MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 455ea8ac576f3d44ecb310e3068e3ff759c8d6bc43344a1ad11ea5762b85d201. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 455ea8ac576f3d44ecb310e3068e3ff759c8d6bc43344a1ad11ea5762b85d201
SHA3-384 hash: 904b7972dfd538a2e46e50db1b84c2a86e255a245ef55094c0d406182070b8c0953f86de214ab4b0033707080a9c4f43
SHA1 hash: ffd933aa91c3df0d39828d97073c87d4d1329b46
MD5 hash: 1193ae97938eaacfe41a5cbef6754670
humanhash: hot-vermont-tennis-idaho
File name:HSBC File.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'119'232 bytes
First seen:2020-10-23 09:32:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c69785fe9cbd1d77d7a9bfb5553fbd19 (4 x ModiLoader, 1 x NetWire, 1 x RemcosRAT)
ssdeep 12288:j8xnrNVGQcigXmng7X+XmYWGQO7lGcRvR+ec0X6Dm9tEx6/nlyweV+8YZqckawUS:eriQciDnQ9YWmRnfxyiwluk
Threatray 513 similar samples on MalwareBazaar
TLSH FE358D21A291CB37D0379AF54C16A77899E5BE00ED247C46F6BCEC485F75EC0782B292
Reporter abuse_ch
Tags:exe geo HSBC ModiLoader PRT


Avatar
abuse_ch
Malspam distributing ModiLoader:

HELO: poczta.kia.pl
Sending IP: 80.72.33.102
From: Caixa Geral de Depósitos <account@ptssyndicate.com>
Subject: Notificação de transação recebida de pagamento
Attachment: HSBC File.iso (contains "HSBC File.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
109
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/75008/
Detection(s):
SecuriteInfo.com.Fareit-FZO345F40C742FA.17750.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Launching a process
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Sending a TCP request to an infection source
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/507989
Signature
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 303115 Sample: HSBC File.exe Startdate: 23/10/2020 Architecture: WINDOWS Score: 100 39 Malicious sample detected (through community Yara rule) 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 Yara detected AveMaria stealer 2->43 45 5 other signatures 2->45 6 HSBC File.exe 1 15 2->6         started        11 Xogldrv.exe 13 2->11         started        13 Xogldrv.exe 13 2->13         started        process3 dnsIp4 25 cdn.discordapp.com 162.159.129.233, 443, 49715, 49732 CLOUDFLARENETUS United States 6->25 27 discord.com 162.159.138.232, 443, 49714, 49731 CLOUDFLARENETUS United States 6->27 23 C:\Users\user\AppData\Local\...\Xogldrv.exe, PE32 6->23 dropped 47 Writes to foreign memory regions 6->47 49 Injects a PE file into a foreign processes 6->49 15 ieinstal.exe 3 4 6->15         started        51 Multi AV Scanner detection for dropped file 11->51 19 ieinstal.exe 1 11->19         started        29 162.159.130.233, 443, 49737 CLOUDFLARENETUS United States 13->29 21 ieinstal.exe 1 13->21         started        file5 signatures6 process7 dnsIp8 31 efiigbo9.duckdns.org 91.193.75.34, 49723, 8833 DAVID_CRAIGGG Serbia 15->31 33 Increases the number of concurrent connection per server for Internet Explorer 15->33 35 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->35 37 Installs a global keyboard hook 15->37 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/455ea8ac576f3d44ecb310e3068e3ff759c8d6bc43344a1ad11ea5762b85d201/
Threat name:
Win32.Trojan.NetWired
Create hunting rule
Status:
Malicious
First seen:
2020-10-23 08:52:54 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ivpkrlcxn46uj3ftcdrqndr765m4rvv4im2eugwrd2sxmk4f2iaq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
0629278e51106220eb8727f80f4c24cfb432e6344561e8518030b19b669bcc72
ModiLoader
411a64366a6b5b9e57bd06dcdccd377ea02d9ed7e8be0f290f0674e3d7ff3215
ModiLoader
4e420c5efeb26330ec4eb618426d859222b791798df3ae65c59fc20ef2f2889a
ModiLoader
52e8ebb47ae631081c6ac0ab78219951e8c7ac540e11b420e92d5df89ea719d7
ModiLoader
6c483817d7c95cd3ac3be070d84f1647b938ad3341f7b4854924a77892507af8
ModiLoader
91292df65ea051a8cd7009382fb66c6b3fed39e8ddc3a27e38c990e2b69ea942
ModiLoader
a0792945510f126714a42e9b4cef8b7e8d7aab504772b076c6df0a4e96f08e89
ModiLoader
a5e7f494eb61368332811160955db5ef4dc5f07e6e3fbc7d5c0776023d3714c0
ModiLoader
d30b949fc05b15b611b3fe420b6883062c5bb2b270c769540c48f703a46cbbf3
ModiLoader
f908e0abb7cf81d0e8f6604cf08bf71a431a409a44073a1a5c542b1987f9cadc
ModiLoader
+ 503 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
rat persistence trojan family:modiloader infostealer family:warzonerat
Link:
https://tria.ge/reports/201023-xtjch39xbe/
Behaviour
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
ModiLoader First Stage
ModiLoader Second Stage
Warzone RAT Payload
ModiLoader, DBatLoader
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
455ea8ac576f3d44ecb310e3068e3ff759c8d6bc43344a1ad11ea5762b85d201
MD5 hash:
1193ae97938eaacfe41a5cbef6754670
SHA1 hash:
ffd933aa91c3df0d39828d97073c87d4d1329b46
Link:
https://www.unpac.me/results/6a8f274f-94d5-441d-9cb3-da57db8f8c5c/
SH256 hash:
10120ef1d49409334151771688466ca4764b9590db49769a8a9af664cc8d7e61
MD5 hash:
539eeb9c424345c1dbe61a8cd7c34fea
SHA1 hash:
f030d8a0cf5a5781085b2f6403723adf8cc73cef
Link:
https://www.unpac.me/results/6a8f274f-94d5-441d-9cb3-da57db8f8c5c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/455ea8ac576f3d44ecb310e3068e3ff759c8d6bc43344a1ad11ea5762b85d201

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

iso f636c35d057da438540d73890abc6a6d9070ccb69c72695136481bdde6f9f623

ModiLoader

Executable exe 455ea8ac576f3d44ecb310e3068e3ff759c8d6bc43344a1ad11ea5762b85d201

(this sample)

  
Dropped by
MD5 96a455e786a3b3d0ca3f7624cdc66764
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/75008/
  
Dropped by
SHA256 f636c35d057da438540d73890abc6a6d9070ccb69c72695136481bdde6f9f623

Comments