MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35b67e1c875487d5d0f15b03a1fd37cfe1396d13ff47440ef7f18402f1b7131e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 35b67e1c875487d5d0f15b03a1fd37cfe1396d13ff47440ef7f18402f1b7131e
SHA3-384 hash: f2f7e65f0b5b0168ef49bd68c799786e7cce250390e9fc2467b538c73163213262a852beb2507fcc13b55d10ea4a56f5
SHA1 hash: 26a55ab918e9ab0f085a4412f4b908a1354b0b94
MD5 hash: 303f5856e66652b97110410d985f124a
humanhash: hydrogen-texas-glucose-snake
File name:Q-20E122269-USD INQUIRY NO.201200019_DOC .EXE
Download: download sample
Signature ModiLoader
Create hunting rule
File size:755'808 bytes
First seen:2020-12-14 14:26:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c3d6710a07e2881790555234ea14179a (8 x ModiLoader, 1 x Formbook, 1 x ISRStealer)
ssdeep 12288:L4Per7j2cD2/gERzL6XeF03yKnkn3Hp2EAIFOQYNd:LVKc63GkSnioEvOfd
Threatray 738 similar samples on MalwareBazaar
TLSH 75F49F13F2904437D16716799C1F97A8AC2ABE103E349D8A6BF93D0C4F3A791782A1D7
Reporter cocaman
Tags:exe ModiLoader

