MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ca2c3d8f5fabdbda0cc20c90af7f04b2a09f921e7e81a922ccefa6a3600cea6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4ca2c3d8f5fabdbda0cc20c90af7f04b2a09f921e7e81a922ccefa6a3600cea6
SHA3-384 hash: 1145b63f6151c414dbca687abaa7408bae524261151b5621293d73aac8ba1b9917aaf7614141c885d93f7915c5d83a6b
SHA1 hash: 498c7fea6d943d9d57b2565462b52e7e557c0eb8
MD5 hash: 518708b4ee7d5a7bcff40500e7d0c922
humanhash: wyoming-seventeen-london-connecticut
File name:518708b4ee7d5a7bcff40500e7d0c922.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:743'104 bytes
First seen:2020-12-09 10:23:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 084ab79676b5b0cc1ffaebcdcfdd0387 (2 x ModiLoader, 1 x Formbook)
ssdeep 12288:ZYFnichEklZ6BuDkVHRN1azVxGfhL7XqZA4Iw7uiKcnq5fzWrvlZ7gT:GichjZ6UYVHRN+fwhqppwfsvv7i
Threatray 387 similar samples on MalwareBazaar
TLSH 04F49E32F3A14EBBD01B073DED1FD6E86C28BF102D9869467AED5D0C4E3A6867825057
Reporter abuse_ch
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
518708b4ee7d5a7bcff40500e7d0c922.exe
Verdict:
Suspicious activity
Analysis date:
2020-12-09 10:30:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e3230ea2-c924-4b71-87f6-d9c6cdaa0fda

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/107413/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Variant.Jacard.206074.21298.9473.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/558983
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4ca2c3d8f5fabdbda0cc20c90af7f04b2a09f921e7e81a922ccefa6a3600cea6/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2020-12-08 23:27:33 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jsrmhwhv7k633igmedeqv57qjmvat6jb47ubvermz35gunqaz2ta._file
Verdict:
malicious
Similar samples:
042ef647920e37e8da471c1bfbc36490ee6bf93ceee75cd90161823ae74d458b
ModiLoader
1288ae44d28cad478afd6fae196164f297b8656977fd2ac34d08ab5877a5b795
ModiLoader
1b13660c52adcccc1cef45f137a3373f5615500a609c61a9872e5ed4336e629a
ModiLoader
23f63135c2789e7ef408e0184508a7340f673860f0fefc09dd705276d82d7787
ModiLoader
29cf2f87bd9503ddd65e08e9aab1e80bfef318873e649ca0db4e6b079f31b9a4
ModiLoader
3a5943219f8400531a411b909b666337ba4f232d19e003a0128e0d699106f04f
ModiLoader
49cd5a74bbebb0bb147f1bfb1e0ec7e42de79cd137eff2b62386cb3ac5229dab
ModiLoader
4ae6b816ae796954dd22a01dacb47e9e76bd3facc4f20f7f8fb76e18fd20b27b
ModiLoader
a51241f19d9e2f370c5fca701fb761a5faef8d2f0a16de8ddad6a1936020cdd3
ModiLoader
fcb0efa3aa2fadbf33aa05b84a71129308f89fc0a2faa9cdf561b941aa321e87
ModiLoader
+ 377 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201209-sm7jyacalx/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
4ca2c3d8f5fabdbda0cc20c90af7f04b2a09f921e7e81a922ccefa6a3600cea6
MD5 hash:
518708b4ee7d5a7bcff40500e7d0c922
SHA1 hash:
498c7fea6d943d9d57b2565462b52e7e557c0eb8
Link:
https://www.unpac.me/results/72f75576-3e56-415f-8d33-ca24a8e948ff/
SH256 hash:
118e4551ac31bdc92e5a34c3069d5b2d8efe60ac58adc83bf2e5ee8a50b5a738
MD5 hash:
fea7f670d5ae5104140e571e68ce91c5
SHA1 hash:
e53bf1b051f2bd122b0781ef818447bcb2c09207
Link:
https://www.unpac.me/results/72f75576-3e56-415f-8d33-ca24a8e948ff/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/4ca2c3d8f5fabdbda0cc20c90af7f04b2a09f921e7e81a922ccefa6a3600cea6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ModiLoader

Executable exe 4ca2c3d8f5fabdbda0cc20c90af7f04b2a09f921e7e81a922ccefa6a3600cea6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/900682/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/107413/

Comments