MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 395520b9d85c41c45e94973f4a02a36950b1233e060186670028d6cbf4c79c07. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 395520b9d85c41c45e94973f4a02a36950b1233e060186670028d6cbf4c79c07
SHA3-384 hash: 3b6b85047adbd235074f99b19d683cc92099a8d19afd5ee4bd21a7ffb8b83b59cbcf6737fba3ea246e7134c29ae6317b
SHA1 hash: ba5ced6b8612c5460715d1250671967882e7c14b
MD5 hash: b74ce302adad794236709c530fe98f85
humanhash: white-timing-bravo-nitrogen
File name:b74ce302adad794236709c530fe98f85.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'040'544 bytes
First seen:2020-11-01 07:21:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 24967b969934deafb74b30f5c6d2aac5 (8 x ModiLoader, 1 x AveMariaRAT, 1 x RemcosRAT)
ssdeep 12288:RonjUKefGncg9JvO3YgMz4kxTeDoemnEtC35OWk31uPtqYKmr3TmfOrvRkPt:RonbefGHVqYgcLetUhOWi1uFf3BrpC
Threatray 42 similar samples on MalwareBazaar
TLSH EB258D62A29244F6F253D6388C76567758F5BE3039386C462AE4ED087EFF2813C2DD52
Reporter abuse_ch
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
140
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/81605/
Detection(s):
PUA.Win.Malware.Installcore-6717809-0
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Fareit-FZOE94D1AC3C5BE.24044.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Connection attempt to an infection source
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
ModiLoader Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/517642
Signature
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected ModiLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 307925 Sample: LJLMG5Syza.exe Startdate: 01/11/2020 Architecture: WINDOWS Score: 100 37 agentpapple.ac.ug 2->37 39 taenaia.ac.ug 2->39 51 Malicious sample detected (through community Yara rule) 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 Yara detected ModiLoader 2->55 57 4 other signatures 2->57 9 LJLMG5Syza.exe 1 16 2->9         started        14 Hjkvdrv.exe 14 2->14         started        16 Hjkvdrv.exe 13 2->16         started        signatures3 process4 dnsIp5 47 cdn.discordapp.com 162.159.133.233, 443, 49710, 49741 CLOUDFLARENETUS United States 9->47 49 discord.com 162.159.137.232, 443, 49709, 49740 CLOUDFLARENETUS United States 9->49 35 C:\Users\user\AppData\Local\...\Hjkvdrv.exe, PE32 9->35 dropped 59 Writes to foreign memory regions 9->59 61 Creates a thread in another existing process (thread injection) 9->61 63 Injects a PE file into a foreign processes 9->63 18 ieinstal.exe 1 9->18         started        21 notepad.exe 4 9->21         started        65 Multi AV Scanner detection for dropped file 14->65 23 ieinstal.exe 14->23         started        25 ieinstal.exe 16->25         started        file6 signatures7 process8 dnsIp9 41 agentpapple.ac.ug 18->41 43 taenaia.ac.ug 185.140.53.149, 49723, 49725, 49728 DAVID_CRAIGGG Sweden 18->43 45 192.168.2.1 unknown unknown 18->45 27 cmd.exe 1 21->27         started        29 cmd.exe 1 21->29         started        process10 process11 31 conhost.exe 27->31         started        33 conhost.exe 29->33         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/395520b9d85c41c45e94973f4a02a36950b1233e060186670028d6cbf4c79c07/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2020-10-29 04:57:27 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hfksbooylra4ixuus47uuavdnfilciz6ayaymzyafdlmx5ghtqdq._file
Verdict:
suspicious
Similar samples:
0357b2aed154c5d1c335723481cdb1fb13fe5ceb50cf9e35a5007469528e38d9
ModiLoader
06e4ec7e065c7765f452e3516a985f3481f020aaddeb41e6f28bf2a33bc73c9d
ModiLoader
21dc2cd230d860e64a31419f2c208e9d6d0139fe5bbea4a26de782037d6f208d
ModiLoader
24af60cda9f71c743ac75a18552abe991aba2b5e8bb58b85fbbec669c44799b1
ModiLoader
359fa4b61a9a41f2362a8c09cc7b90067268786b47cf7ccc412c2d8d1bc77904
ModiLoader
4707d12ac7c445123243c1106f805600be99b1201ddd94e131c569d86b586bf2
ModiLoader
7262bffe13cb0313606a7f47e85404a201f3072c0f984ce0f3f6bdcc246cef0d
ModiLoader
9f425eb8fd149d006ba3d4902f80f24cc81c7e4215f66644b700da5b5a4edd03
ModiLoader
d5dc65df9d699ffab0563963fa22ed0a1d833d451dfbd1d724f2a5b988494538
ModiLoader
e0c3dfb8c7187ffcd1b2a520aad7d7bb69ddcac73578c2fe66f36822cf2faf16
ModiLoader
+ 32 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader persistence trojan
Link:
https://tria.ge/reports/201101-8alzzlnlka/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader First Stage
ModiLoader Second Stage
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
210a77b077303258e395ef51cbd84d09b3b7fd5290ce6f3eac10e04f3beb8d56
MD5 hash:
09eeee28fa2b3e517e18098397fea458
SHA1 hash:
30f3026aee4b34d2bc589bdaed1d9f5fb963cb7d
Link:
https://www.unpac.me/results/6a6de2b2-f4a1-404a-94c6-ce55d41bdbbd/
SH256 hash:
395520b9d85c41c45e94973f4a02a36950b1233e060186670028d6cbf4c79c07
MD5 hash:
b74ce302adad794236709c530fe98f85
SHA1 hash:
ba5ced6b8612c5460715d1250671967882e7c14b
Link:
https://www.unpac.me/results/6a6de2b2-f4a1-404a-94c6-ce55d41bdbbd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Gamarue
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/395520b9d85c41c45e94973f4a02a36950b1233e060186670028d6cbf4c79c07

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ModiLoader

Executable exe 395520b9d85c41c45e94973f4a02a36950b1233e060186670028d6cbf4c79c07

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/748738/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/572754/
  
URLhaus
https://urlhaus.abuse.ch/url/447391/
  
URLhaus
https://urlhaus.abuse.ch/url/686530/
  
URLhaus
https://urlhaus.abuse.ch/url/572760/
Cape
Cape
https://www.capesandbox.com/analysis/81605/

Comments