MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 344ca08fa2fdb87931ceb1e336019231bfba189458be0d3fa5016b5895d96cc6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 344ca08fa2fdb87931ceb1e336019231bfba189458be0d3fa5016b5895d96cc6
SHA3-384 hash: 6c3992070294988ee890bf71c9e36fe3ff294add242a1a53ee1646416706c7282e8eeebb5846fbbba437ef5ab1e80a33
SHA1 hash: f070047f9df99461c951f3973e3bf3e468a96a31
MD5 hash: 45e25807fc1bd31a0b8309c44afce6e4
humanhash: sixteen-echo-high-kilo
File name:lxpo.bin
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'218'752 bytes
First seen:2020-11-27 08:10:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 191f8035b5c11d5de8fd20cfdada0df2 (6 x ModiLoader)
ssdeep 24576:3RVtvQ+csIDccuZGhe1ppCmfwybRk8zQKtALblKCeNRbO+v:3R/ovVcOM1pJwYrzQ0t
Threatray 581 similar samples on MalwareBazaar
TLSH 9C45CF23B1B2843AC52175BEAE1B41ED6EB5FD717478710E37E06D0C8E3AA817D25193
Reporter JAMESWT_WT
Tags:ModiLoader

Code Signing Certificate

Organisation:Microsoft Time-Stamp Service
Issuer:Microsoft Time-Stamp PCA
Algorithm:sha1WithRSAEncryption
Valid from:Sep 7 17:58:55 2016 GMT
Valid to:Sep 7 17:58:55 2018 GMT
Serial number: 33000000CA7D32167C7EFD05030000000000CA
Intelligence: 6 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 375A80AE663EDF24E46C4F5F48863018C3E54EC04580E014F7A7B67B4A405A1D
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
130
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/105793/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending an HTTP GET request
Creating a file
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/549056
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 323633 Sample: lxpo.bin Startdate: 27/11/2020 Architecture: WINDOWS Score: 100 22 mail.a-t-mould.com 2->22 24 a-t-mould.com 2->24 26 3 other IPs or domains 2->26 36 Found malware configuration 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 Yara detected AgentTesla 2->40 42 2 other signatures 2->42 7 lxpo.exe 1 2 2->7         started        12 Hqfadrv.exe 2->12         started        14 Hqfadrv.exe 2->14         started        signatures3 process4 dnsIp5 28 fanosethiopiatours.com 50.87.153.103, 49706, 49719, 49729 UNIFIEDLAYER-AS-1US United States 7->28 30 discord.com 162.159.128.233, 443, 49705, 49718 CLOUDFLARENETUS United States 7->30 34 3 other IPs or domains 7->34 20 C:\Users\user\AppData\Local\...\Hqfadrv.exe, PE32 7->20 dropped 44 Detected unpacking (changes PE section rights) 7->44 46 Detected unpacking (overwrites its own PE header) 7->46 48 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->48 50 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->50 16 lxpo.exe 2 7->16         started        52 Multi AV Scanner detection for dropped file 12->52 54 Machine Learning detection for dropped file 12->54 56 Injects a PE file into a foreign processes 12->56 18 Hqfadrv.exe 12->18         started        32 192.168.2.1 unknown unknown 14->32 file6 signatures7 process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/344ca08fa2fdb87931ceb1e336019231bfba189458be0d3fa5016b5895d96cc6/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-11-27 08:11:05 UTC
File Type:
PE (Exe)
Extracted files:
86
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1cea11e60bce272e08ef8906924229cc33ba41dc2903ca2c397eb0ca70d85196
ModiLoader
1e91dc39314361fd45321a8adc28435467ad1167ee0cc646f77946b522b9efe3
ModiLoader
1ed66c4e244784bcbddb1f678881aefd150eee95206bb6905fc38383805fe7b0
ModiLoader
21b054a3b319b950887eff329ebb237a5d442e6742e94d66d2ff17cd85f8d930
ModiLoader
29cf2f87bd9503ddd65e08e9aab1e80bfef318873e649ca0db4e6b079f31b9a4
ModiLoader
3a89a79e825bf330e3ea46f6a5f548529b642dc61219a8deeaec070a0688a08e
ModiLoader
894f564c6c023c4baf66d72f13578bbfcd992b21f42f3f732887933d438ddbb7
ModiLoader
bdbc84c2fb75f0ed7b7e7c6ce24b02dba946003328b27cd17be926b83654f779
ModiLoader
d54847c7831d92a014c603f004d75828da72ed8f9d270a18023706f1bb375415
ModiLoader
e2d0cdf0caec3c6dfa7a88840f6d6202c6d846d6ae89fe8f2ce271f3b36b6ba9
ModiLoader
+ 571 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:modiloader keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201127-2mfz1gz58j/
Behaviour
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
ModiLoader First Stage
AgentTesla
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
344ca08fa2fdb87931ceb1e336019231bfba189458be0d3fa5016b5895d96cc6
MD5 hash:
45e25807fc1bd31a0b8309c44afce6e4
SHA1 hash:
f070047f9df99461c951f3973e3bf3e468a96a31
Link:
https://www.unpac.me/results/bdf38dd5-d5f7-4e1a-97dc-d515cf6480df/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tinba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/344ca08fa2fdb87931ceb1e336019231bfba189458be0d3fa5016b5895d96cc6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ModiLoader

Executable exe 344ca08fa2fdb87931ceb1e336019231bfba189458be0d3fa5016b5895d96cc6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/859801/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/105793/

Comments