MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b1dc7e0c9154fe384c695f8eec5622ab2ba88bf59d990def6b2c11d8519cecf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3b1dc7e0c9154fe384c695f8eec5622ab2ba88bf59d990def6b2c11d8519cecf
SHA3-384 hash: 888fdbe2efb317507af65b805f130f0c0e6261a495cdf89a735d261d8ca254336cc6e77d781ae1c24b299860050c4013
SHA1 hash: d00b20bfaf832d479cdfc23168de03c3e8209468
MD5 hash: 3c92d4e743bd7d72ea967445fee5cdf8
humanhash: kilo-four-washington-angel
File name:3b1dc7e0c9154fe384c695f8eec5622ab2ba88bf59d990def6b2c11d8519cecf
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'683'928 bytes
First seen:2020-11-21 20:53:23 UTC
Last seen:2020-11-25 08:00:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 49152:4qhLbEUclfDSca3J6eVAs4d2CE41/1Gyon2UsrN8:4SmDS5J6L25M/1Gpn2dJ8
Threatray 76 similar samples on MalwareBazaar
TLSH 8C75D012BAE85481E91CA4729856C6700370DC717AD1B56F27CAB73F88B7793281F92F
Reporter JAMESWT_WT
Tags:ModiLoader signed Smart Line Logistics

Code Signing Certificate

Organisation:DigiCert High Assurance EV Root CA
Issuer:DigiCert High Assurance EV Root CA
Algorithm:sha1WithRSAEncryption
Valid from:Nov 10 00:00:00 2006 GMT
Valid to:Nov 10 00:00:00 2031 GMT
Serial number: 02AC5C266A0B409B8F0B79F2AE462577
Intelligence: 204 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 7431E5F4C3C1CE4690774F0B61E05440883BA9A01ED00BA6ABD7806ED3B118CF
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
292
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
87 / 100
Link:
https://www.joesandbox.com/analysis/544645
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Contains functionality to access PhysicalDrive, possible boot sector overwrite
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 321420 Sample: p6oVIChBiU Startdate: 21/11/2020 Architecture: WINDOWS Score: 87 32 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->32 34 Antivirus detection for dropped file 2->34 36 Antivirus / Scanner detection for submitted sample 2->36 38 9 other signatures 2->38 6 p6oVIChBiU.exe 1 6 2->6         started        10 langApp.exe 3 2->10         started        12 langApp.exe 2 2->12         started        process3 file4 24 C:\Users\user\AppData\Roaming\...\langApp.exe, PE32 6->24 dropped 26 C:\Users\user\...\langApp.exe:Zone.Identifier, ASCII 6->26 dropped 28 C:\Users\user\AppData\...\p6oVIChBiU.exe.log, ASCII 6->28 dropped 40 Injects a PE file into a foreign processes 6->40 14 p6oVIChBiU.exe 6->14         started        18 p6oVIChBiU.exe 6->18         started        20 langApp.exe 10->20         started        22 langApp.exe 12->22         started        signatures5 process6 dnsIp7 30 217.8.117.204, 41053, 49759, 49760 CREXFEXPEX-RUSSIARU Russian Federation 14->30 42 Tries to harvest and steal browser information (history, passwords, etc) 14->42 signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3b1dc7e0c9154fe384c695f8eec5622ab2ba88bf59d990def6b2c11d8519cecf/
Threat name:
ByteCode-MSIL.Trojan.Malrep
Create hunting rule
Status:
Malicious
First seen:
2020-11-20 16:47:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
51
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
03097e2591496756b735b464c936a05829b9d4b4e484829cae974beed56c6257
ModiLoader
0eca210fbcf2f5451b6106fdb10889908d7e2dc2e0eadb6ff345ed75149d17ff
ModiLoader
265c93af05ea076407228de4cdfecc5e4052273610d35021afd1d0e72c81bb92
ModiLoader
2caacde56329c3cb26c041d2535a5121d02fc195193f4046aabec42d61655d68
ModiLoader
723080f3083b8428248cead3d4c3ad20883395e1d574f853bca15065d2217fad
ModiLoader
7826e058402d9d6fc6d3225479039c0f03a505622d80fd03c4bd4a7985d4c062
ModiLoader
a01cd6294d3b5bdf73771b113493d8a5c2df3f105db7d084b0729345a32a4453
ModiLoader
b8ddba51be188310218fd595f1053023789453dcc894b1a9a61d1d0494dee15d
ModiLoader
cb8cf6b203f27f3b42020653f940d2be826893d079035eac52d4d64e1102aa29
ModiLoader
e874283490ec44e6cad0729867ee2441d0eb80d76b615455babebc7f5d4ec452
ModiLoader
+ 66 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader bootkit persistence spyware trojan
Link:
https://tria.ge/reports/201121-rkr8khz95j/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Writes to the Master Boot Record (MBR)
Reads user/profile data of web browsers
ModiLoader First Stage
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
3b1dc7e0c9154fe384c695f8eec5622ab2ba88bf59d990def6b2c11d8519cecf
MD5 hash:
3c92d4e743bd7d72ea967445fee5cdf8
SHA1 hash:
d00b20bfaf832d479cdfc23168de03c3e8209468
Link:
https://www.unpac.me/results/2ea57b44-84d7-4e0c-89bf-c94a2529b730/
SH256 hash:
a3ec4aa32d153c4aa14675454d34de767c40efd387e39d5d5dd49a316cbe129c
MD5 hash:
7375f8bb02966ed2a2097f32dfbf9024
SHA1 hash:
285711ad127a541df6db6158d5145373a4d44a52
Link:
https://www.unpac.me/results/2ea57b44-84d7-4e0c-89bf-c94a2529b730/
SH256 hash:
83c08f0721c8b0c96e3d6a8f3ccaf5c96fbcc427d574625c34424c3429fefaa1
MD5 hash:
3c5dbcc3bb27e913e14efd8054811373
SHA1 hash:
b0eba9388abddaef9d5aa49ccd5dbab2924cced0
Link:
https://www.unpac.me/results/2ea57b44-84d7-4e0c-89bf-c94a2529b730/
SH256 hash:
c543ade42797aa07115d7b71bed2dcb1fc88d3c5e66a7cf441bbc7944fd73ac0
MD5 hash:
47dd7301ffba8f7fce4e9bc5247775af
SHA1 hash:
b3c01af8ae54b4b6d8022c444448b9a863606fe8
Link:
https://www.unpac.me/results/2ea57b44-84d7-4e0c-89bf-c94a2529b730/
SH256 hash:
21f440661f8acbca37155f9a134ad6a78b1aa2abd5c7255f98814ec8fc8a47fa
MD5 hash:
b3ef8f8e1ab0a9c60c1b76628da9949d
SHA1 hash:
d0ea2fdc7b46f69c35a710d63e4992e8f65aa8b4
Link:
https://www.unpac.me/results/2ea57b44-84d7-4e0c-89bf-c94a2529b730/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
WanaCrypt0r
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3b1dc7e0c9154fe384c695f8eec5622ab2ba88bf59d990def6b2c11d8519cecf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/malwrhunterteam/status/1330249483045785604?s=20
Cape
Cape
https://www.capesandbox.com/analysis/105202/

Comments