MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30ea297b7d70c7eba87d58039046582f18e94e5c811405959f21df9813309f12. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 30ea297b7d70c7eba87d58039046582f18e94e5c811405959f21df9813309f12
SHA3-384 hash: 863e685c0bba18f30d18e8ac6abaedbee3a5e008d5f7d87c764cd5c6b9dcab7feb80976c79e118bf99c12cd40fedfbc8
SHA1 hash: 7713a821d6483a8975da59c4edd3962bc263b852
MD5 hash: c42a4d6747fa487212769ed2a5d58fb5
humanhash: oven-dakota-undress-grey
File name:Setup.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'519'064 bytes
First seen:2020-12-01 07:21:47 UTC
Last seen:2020-12-01 08:58:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 346540d9c9d2b649489ed882b1804fd2 (1 x ModiLoader)
ssdeep 24576:Tmh06kfc4QazWW7BRagUCFNeRcTRH6n3J6jjyDiAMIyknjGyo:Kh7EjKsan8gmP4jGN
Threatray 309 similar samples on MalwareBazaar
TLSH FD656B22B1828837C0731B789D5FABA5693AFF103A24494777F05D4C5F3AB523D262A7
Reporter JAMESWT_WT
Tags:ModiLoader signed Smart Line Logistics

Code Signing Certificate

Organisation:DigiCert High Assurance EV Root CA
Issuer:DigiCert High Assurance EV Root CA
Algorithm:sha1WithRSAEncryption
Valid from:Nov 10 00:00:00 2006 GMT
Valid to:Nov 10 00:00:00 2031 GMT
Serial number: 02AC5C266A0B409B8F0B79F2AE462577
Intelligence: 204 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 7431E5F4C3C1CE4690774F0B61E05440883BA9A01ED00BA6ABD7806ED3B118CF
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
153
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/106171/
Detection(s):
PUA.Win.Packer.BorlandCpp-9
Create hunting rule

PUA.Win.Trojan.Generic-6629274-0
Create hunting rule

PUA.Win.Adware.Webalta-6862190-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/551845
Signature
Connects to many ports of the same IP (likely port scanning)
Contains functionality to access PhysicalDrive, possible boot sector overwrite
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Hijacks the control flow in another process
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/30ea297b7d70c7eba87d58039046582f18e94e5c811405959f21df9813309f12/
Threat name:
Win32.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-11-26 12:06:29 UTC
File Type:
PE (Exe)
Extracted files:
113
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gdvcs635odd6xkd5labzarsyf4mosts4qekalfm7ehpzqezqt4ja._file
Verdict:
malicious
Similar samples:
03097e2591496756b735b464c936a05829b9d4b4e484829cae974beed56c6257
ModiLoader
17a87ce9f1b198eb1dacc4dde36af67169515d41b322d6bcbaf1861f2d812d39
ModiLoader
22e14a00dc576e766179076be3199fc04c28fa52fb74f5ba0a9692fbd742a3c0
ModiLoader
2caacde56329c3cb26c041d2535a5121d02fc195193f4046aabec42d61655d68
ModiLoader
3b1dc7e0c9154fe384c695f8eec5622ab2ba88bf59d990def6b2c11d8519cecf
ModiLoader
44eb61ad9603cc802e8a59f356dadedf4be9dc315862a9bb2eddec1bcc9288a8
ModiLoader
b2f7094f521419809d946a68870b02bdd3a928c5a4d57ccdaea3b8f49bb96151
ModiLoader
b3220a05f0d1fbd5739d07701d1ba84373f9574f0904a464395fcf63246dd1ed
ModiLoader
b9a23ce0f2e5309363143d5a659731015c710a0b834060f8ad0194a06d48ee01
ModiLoader
e37fafdd25f747743179e4b4a444b6c30767c727f343a20b7b3f2d09eaf3d485
ModiLoader
+ 299 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader bootkit persistence trojan
Link:
https://tria.ge/reports/201201-2x8d3g3p8e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Writes to the Master Boot Record (MBR)
Blacklisted process makes network request
ModiLoader First Stage
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
30ea297b7d70c7eba87d58039046582f18e94e5c811405959f21df9813309f12
MD5 hash:
c42a4d6747fa487212769ed2a5d58fb5
SHA1 hash:
7713a821d6483a8975da59c4edd3962bc263b852
Link:
https://www.unpac.me/results/9f2735fb-cf77-4806-bfe3-25dd878c8a03/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Cryptor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/30ea297b7d70c7eba87d58039046582f18e94e5c811405959f21df9813309f12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ModiLoader

Executable exe 30ea297b7d70c7eba87d58039046582f18e94e5c811405959f21df9813309f12

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/106171/
  
URLhaus
https://urlhaus.abuse.ch/url/878713/
  
Delivery method
Distributed via web download

Comments