MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 38e3cba90f87ed237322570ee1c681b99ead6bab00864005a93b713a6fe4574f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 38e3cba90f87ed237322570ee1c681b99ead6bab00864005a93b713a6fe4574f
SHA3-384 hash: 6d1c2228fe3f1c467748ecc62da7ff24d22282993c3aaef5ba67460e17df1380f1cf52470db2a27b99c680a50c446c2e
SHA1 hash: 822f775c851bd0ba70f915b10709ca2edb22dd46
MD5 hash: f809ef2bcefca24535ad34d966b78bd0
humanhash: zulu-blossom-december-florida
File name:OKaxjorl_Signed_ -.pif
Download: download sample
Signature ModiLoader
Create hunting rule
File size:636'568 bytes
First seen:2020-10-12 14:48:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5f8ce99d6ad75c2b34e5fbb6b24c4395 (15 x ModiLoader, 4 x Loki, 2 x AZORult)
ssdeep 12288:sOZlAvXBW34aSHxF5en1PwGP0eAMNzVn2Vd13jde/T:dlUM4aSHTUn1PQeLNzV2H1Q/T
Threatray 410 similar samples on MalwareBazaar
TLSH 44D4AFF3F2F14433C16726785C1B97BD682ABE132D28A9462AF51D4C6F39681393B193
Reporter abuse_ch
Tags:ModiLoader pif


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: host8.axxesslocal.co.za
Sending IP: 154.0.175.45
From: Kawthar Services & Total Industrial Supplies <info@kawthar.net>
Subject: Kawthar Services & Total Industrial Supplies- Order ID: OKAXJORI/10/12/2020
Attachment: OKaxjorl_Kawthar.img (contains "OKaxjorl_Signed_ -.pif")

Intelligence

File Origin
# of uploads :
1
# of downloads :
97
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70129/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Unauthorized injection to a recently created process
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/488583
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Fodhelper UAC Bypass
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Keylogger Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 296747 Sample: OKaxjorl_Signed_ -.pif Startdate: 12/10/2020 Architecture: WINDOWS Score: 100 49 Detected unpacking (changes PE section rights) 2->49 51 Detected unpacking (overwrites its own PE header) 2->51 53 Yara detected AgentTesla 2->53 55 4 other signatures 2->55 8 OKaxjorl_Signed_ -.exe 1 15 2->8         started        13 Kaxjdrv.exe 13 2->13         started        15 Kaxjdrv.exe 13 2->15         started        process3 dnsIp4 41 cdn.discordapp.com 162.159.129.233, 443, 49724, 49751 CLOUDFLARENETUS United States 8->41 43 discord.com 162.159.138.232, 443, 49722, 49723 CLOUDFLARENETUS United States 8->43 39 C:\Users\user\AppData\Local\...\Kaxjdrv.exe, PE32 8->39 dropped 59 Writes to foreign memory regions 8->59 61 Allocates memory in foreign processes 8->61 63 Creates a thread in another existing process (thread injection) 8->63 65 Injects a PE file into a foreign processes 8->65 17 OKaxjorl_Signed_ -.exe 2 8->17         started        21 notepad.exe 4 8->21         started        45 162.159.133.233, 443, 49747 CLOUDFLARENETUS United States 13->45 47 192.168.2.1 unknown unknown 13->47 67 Detected unpacking (changes PE section rights) 13->67 69 Detected unpacking (overwrites its own PE header) 13->69 71 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 13->71 73 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 13->73 23 Kaxjdrv.exe 2 13->23         started        file5 signatures6 process7 file8 35 C:\Windows\System32\drivers\etc\hosts, ASCII 17->35 dropped 57 Modifies the hosts file 17->57 37 C:\Users\Public37atso.bat, ASCII 21->37 dropped 25 cmd.exe 1 21->25         started        27 cmd.exe 1 21->27         started        signatures9 process10 process11 29 conhost.exe 25->29         started        31 reg.exe 1 1 25->31         started        33 conhost.exe 27->33         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/38e3cba90f87ed237322570ee1c681b99ead6bab00864005a93b713a6fe4574f/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2020-10-12 09:14:30 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hdr4xkipq7wsg4zck4hodrubxgpk225lacdeabnjhnytu37ek5hq._file
Verdict:
malicious
Similar samples:
1b13660c52adcccc1cef45f137a3373f5615500a609c61a9872e5ed4336e629a
ModiLoader
1e2773c36054c3392f3e220d4c22cce63f31750c2ee6707198e4d15648f11897
ModiLoader
23f63135c2789e7ef408e0184508a7340f673860f0fefc09dd705276d82d7787
ModiLoader
3a5943219f8400531a411b909b666337ba4f232d19e003a0128e0d699106f04f
ModiLoader
49cd5a74bbebb0bb147f1bfb1e0ec7e42de79cd137eff2b62386cb3ac5229dab
ModiLoader
4ae6b816ae796954dd22a01dacb47e9e76bd3facc4f20f7f8fb76e18fd20b27b
ModiLoader
6b85fd7249ceaf4a88f71ad1becb27b9c9a17b1c1bd2cb75f25cdc7b1318785a
ModiLoader
95aee7e64808e12f340834e6b49c3541c1e5e0b3a1ff1fcd7eb2591a83b619fb
ModiLoader
a8f02b8afe1ae18247c52d2e7272de680c81e7f215c5302d9c0961ff3ad52cb9
ModiLoader
fcb0efa3aa2fadbf33aa05b84a71129308f89fc0a2faa9cdf561b941aa321e87
ModiLoader
+ 400 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
persistence trojan family:modiloader
Link:
https://tria.ge/reports/201012-hjqz8pnbmn/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops file in Drivers directory
ModiLoader First Stage
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
38e3cba90f87ed237322570ee1c681b99ead6bab00864005a93b713a6fe4574f
MD5 hash:
f809ef2bcefca24535ad34d966b78bd0
SHA1 hash:
822f775c851bd0ba70f915b10709ca2edb22dd46
Link:
https://www.unpac.me/results/4cd13e5e-9f68-4338-89c4-45ee3f9a1f98/
SH256 hash:
4a64b1c5f50fed3e568dac0bf9c842d95c2b6e9b6e920b5176a014f8e4f758a5
MD5 hash:
d46d5a6118e010f8a7c25002b7ba01c0
SHA1 hash:
3f697b4b3d8323dc29fc6e4b1e2ab683ff309de1
Detections:
win_dbatloader_auto
Create hunting rule
Link:
https://www.unpac.me/results/4cd13e5e-9f68-4338-89c4-45ee3f9a1f98/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/38e3cba90f87ed237322570ee1c681b99ead6bab00864005a93b713a6fe4574f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_dbatloader_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

img 3573eb2fa96610a18fcb5ae8157af66b5802aa268c66d022f358040c6079ba1b

ModiLoader

Executable exe 38e3cba90f87ed237322570ee1c681b99ead6bab00864005a93b713a6fe4574f

(this sample)

  
Dropped by
MD5 bdd5ddc25f4017dcdf218e0a59a311f9
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70129/
  
Dropped by
SHA256 3573eb2fa96610a18fcb5ae8157af66b5802aa268c66d022f358040c6079ba1b

Comments