789e7ef408e0184508a7340f673860f0fefc09dd705276d82d7787
ModiLoader
29cf2f87bd9503ddd65e08e9aab1e80bfef318873e649ca0db4e6b079f31b9a4
ModiLoader
38e3cba90f87ed237322570ee1c681b99ead6bab00864005a93b713a6fe4574f
ModiLoader
3a5943219f8400531a411b909b666337ba4f232d19e003a0128e0d699106f04f
ModiLoader
49cd5a74bbebb0bb147f1bfb1e0ec7e42de79cd137eff2b62386cb3ac5229dab
ModiLoader
4ae6b816ae796954dd22a01dacb47e9e76bd3facc4f20f7f8fb76e18fd20b27b
ModiLoader
6b85fd7249ceaf4a88f71ad1becb27b9c9a17b1c1bd2cb75f25cdc7b1318785a
ModiLoader
a51241f19d9e2f370c5fca701fb761a5faef8d2f0a16de8ddad6a1936020cdd3
ModiLoader
fcb0efa3aa2fadbf33aa05b84a71129308f89fc0a2faa9cdf561b941aa321e87
ModiLoader
+ 677 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:modiloader keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201120-6bhedfa982/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Reads data files stored by FTP clients
AgentTesla
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
21b054a3b319b950887eff329ebb237a5d442e6742e94d66d2ff17cd85f8d930
MD5 hash:
5d3d23738b2b4bb1f7fe3371ea7ecc76
SHA1 hash:
4e72608c340c7b18f4ff359552da57c9dee29e99
Link:
https://www.unpac.me/results/bef8342b-1de4-4951-9394-ad89fac84a56/
SH256 hash:
64b30fb1cb2f39e06418682feefc4761eb503218bbcb9adfa10d8cbd41c47167
MD5 hash:
a7628fac7aeaee7606421f2614eb695b
SHA1 hash:
f50ed7c32fa5ca75c3c447fce2ce1da22677021c
Link:
https://www.unpac.me/results/bef8342b-1de4-4951-9394-ad89fac84a56/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

iso 3a38ca6a619c6befb1d262caa56c00206d765af4cdfcf107f69bae3ebd0ab32e

ModiLoader

Executable exe 21b054a3b319b950887eff329ebb237a5d442e6742e94d66d2ff17cd85f8d930

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 3a38ca6a619c6befb1d262caa56c00206d765af4cdfcf107f69bae3ebd0ab32e

Comments