MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28920de5f1a16d20eb01e17bee84c2144eefa938bf0653e4165e3ff18b9244cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ModiLoader

Vendor detections: 8

SHA256 hash: 28920de5f1a16d20eb01e17bee84c2144eefa938bf0653e4165e3ff18b9244cc
SHA3-384 hash: dcc90abeeb2cd8f0d0aff0e3724ceceb5f191c98da485d84942881619cabf8e05135dc94452b1263f91b9b9a840cc38c
SHA1 hash: d70d61353e3ce850e6891623336ebdab931d5530
MD5 hash: 69b17d0f9389404a1228d310198b33e9
humanhash: freddie-social-emma-blossom
File name: 69b17d0f9389404a1228d310198b33e9
Signature: ModiLoader
File size: 3'067'920 bytes
First seen: 2022-07-04 14:53:09 UTC
Last seen: 2022-07-15 02:54:13 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: e0b1765e8b4f2995720881c16710f99b (1 x ModiLoader)
ssdeep: 49152:ovU78mdvDXIV/nF2qR00PEqYuJu6odnepi4qGFbsel9ziUVbjikSN2i:oCvd7Yx3ECJ/odnEi4hbX9zimU7
Threatray: 12'857 similar samples on MalwareBazaar
TLSH: T18AE52271A5A00033C1F669768C4F896D242FBE202D68AD42BADA7F8D7F3F610791D197
TrID:
  29.1% (.EXE) Win64 Executable (generic) (10523/12/4)
  27.6% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
  12.4% (.EXE) Win32 Executable (generic) (4505/5/1)
  8.3% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
  5.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
dhash icon: cecacac8c8ead8b8 (1 x ModiLoader)
Reporter: zbetcheckin
Tags: 32 exe ModiLoader

Intelligence

File Origin
# of uploads: 3
# of downloads: 267
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware

Behaviour
Searching for analyzing tools
Searching for the window
Creating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Unauthorized injection to a recently created process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed virus wacatac
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: spyw.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
Detected unpacking (creates a PE file in dynamic memory)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction (VM detection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph: Behavior Graph ID 656764, sample NmMtwsUK5u, start date 04/07/2022, architecture WINDOWS, score 100 (rendered process, network and dropped-file graph not reproduced here)
Threat name: Win32.Trojan.Delf
Status: Malicious
First seen: 2022-07-04 11:38:27 UTC
File Type: PE (Exe)
Extracted files: 41
AV detection: 20 of 26 (76.92%)
Threat level: 5/5
Result
Malware family: modiloader
Score: 10/10
Tags: family:modiloader evasion themida trojan
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
ModiLoader Second Stage
ModiLoader, DBatLoader
Unpacked files
SHA256 hash: 0b4b7d7628499c9d0c62562dc64f22baf5390cd32f71e0317c259511ae85b5b6
MD5 hash: d6e8fb9c9383709a7475144fbc74cb44
SHA1 hash: 3dc32f98eb13d725511b64924730132883ad3591

SHA256 hash: 3a8b330aa37ad8510d1827004fe8571d7a5de8365dad2dd6febffd95ce38f42d
MD5 hash: 4427518317d9efadb876bc54b7db525f
SHA1 hash: a4f482adbecdd11dc6c5a7bccc7946a78b780557

SHA256 hash: 28920de5f1a16d20eb01e17bee84c2144eefa938bf0653e4165e3ff18b9244cc
MD5 hash: 69b17d0f9389404a1228d310198b33e9
SHA1 hash: d70d61353e3ce850e6891623336ebdab931d5530
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: ModiLoader
Sample: Executable exe 28920de5f1a16d20eb01e17bee84c2144eefa938bf0653e4165e3ff18b9244cc (this sample)

Delivery method
Distributed via web download

Comments

zbet commented on 2022-07-04 14:53:14 UTC

url : hxxps://my.cloudme.com/v1/ws2/:portable2022/:Setup_49/Setup.exe