MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d71bbe32ad8828d3ed66fb0ea352086181390391bab0960298fad620b61eee7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4d71bbe32ad8828d3ed66fb0ea352086181390391bab0960298fad620b61eee7
SHA3-384 hash: c4b7f5fd3de1cc04076841bf9751b8434b0fa5e9133b68bfd156e2aac9331e80f0cbe80f23c0584d0b0968c466b08b8b
SHA1 hash: 18a87991e98013678713cf231f37787ab0c87512
MD5 hash: b305d95fa833495eca1fa9ab824a25e0
humanhash: network-foxtrot-lithium-artist
File name:b305d95fa833495eca1fa9ab824a25e0.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:5'414'306 bytes
First seen:2021-03-22 20:13:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 08fd62a9d05cc8111782017958ea975d (2 x ModiLoader, 1 x AkiraStealer, 1 x RedLineStealer)
ssdeep 98304:+Q4zR7LLNnsg+mWXBcBFR9pZJTsPZRM7F5s+PfIZfgn1PYmjiHeomT:YBLpZeGBFR9jcZRUFe+YtgnpYh+TT
Threatray 63 similar samples on MalwareBazaar
TLSH 05463317327144F2D977E57C8965990AFA72B022871AC3EF2A7187B70E432F8BC69315
Reporter abuse_ch
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b305d95fa833495eca1fa9ab824a25e0.exe
Verdict:
No threats detected
Analysis date:
2021-03-22 20:23:32 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/399d6e4a-6522-42a0-baff-994f150917a4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/126277/
Detection(s):
PUA.Win.File.Generic-7557964-0
Create hunting rule

PUA.Win.File.Zegost-9629018-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Sending a UDP request
Creating a process from a recently created file
Deleting a recently created file
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad.spyw
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/648660
Signature
Allocates memory in foreign processes
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Certutil Command
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 373292 Sample: 3MWIYkDesa.exe Startdate: 22/03/2021 Architecture: WINDOWS Score: 96 50 Multi AV Scanner detection for submitted file 2->50 52 Sigma detected: Suspicious Certutil Command 2->52 10 3MWIYkDesa.exe 14 2->10         started        process3 process4 12 cmd.exe 1 10->12         started        14 cmd.exe 1 10->14         started        signatures5 17 cmd.exe 1 12->17         started        20 conhost.exe 12->20         started        70 Uses ping.exe to sleep 14->70 72 Uses ping.exe to check the status of other devices and networks 14->72 22 conhost.exe 14->22         started        process6 signatures7 48 Uses ping.exe to sleep 17->48 24 dowbuxaafml.com 17->24         started        27 certutil.exe 3 2 17->27         started        30 PING.EXE 1 17->30         started        33 3 other processes 17->33 process8 dnsIp9 66 Contains functionality to inject code into remote processes 24->66 35 dowbuxaafml.com 24->35         started        42 C:\Users\user\AppData\...\dowbuxaafml.com, PE32 27->42 dropped 68 Drops PE files with a suspicious file extension 27->68 46 127.0.0.1 unknown unknown 30->46 file10 signatures11 process12 signatures13 54 Writes to foreign memory regions 35->54 56 Allocates memory in foreign processes 35->56 58 Injects a PE file into a foreign processes 35->58 38 notepad.exe 35->38         started        process14 dnsIp15 44 80.82.77.221, 49719, 49726, 49731 INT-NETWORKSC Netherlands 38->44 60 System process connects to network (likely due to code injection or exploit) 38->60 62 Contains functionality to infect the boot sector 38->62 64 Tries to harvest and steal browser information (history, passwords, etc) 38->64 signatures16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4d71bbe32ad8828d3ed66fb0ea352086181390391bab0960298fad620b61eee7/
Threat name:
Win64.Trojan.Barys
Create hunting rule
Status:
Malicious
First seen:
2021-03-22 20:14:17 UTC
AV detection:
12 of 47 (25.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jvy3xyzk3cbi2pwwn6younjaqymbhebzdovqsybjr6wwec3b53tq._file
Verdict:
unknown
Similar samples:
22f8d1582e34c1754955d616542d3bf5e784d357ed58dd45e6bc3a5df9c82446
ModiLoader
3b63323d965a34d9a828593150e9c765b085eb844c8c1596a86def9b623e099e
ModiLoader
5d0b09993c8b1d6de2ab162c32f2c36fb250b5a8051fbde5d5bcf9e8142ef75d
ModiLoader
620afc2abbee35a3927169681326c1f1800030fd02c77eef6a49550978a41257
ModiLoader
872c552974708cea64df67fd5ae841611ff951f8c8d5230e611cec5f062bfa1f
ModiLoader
883bd670d55447865cc753c58efafc0c26c17c8d2b11b10f3bc9f70093abe507
ModiLoader
a1b2f18b48cbae1df244f074c9a7f1ccfd369aeb981c6a4964b36d5d9e0c487c
ModiLoader
b2a25a9f27131c62b7d78cd92136392c36b1c0323084627382c80b1d639bc3ae
ModiLoader
bb73a38d0a3977b6a7e548f33ff5bd687ea19f9230bb822bb3b9669b71d34879
ModiLoader
e01d9c12ce59def16d3aa593e461d13173b98d4cef9658834f756ff4edbfd3d7
ModiLoader
+ 53 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader bootkit persistence trojan
Link:
https://tria.ge/reports/210322-ms5tamgfws/
Behaviour
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Writes to the Master Boot Record (MBR)
Loads dropped DLL
Executes dropped EXE
ModiLoader First Stage
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
4d71bbe32ad8828d3ed66fb0ea352086181390391bab0960298fad620b61eee7
MD5 hash:
b305d95fa833495eca1fa9ab824a25e0
SHA1 hash:
18a87991e98013678713cf231f37787ab0c87512
Link:
https://www.unpac.me/results/328813ea-898f-40a9-90ee-3965e44c3a54/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Barys
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4d71bbe32ad8828d3ed66fb0ea352086181390391bab0960298fad620b61eee7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ModiLoader

Executable exe 4d71bbe32ad8828d3ed66fb0ea352086181390391bab0960298fad620b61eee7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1068778/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/126277/

Comments