MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 496671f8e1bf18a737d2aeb8039eca02d3d113200de59b2e9967d7dfd9bbefe4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 496671f8e1bf18a737d2aeb8039eca02d3d113200de59b2e9967d7dfd9bbefe4
SHA3-384 hash: 3d72782e3cb37bc63b037a281a85bfe1b9fdb869d6a47b37e3ee97779a0f60952c9d40a25ce060036788c98fa8e684e3
SHA1 hash: 0471d597fa6d6d4bec3b39f21551e80847e47e3d
MD5 hash: 52abe055fdf8884ec7a9fbf1d761cd54
humanhash: five-oranges-juliet-november
File name:Bmxcixs_Signed_.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'236'824 bytes
First seen:2020-10-08 05:30:00 UTC
Last seen:2020-10-08 07:17:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 624fe783ce1fbfc247a3c0409d1b1239 (6 x ModiLoader)
ssdeep 12288:DpP5SyQ9wblP2AB469py931hFrPRDfI4xZLx7kX8Tp0vx7yUD8+O:DpR26vZy93NpTjxjkMTp0g
Threatray 281 similar samples on MalwareBazaar
TLSH 33456D12B291CC36D1E22A749C4BC6B89926BE407D27A9473BE43F0DBF787513439297
Reporter abuse_ch
Tags:exe ModiLoader


Avatar
abuse_ch
Malspam distributing ModiLoader:

HELO: tidesmedical.info
Sending IP: 192.119.95.28
From: "Hung Nhan Garment Co.LTD.," <contact@tidesmedical.info>
Subject: RE: Urgent Request For New Shipment//INV/PL/TEHK00945332
Attachment: Bmxcixs_Signed_.gz (contains "Bmxcixs_Signed_.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69071/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Launching a process
Reading critical registry keys
Changing a file
Replacing files
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Enabling the 'hidden' option for recently created files
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Connection attempt to an infection source
Sending an HTTP POST request to an infection source
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/484933
Signature
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 294908 Sample: Bmxcixs_Signed_.exe Startdate: 08/10/2020 Architecture: WINDOWS Score: 100 48 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->48 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 5 other signatures 2->54 6 Bmxcixs_Signed_.exe 1 15 2->6         started        11 Bmxcnek.exe 13 2->11         started        13 Bmxcnek.exe 13 2->13         started        process3 dnsIp4 28 cdn.discordapp.com 162.159.135.233, 443, 49729, 49758 CLOUDFLARENETUS United States 6->28 30 discord.com 162.159.136.232, 443, 49727, 49728 CLOUDFLARENETUS United States 6->30 32 192.168.2.1 unknown unknown 6->32 26 C:\Users\user\AppData\Local\...\Bmxcnek.exe, PE32 6->26 dropped 56 Writes to foreign memory regions 6->56 58 Allocates memory in foreign processes 6->58 60 Injects a PE file into a foreign processes 6->60 15 ieinstal.exe 55 6->15         started        34 162.159.129.233, 443, 49782 CLOUDFLARENETUS United States 11->34 36 162.159.137.232, 443, 49779, 49780 CLOUDFLARENETUS United States 11->36 20 ieinstal.exe 11->20         started        22 ieinstal.exe 13->22         started        file5 signatures6 process7 dnsIp8 38 future--seafood.com 193.106.175.47, 49739, 49741, 49744 IQHOSTRU Russian Federation 15->38 24 C:\Users\user\AppData\Roaming\...\B52B3F.exe, PE32 15->24 dropped 40 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->40 42 Tries to steal Mail credentials (via file access) 15->42 44 Tries to harvest and steal ftp login credentials 15->44 46 Tries to harvest and steal browser information (history, passwords, etc) 15->46 file9 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/496671f8e1bf18a737d2aeb8039eca02d3d113200de59b2e9967d7dfd9bbefe4/
Threat name:
Win32.Trojan.RemcosCrypt
Create hunting rule
Status:
Malicious
First seen:
2020-10-08 05:31:10 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jfthd6hbx4mkon6sv24ahhwkalj5cezabxszwluzm7l57wn357sa._file
Verdict:
malicious
Similar samples:
00a59bd4f68fa1f661435296736f595c1e20968ce22c21afc2f56099cbb2a600
ModiLoader
08ec57340fc3d816f9df88c2c09bb584175a597e0f59171d2efcd640a90c343c
ModiLoader
1767a9206deb4dbba96ab368f45b43e4603af97e631940bbd1947e70b932f0af
ModiLoader
2dc919f5d220f45c43cf0de4399d30313ff6566b79e4f367e279a0bb71429b84
ModiLoader
3757d0cdf86233d9ca139d414dd7b1cb19ae824514490f747fcc931cf9ed750d
ModiLoader
4b183077cbfa209aab597f0cfe66178add15a0d590ba3abdf170ae708617bfef
ModiLoader
73be7382d0c307a958973954111725315843e7d089c29fe826a5bc892332381d
ModiLoader
791371bc79a77815d56c9bcbfc2b2abebd3b7cb05e3eb1966e425ce1892e13a4
ModiLoader
8f3b6a725b06abd223aa214244ba4756cba52419dd116506744c386133a805fe
ModiLoader
bdfab1d388e83c33d6f0f055225f812165fe09ba813559e539be7ac9165e33ed
ModiLoader
+ 271 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
trojan family:modiloader spyware stealer family:lokibot persistence
Link:
https://tria.ge/reports/201008-l8pj55y11n/
Behaviour
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Lokibot
ModiLoader, DBatLoader
Malware Config
C2 Extraction:
http://future--seafood.com/kaka/kaka3/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
496671f8e1bf18a737d2aeb8039eca02d3d113200de59b2e9967d7dfd9bbefe4
MD5 hash:
52abe055fdf8884ec7a9fbf1d761cd54
SHA1 hash:
0471d597fa6d6d4bec3b39f21551e80847e47e3d
Detections:
win_dbatloader_auto
Create hunting rule
Link:
https://www.unpac.me/results/bca6d42d-717a-4ae5-9da3-7549b536bcd6/
SH256 hash:
3e7dd49ff0792b8c39c06723bd9105a0126a54fc8d76e5252f3c5ee3f49bb584
MD5 hash:
f085c4b4763c2a5321f28e4f6c759de0
SHA1 hash:
0cde93d3984faf2fdfbab0891b15aa04482d279a
Detections:
win_dbatloader_g0
Create hunting rule
win_dbatloader_auto
Create hunting rule
Link:
https://www.unpac.me/results/bca6d42d-717a-4ae5-9da3-7549b536bcd6/
Parent samples :
496671f8e1bf18a737d2aeb8039eca02d3d113200de59b2e9967d7dfd9bbefe4
c1e9a93d4333300e178c7ea651b23149aa206c96f4c985e02e65406d813764ea
91622a9d48459e615ea429ef8b03411ce90df650cedd5c451436ee36123593a9
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/496671f8e1bf18a737d2aeb8039eca02d3d113200de59b2e9967d7dfd9bbefe4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_dbatloader_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

zip 3b10f3c1d3d58f5ec259d4baa6d1e2544efced7895cea0e2b56b068547cbacf7

ModiLoader

Executable exe 496671f8e1bf18a737d2aeb8039eca02d3d113200de59b2e9967d7dfd9bbefe4

(this sample)

  
Dropped by
MD5 82b635dc1534834c4557b6ce3765f829
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 3b10f3c1d3d58f5ec259d4baa6d1e2544efced7895cea0e2b56b068547cbacf7
Cape
Cape
https://www.capesandbox.com/analysis/69071/

Comments