MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27f3b6f252114d1840bd8ff88af2fec03645bd1b84258660b1cb4d1f8b130161. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 27f3b6f252114d1840bd8ff88af2fec03645bd1b84258660b1cb4d1f8b130161
SHA3-384 hash: b5ab388d81a941381aaa0759473f898a0b6235721fb9329280560d77bd6ad6f23ac2158bfdf3ca15d4946e1c82ad5c74
SHA1 hash: dce56cb9dae0caef4a660aadfcc5d66348941a96
MD5 hash: 558eca40a2116c7742ab6a228e243186
humanhash: massachusetts-social-montana-spaghetti
File name:Nparuqz_Signed_.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:636'568 bytes
First seen:2020-10-12 07:30:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5f8ce99d6ad75c2b34e5fbb6b24c4395 (15 x ModiLoader, 4 x Loki, 2 x AZORult)
ssdeep 12288:sOZlAvXBW34aSHxF5en1PwGP0eAMNzVn2Vd13Sde/T:dlUM4aSHTUn1PQeLNzV2H11/T
Threatray 1'700 similar samples on MalwareBazaar
TLSH 4BD4AFF3F2F14433C16726795C1B97BD682ABE132D28AC462AF51D4C6F39681782B193
Reporter abuse_ch
Tags:exe ModiLoader


Avatar
abuse_ch
Malspam distributing ModiLoader:

HELO: smtp.super.net.pk
Sending IP: 203.130.2.7
From: "Linda Silva"<yangzhenyu2016@126.com>
Reply-To: <yangzhenyu2016@126.com>
Subject: Re: Order Confirmation!
Attachment: Nparuqz_Signed_.rar (contains "Nparuqz_Signed_.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69982/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Reading critical registry keys
Changing a file
Replacing files
Connection attempt
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Enabling the 'hidden' option for recently created files
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Unauthorized injection to a system process
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/488099
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Sigma detected: Fodhelper UAC Bypass
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 296506 Sample: Nparuqz_Signed_.exe Startdate: 12/10/2020 Architecture: WINDOWS Score: 64 33 Sigma detected: Fodhelper UAC Bypass 2->33 8 Nparuqz_Signed_.exe 13 2->8         started        process3 dnsIp4 29 cdn.discordapp.com 162.159.129.233, 443, 49740 CLOUDFLARENETUS United States 8->29 31 discord.com 162.159.137.232, 443, 49738, 49739 CLOUDFLARENETUS United States 8->31 35 Writes to foreign memory regions 8->35 37 Allocates memory in foreign processes 8->37 39 Creates a thread in another existing process (thread injection) 8->39 41 Injects a PE file into a foreign processes 8->41 12 notepad.exe 4 8->12         started        15 ieinstal.exe 8->15         started        signatures5 process6 file7 27 C:\Users\Public27atso.bat, ASCII 12->27 dropped 17 cmd.exe 1 12->17         started        19 cmd.exe 1 12->19         started        process8 process9 21 conhost.exe 17->21         started        23 reg.exe 1 1 17->23         started        25 conhost.exe 19->25         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/27f3b6f252114d1840bd8ff88af2fec03645bd1b84258660b1cb4d1f8b130161/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2020-10-12 07:32:09 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=e7z3n4sscfgrqqf5r74iv4x6ya3elpi3qqsymyfrzngr7cytafqq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
09e967e35d3f03784901577e89322f008ed33c6b26453256d5b2492cab996c8d
ModiLoader
199528b69b42d1af70f525973be5e53bcd16c19b39a117cfaa27ba1a515723f8
ModiLoader
3d611ca54f64546327d9bc6993662d5058a7f07fa8e16b81fc7ee6ff60d952f2
ModiLoader
53edc68ef8a890aac3c8f6fe8c72e1a8cf5057c600a3f85d12b99b59b05e47be
ModiLoader
814b0968761c0dbd4a43208cd82d150aa6608538abb845561257687ed9cd0524
ModiLoader
8867e72aaf3985ed148d3049c628d73ba0024e3129e466c17bd6a665be9e84f0
ModiLoader
89aa89c61fae1a3590e3e0e60bac9191774881f0cc931a4609151067520bb293
ModiLoader
96ff361eeb8ab440652d1cbb8b28146f8dd9ee8cf9885f84ff4592b2551da57f
ModiLoader
a702e991a5cf37a366df45fe22e62035795de3d38a36b87c17403c4283abf369
ModiLoader
f94e8615fb3b739ab3ad8ec81511b5439a72d4e865a5f9975aa524ac6036d3c2
ModiLoader
+ 1'690 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
spyware trojan stealer family:lokibot family:modiloader
Link:
https://tria.ge/reports/201012-f78x7f6ccn/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
ModiLoader First Stage
Lokibot
ModiLoader, DBatLoader
Malware Config
C2 Extraction:
http://marshs.info/sun/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
27f3b6f252114d1840bd8ff88af2fec03645bd1b84258660b1cb4d1f8b130161
MD5 hash:
558eca40a2116c7742ab6a228e243186
SHA1 hash:
dce56cb9dae0caef4a660aadfcc5d66348941a96
Link:
https://www.unpac.me/results/0d6315dc-abea-4058-a076-74a348b170aa/
SH256 hash:
daa3d9da269f74a3c5c079389d2ae4341c8ae53b243df4af180b61e74ed46a0a
MD5 hash:
643c946e91717ef3497c7a0b018a3165
SHA1 hash:
8b2bd8bab88ee8e4b86003124463050b90f8033e
Detections:
win_dbatloader_auto
Create hunting rule
Link:
https://www.unpac.me/results/0d6315dc-abea-4058-a076-74a348b170aa/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/27f3b6f252114d1840bd8ff88af2fec03645bd1b84258660b1cb4d1f8b130161

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_dbatloader_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

979d9cee39933c4d846d74fb26d8b34d

ModiLoader

Executable exe 27f3b6f252114d1840bd8ff88af2fec03645bd1b84258660b1cb4d1f8b130161

(this sample)

  
Dropped by
MD5 979d9cee39933c4d846d74fb26d8b34d
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69982/

Comments