MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 2caacde56329c3cb26c041d2535a5121d02fc195193f4046aabec42d61655d68. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
ModiLoader
Vendor detections: 7
| SHA256 hash: | 2caacde56329c3cb26c041d2535a5121d02fc195193f4046aabec42d61655d68 |
|---|---|
| SHA3-384 hash: | 50ec103f42ed7f6ce5e473d58b3bed3bc8d9167477d334f93fa2920a4c79ec38ca8927e00e66751d306d46101e1b227b |
| SHA1 hash: | e54df92418e386aa897e90ef7c635522de974ac5 |
| MD5 hash: | a65bb98a725359c25ea677337e7bc782 |
| humanhash: | vermont-aspen-minnesota-social |
| File name: | Setup.exe |
| Signature: | ModiLoader |
| File size: | 1'268'880 bytes |
| First seen: | 2020-11-21 20:51:52 UTC |
| Last seen: | Never |
| File type: | |
| MIME type: | application/x-dosexec |
| imphash: | f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'652 x Formbook, 12'246 x SnakeKeylogger) |
| ssdeep: | 24576:CQnX26d6bvGBy0fAx2xWmAE096Tl6Vz3OXqD/ePSTRluF0IfiZ:xTB3fWH9gsl3cqD/OkuFRo |
| Threatray: | 37 similar samples on MalwareBazaar |
| TLSH: | A14512A4753CC686E99C1573C89B841347F0BE92DCFBB61F39D973BA24B134228069D9 |
| Reporter: | |
| Tags: | ModiLoader signed Traves Dreams |
Code Signing Certificate
| Organisation: | Traves Dreams |
|---|---|
| Issuer: | Traves Dreams |
| Algorithm: | sha1WithRSAEncryption |
| Valid from: | Nov 20 17:34:15 2020 GMT |
| Valid to: | Nov 21 17:34:15 2030 GMT |
| Serial number: | 770CF60313DAE19B4C466D02C12D7770 |
| Intelligence: | 2 malware samples on MalwareBazaar are signed with this code signing certificate |
| Thumbprint Algorithm: | SHA256 |
| Thumbprint: | B62B1F927AB01E352915339B8C44964C9F29B23D4C1C88E7FD3D026D6F130C2A |
| Source: | This information was brought to you by ReversingLabs A1000 Malware Analysis Platform |
Intelligence
File Origin
# of uploads: 1
# of downloads: 304
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour:
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Reading critical registry keys
Sending a TCP request to an infection source
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: troj.spyw.evad
Score: 92 / 100
Signature:
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Connects to many ports of the same IP (likely port scanning)
Contains functionality to access PhysicalDrive, possible boot sector overwrite
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2020-11-21 20:47:12 UTC
File Type: PE (.Net Exe)
Extracted files: 31
AV detection: 22 of 29 (75.86%)
Threat level: 5/5
Verdict: malicious
Similar samples: 27 additional samples on MalwareBazaar
Result
Malware family: modiloader
Score: 10/10
Tags: family:modiloader bootkit persistence spyware trojan
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Writes to the Master Boot Record (MBR)
Reads user/profile data of web browsers
ModiLoader First Stage
ModiLoader, DBatLoader
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name: Trojan
Score: 1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.