Code Signing Certificate

Organisation:UTN-USERFirst-Object
Issuer:AddTrust External CA Root
Algorithm:sha1WithRSAEncryption
Valid from:Jun 7 08:09:10 2005 GMT
Valid to:May 30 10:48:38 2020 GMT
Serial number: 421AF2940984191F520A4BC62426A74B
Intelligence: 307 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 2CF1EC6AB594113BD538DF6D5C940E3319B424F8756D975888072C6AB558B771
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
145
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Q-20E122269-USD INQUIRY NO.201200019_DOC .EXE
Verdict:
Malicious activity
Analysis date:
2020-12-14 14:35:50 UTC
Tags:
installer
Link:
https://app.any.run/tasks/faed27bb-5e10-4c9f-a226-80be7ad4cd1e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/107972/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Variant.Strictor.253009.11269.9482.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a file
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Creating a window
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/562221
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (a lot of spaces)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 330201 Sample: Q-20E122269-USD INQUIRY NO.... Startdate: 14/12/2020 Architecture: WINDOWS Score: 100 53 Multi AV Scanner detection for submitted file 2->53 55 Detected unpacking (changes PE section rights) 2->55 57 Detected unpacking (overwrites its own PE header) 2->57 59 8 other signatures 2->59 6 Tlhsest.exe 14 2->6         started        10 Tlhsest.exe 13 2->10         started        12 Q-20E122269-USD INQUIRY NO.201200019_DOC                                             .EXE 1 16 2->12         started        process3 dnsIp4 61 Multi AV Scanner detection for dropped file 6->61 63 Detected unpacking (changes PE section rights) 6->63 65 Detected unpacking (overwrites its own PE header) 6->65 69 2 other signatures 6->69 15 Tlhsest.exe 14 6 6->15         started        25 162.159.130.233, 443, 49738 CLOUDFLARENETUS United States 10->25 67 Injects a PE file into a foreign processes 10->67 19 Tlhsest.exe 10->19         started        27 cdn.discordapp.com 162.159.129.233, 443, 49730, 49736 CLOUDFLARENETUS United States 12->27 29 discord.com 162.159.135.232, 443, 49729, 49735 CLOUDFLARENETUS United States 12->29 23 C:\Users\user\AppData\Local\...\Tlhsest.exe, PE32 12->23 dropped 21 Q-20E122269-USD INQUIRY NO.201200019_DOC                                             .EXE 15 6 12->21         started        file5 signatures6 process7 dnsIp8 31 54.235.142.93, 443, 49769 AMAZON-AESUS United States 15->31 39 2 other IPs or domains 15->39 33 192.168.2.1 unknown unknown 19->33 41 2 other IPs or domains 19->41 45 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 19->45 47 Tries to steal Mail credentials (via file access) 19->47 49 Tries to harvest and steal ftp login credentials 19->49 51 Tries to harvest and steal browser information (history, passwords, etc) 19->51 35 api.telegram.org 149.154.167.220, 443, 49768, 49771 TELEGRAMRU United Kingdom 21->35 37 elb097307-934924932.us-east-1.elb.amazonaws.com 54.225.169.28, 443, 49767, 49770 AMAZON-AESUS United States 21->37 43 2 other IPs or domains 21->43 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/35b67e1c875487d5d0f15b03a1fd37cfe1396d13ff47440ef7f18402f1b7131e/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-12-14 13:52:35 UTC
File Type:
PE (Exe)
Extracted files:
99
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gw3h4hehksd5luhrlmb2d7jxz7qts3it75duidxx6gcaf4nxcmpa._file
Verdict:
malicious
Similar samples:
1b13660c52adcccc1cef45f137a3373f5615500a609c61a9872e5ed4336e629a
ModiLoader
2d247ddbe562ab9d09de813690eab0dc59ae57f5e6ffae2e95b9828d13dccd14
ModiLoader
31c185ceec1decd13b09c736f42313c1c1e7e2bed23f7bda2938bbae7e2550cd
ModiLoader
3a89a79e825bf330e3ea46f6a5f548529b642dc61219a8deeaec070a0688a08e
ModiLoader
6d8dbdf39f97cc1b6730d7eb7b2ac7f60ac2026e5ac33edb00093f1a87cfcf9a
ModiLoader
bbea95593bba6fe7032bf18a19c6f401927632ab6083e0bf6f224fb99fc7ece1
ModiLoader
bea787acfc0effd615ab72ab1be2d18bb7b1eb07bed15b013bdbbf3c61b5fd86
ModiLoader
cf1e8f2fc2dd05514be3e8f92abf5b266dfb1547cc611dabc0cc4eea5a1b7dfe
ModiLoader
d6dcf42227c7121a1dae639d8c22a5474e016605e0300909db70665b580ab8ed
ModiLoader
fcb0efa3aa2fadbf33aa05b84a71129308f89fc0a2faa9cdf561b941aa321e87
ModiLoader
+ 728 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:modiloader keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201214-h74nv6nxgn/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
35b67e1c875487d5d0f15b03a1fd37cfe1396d13ff47440ef7f18402f1b7131e
MD5 hash:
303f5856e66652b97110410d985f124a
SHA1 hash:
26a55ab918e9ab0f085a4412f4b908a1354b0b94
Link:
https://www.unpac.me/results/049aa8aa-a397-47f8-ae9a-fdaa8f56ad03/
SH256 hash:
fd71f6ffd10f982900129789b98c3a124f8fda157e6cd74a8082ef3f21813dc2
MD5 hash:
a2622f1601adf0151d930fa4e4fd0ae5
SHA1 hash:
faa4ee90e622543ff3a4eeb99dc7ac82e81552c3
Detections:
win_dbatloader_g0
Create hunting rule
Link:
https://www.unpac.me/results/049aa8aa-a397-47f8-ae9a-fdaa8f56ad03/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/35b67e1c875487d5d0f15b03a1fd37cfe1396d13ff47440ef7f18402f1b7131e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_dbatloader_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Description:targets loader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

img b2a922e5e5a0a6b87c1d52f6dca6db12fa48246cf0e46d26106a88e5b5d5b475

ModiLoader

Executable exe 35b67e1c875487d5d0f15b03a1fd37cfe1396d13ff47440ef7f18402f1b7131e

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 b2a922e5e5a0a6b87c1d52f6dca6db12fa48246cf0e46d26106a88e5b5d5b475
Cape
Cape
https://www.capesandbox.com/analysis/107972/

Comments