MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 29cf2f87bd9503ddd65e08e9aab1e80bfef318873e649ca0db4e6b079f31b9a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 29cf2f87bd9503ddd65e08e9aab1e80bfef318873e649ca0db4e6b079f31b9a4
SHA3-384 hash: 11552983e674bdee8325dcea28ed452003e5cd19bc29a63cf9f6dc423a6a8254f8abc7fe117b9a5b6afb9619fa401a69
SHA1 hash: 5a2bef0eda7ab265654f6f4e1436e0cefb43cf27
MD5 hash: 1a3083bec91bf309688e15373f9e62e0
humanhash: red-monkey-white-florida
File name:PO#0007507_009389283882873PDF.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'027'952 bytes
First seen:2020-11-19 07:05:32 UTC
Last seen:2020-11-27 10:00:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 48a7221e817f731b84247a93962a71f2 (1 x ModiLoader)
ssdeep 24576:Me6zEOgbfWqUragK5TZxUScffBxsqPerMmzZC3N4Sr5RPEwdCkEC3NKbemaF8ONT:Me6IfW32nURxsqPerMmzZC3N4Sr5RPEO
Threatray 696 similar samples on MalwareBazaar
TLSH 2625AF12B7A28C77D1DB063DAF4B93741426BE72296C55072FE82E4D0A382412FDED97
Reporter abuse_ch
Tags:exe ModiLoader

Code Signing Certificate

Organisation:Microsoft Code Signing PCA
Issuer:Microsoft Root Authority
Algorithm:sha1WithRSA
Valid from:Aug 22 22:31:02 2007 GMT
Valid to:Aug 25 07:00:00 2012 GMT
Serial number: 2EAB11DC50FF5C9DCBC0
Intelligence: 22 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: DBD5BD417B78886EDC1574F5E872F3E1C0B07522B6881B95B6DD872AEDBEB30D
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
Malspam distributing ModiLoader:

HELO: smtp4
Sending IP: 52.252.101.133
From: MAMS TRADING LLC - AA Turki Group <treybd@gmail.com>
Subject: Trade Inquiry from Saudi Arabia
Attachment: PO0007507_009389283882873PDF.iso (contains "PO#0007507_009389283882873PDF.exe")

Intelligence

File Origin
# of uploads :
31
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Launching the default Windows debugger (dwwin.exe)
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/542341
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 320265 Sample: PO#0007507_009389283882873PDF.exe Startdate: 19/11/2020 Architecture: WINDOWS Score: 100 45 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->45 47 Found malware configuration 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 2 other signatures 2->51 6 PO#0007507_009389283882873PDF.exe 1 16 2->6         started        11 Vfesdrv.exe 14 2->11         started        13 Vfesdrv.exe 14 2->13         started        process3 dnsIp4 23 discord.com 162.159.135.232, 443, 49704 CLOUDFLARENETUS United States 6->23 25 cdn.discordapp.com 162.159.135.233, 443, 49705 CLOUDFLARENETUS United States 6->25 21 C:\Users\user\AppData\Local\...\Vfesdrv.exe, PE32 6->21 dropped 53 Detected unpacking (changes PE section rights) 6->53 55 Detected unpacking (overwrites its own PE header) 6->55 57 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->57 59 Contains functionality to detect sleep reduction / modifications 6->59 15 PO#0007507_009389283882873PDF.exe 2 6->15         started        27 162.159.134.233, 443, 49728, 49730 CLOUDFLARENETUS United States 11->27 29 162.159.137.232, 443, 49727 CLOUDFLARENETUS United States 11->29 61 Multi AV Scanner detection for dropped file 11->61 63 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 11->63 65 Injects a PE file into a foreign processes 11->65 19 Vfesdrv.exe 2 11->19         started        31 162.159.136.232, 443, 49729 CLOUDFLARENETUS United States 13->31 file5 signatures6 process7 dnsIp8 33 suncurepelletmill.com 192.186.237.168, 49757, 587 AS-26496-GO-DADDY-COM-LLCUS United States 15->33 35 mail.suncurepelletmill.com 15->35 37 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->37 39 Tries to steal Mail credentials (via file access) 15->39 41 Tries to harvest and steal ftp login credentials 15->41 43 Tries to harvest and steal browser information (history, passwords, etc) 15->43 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/29cf2f87bd9503ddd65e08e9aab1e80bfef318873e649ca0db4e6b079f31b9a4/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-11-19 06:45:25 UTC
File Type:
PE (Exe)
Extracted files:
53
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fhhs7b55sub53vs6bdu2vmpibp7pggehhzsjzig3jzvqphzrxgsa._file
Verdict:
malicious
Similar samples:
19a73389eedc939c7060dda1dba9861db19f238a9da6e127d9674f72519478ef
ModiLoader
1b13660c52adcccc1cef45f137a3373f5615500a609c61a9872e5ed4336e629a
ModiLoader
1e2773c36054c3392f3e220d4c22cce63f31750c2ee6707198e4d15648f11897
ModiLoader
38e3cba90f87ed237322570ee1c681b99ead6bab00864005a93b713a6fe4574f
ModiLoader
49cd5a74bbebb0bb147f1bfb1e0ec7e42de79cd137eff2b62386cb3ac5229dab
ModiLoader
4ae6b816ae796954dd22a01dacb47e9e76bd3facc4f20f7f8fb76e18fd20b27b
ModiLoader
a51241f19d9e2f370c5fca701fb761a5faef8d2f0a16de8ddad6a1936020cdd3
ModiLoader
b44ef524ef77ea1ee0bcb7096b328f6f94a4621df0d15114e8ff43e83483bbc6
ModiLoader
e14db11b2e852dcb17a2a9315aad77e48ef906ae85042a3edf667611898dc77c
ModiLoader
fcb0efa3aa2fadbf33aa05b84a71129308f89fc0a2faa9cdf561b941aa321e87
ModiLoader
+ 686 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:modiloader keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201119-74mnaehtk2/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
ModiLoader First Stage
AgentTesla
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
29cf2f87bd9503ddd65e08e9aab1e80bfef318873e649ca0db4e6b079f31b9a4
MD5 hash:
1a3083bec91bf309688e15373f9e62e0
SHA1 hash:
5a2bef0eda7ab265654f6f4e1436e0cefb43cf27
Link:
https://www.unpac.me/results/2dc0990d-b810-4494-83fd-ba8cea303b9f/
SH256 hash:
f2c4cea13115d520e1699b88ef19fb9417455c7648baa4dbdd4301a7848e0456
MD5 hash:
28815c180be772c6ef01c44983023016
SHA1 hash:
b4a9c55f65aa9e05446e10f346478682d195a54b
Link:
https://www.unpac.me/results/2dc0990d-b810-4494-83fd-ba8cea303b9f/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

iso 7ce7b76587ef2eeeeb1903f19017d0140597a65b0a020524b5caf930acd4978e

ModiLoader

Executable exe 29cf2f87bd9503ddd65e08e9aab1e80bfef318873e649ca0db4e6b079f31b9a4

(this sample)

  
Dropped by
MD5 6e51f7f7264da47777eb035512ab1b55
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 7ce7b76587ef2eeeeb1903f19017d0140597a65b0a020524b5caf930acd4978e

Comments