MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f6c0a695ed2c971594738b378b21b3bb936d424e4516216f34b4dff8aa063dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3f6c0a695ed2c971594738b378b21b3bb936d424e4516216f34b4dff8aa063dc
SHA3-384 hash: efceb33ee77755e9e2ac4f714490bf7106b9ba8f04f0a8560638b7a6c62701931b5e3f8f46f7508a197b14939505e8cd
SHA1 hash: a76d8cd0376bab0098422394579ee8dca1d3916e
MD5 hash: 81863c0034547cc203cc63d833c9e7e5
humanhash: alpha-magazine-sad-november
File name:Albawardi Group Project offer description 678467463756382020.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:951'808 bytes
First seen:2020-10-26 14:19:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 911ad15eafc60c6c5da31e0ed83b95b8 (7 x ModiLoader, 1 x NetWire, 1 x RemcosRAT)
ssdeep 12288:oVCTeZF541To2ztd5/IEAHqDPD3PDQnA/g07SVllWweV+8YZqckawUNlY7RzjTOp:oVCCa1Rzt0EAHqf36EFAYlujYYue
Threatray 560 similar samples on MalwareBazaar
TLSH 3215AE21B7918836D1731B7A9D4B67B89E25FE102E2065473BFC688C5F76790383A2D3
Reporter abuse_ch
Tags:exe ModiLoader


Avatar
abuse_ch
Malspam distributing ModiLoader:

HELO: h22.megalink.com
Sending IP: 200.75.160.22
From: Sayeed Almohtaseb <info@bidakis.com>
Subject: Re:Offer #SKTMC440 Albawardi Group
Attachment: Albawardi Group Project offer description 678467463756382020.iso (contains "Albawardi Group Project offer description 678467463756382020.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
68
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/79172/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Connection attempt
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/511969
Signature
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Fodhelper UAC Bypass
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 305145 Sample: Albawardi Group Project off... Startdate: 26/10/2020 Architecture: WINDOWS Score: 100 48 Malicious sample detected (through community Yara rule) 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 Yara detected AveMaria stealer 2->52 54 5 other signatures 2->54 8 Albawardi Group Project offer description 678467463756382020.exe 1 15 2->8         started        13 Ufezdrv.exe 13 2->13         started        15 Ufezdrv.exe 13 2->15         started        process3 dnsIp4 42 cdn.discordapp.com 162.159.130.233, 443, 49739, 49768 CLOUDFLARENETUS United States 8->42 44 discord.com 162.159.137.232, 443, 49738, 49775 CLOUDFLARENETUS United States 8->44 38 C:\Users\user\AppData\Local\...\Ufezdrv.exe, PE32 8->38 dropped 60 Writes to foreign memory regions 8->60 62 Creates a thread in another existing process (thread injection) 8->62 64 Injects a PE file into a foreign processes 8->64 17 ieinstal.exe 3 2 8->17         started        21 notepad.exe 4 8->21         started        46 162.159.136.232, 443, 49767 CLOUDFLARENETUS United States 13->46 66 Multi AV Scanner detection for dropped file 13->66 24 ieinstal.exe 1 13->24         started        file5 signatures6 process7 dnsIp8 40 178.170.138.163, 4554 ETOP-ASPL Netherlands 17->40 56 Increases the number of concurrent connection per server for Internet Explorer 17->56 58 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->58 36 C:\Users\Public36atso.bat, ASCII 21->36 dropped 26 cmd.exe 1 21->26         started        28 cmd.exe 1 21->28         started        file9 signatures10 process11 process12 30 conhost.exe 26->30         started        32 reg.exe 1 1 26->32         started        34 conhost.exe 28->34         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3f6c0a695ed2c971594738b378b21b3bb936d424e4516216f34b4dff8aa063dc/
Threat name:
Win32.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2020-10-26 07:29:35 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h5wau2k62lexcwkhhczxrmq3ho4tnvbe4riwefxtjng77cvampoa._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
0629278e51106220eb8727f80f4c24cfb432e6344561e8518030b19b669bcc72
ModiLoader
210907c63a822466ef533403076830467ea49fd5fad67af25528ab558eeb9415
ModiLoader
455ea8ac576f3d44ecb310e3068e3ff759c8d6bc43344a1ad11ea5762b85d201
ModiLoader
51966d322a39d2b7c08c85a58e19b558ab678862385be75ab90e69b84fde583f
ModiLoader
52fe1131c196f9b05130872ebe9a2eca93eaa6fab493f3ad5f06770184ddf227
ModiLoader
5cbed2f8a5fdadbd99816c4c8792bd51a2db7479f80bf70409f0f257f942d0c9
ModiLoader
82b070a42d50b8e37b551543e041933140f3823138b0997fccd4ad926df8183b
ModiLoader
d0bac6ada2cd0b49ac66bdaa4265e6cb61df1a4339f50cc7b7bdaade9029337e
ModiLoader
e4769506e482cbdbaeae35eb657e75cfb941ab66253770896493666b023851a5
ModiLoader
f908e0abb7cf81d0e8f6604cf08bf71a431a409a44073a1a5c542b1987f9cadc
ModiLoader
+ 550 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
rat trojan family:modiloader infostealer family:warzonerat persistence
Link:
https://tria.ge/reports/201026-d8nntcnj7e/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
ModiLoader First Stage
ModiLoader Second Stage
Warzone RAT Payload
ModiLoader, DBatLoader
WarzoneRat, AveMaria
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3f6c0a695ed2c971594738b378b21b3bb936d424e4516216f34b4dff8aa063dc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

iso 6ab7e0b5f3918a455e9f0da684850596f30cf702cda0f6ce533b8d008d6980a8

ModiLoader

Executable exe 3f6c0a695ed2c971594738b378b21b3bb936d424e4516216f34b4dff8aa063dc

(this sample)

  
Dropped by
MD5 383bc13f923b0515087547dc84225dbb
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 6ab7e0b5f3918a455e9f0da684850596f30cf702cda0f6ce533b8d008d6980a8
Cape
Cape
https://www.capesandbox.com/analysis/79172/

Comments