MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52fe1131c196f9b05130872ebe9a2eca93eaa6fab493f3ad5f06770184ddf227. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 52fe1131c196f9b05130872ebe9a2eca93eaa6fab493f3ad5f06770184ddf227
SHA3-384 hash: aa0e46756091597581cea41cc2dddf95f6cddc42f4917ca0d1301c3ec9578b548a06ea1609bfca1f5efa7157b2d47712
SHA1 hash: aec27f5d602bed5a769e386f85116d8b0d163ef9
MD5 hash: a92898a52f0a9fd16a17b52dfc2fa506
humanhash: montana-arizona-helium-oklahoma
File name:HSBC-098223.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:951'808 bytes
First seen:2020-10-26 14:18:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 911ad15eafc60c6c5da31e0ed83b95b8 (7 x ModiLoader, 1 x NetWire, 1 x RemcosRAT)
ssdeep 12288:oVCTeZF541To2ztd5/IEAHqDPD3PDQnA/g07SVllXweV+8YZqckawUNlY7RzjTOp:oVCCa1Rzt0EAHqf36EFAblujYYue
Threatray 560 similar samples on MalwareBazaar
TLSH CE159E1172A18837D5731B7A995F67B89E25FF042E2069473BFC688C4F76290387A2D3
Reporter abuse_ch
Tags:exe HSBC ModiLoader


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: h22.megalink.com
Sending IP: 200.75.160.22
From: SEB Bank <account@ptssyndicate.com>
Subject: Inkommande betalningsavisering
Attachment: HSBC-098223.iso (contains "HSBC-098223.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/79169/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/511753
Signature
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain checking for user administrative privileges
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 304995 Sample: Bank Pekao.exe Startdate: 26/10/2020 Architecture: WINDOWS Score: 100 38 efiigbo9.duckdns.org 2->38 50 Malicious sample detected (through community Yara rule) 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 Yara detected AveMaria stealer 2->54 56 7 other signatures 2->56 9 Bank Pekao.exe 1 15 2->9         started        14 Ufezdrv.exe 14 2->14         started        16 Ufezdrv.exe 13 2->16         started        signatures3 process4 dnsIp5 42 discord.com 162.159.128.233, 443, 49708, 49726 CLOUDFLARENETUS United States 9->42 44 cdn.discordapp.com 162.159.135.233, 443, 49709 CLOUDFLARENETUS United States 9->44 36 C:\Users\user\AppData\Local\...\Ufezdrv.exe, PE32 9->36 dropped 62 Writes to foreign memory regions 9->62 64 Creates a thread in another existing process (thread injection) 9->64 66 Injects a PE file into a foreign processes 9->66 18 ieinstal.exe 3 2 9->18         started        22 notepad.exe 4 9->22         started        46 162.159.129.233, 443, 49728, 49733 CLOUDFLARENETUS United States 14->46 48 192.168.2.1 unknown unknown 14->48 68 Multi AV Scanner detection for dropped file 14->68 24 ieinstal.exe 1 14->24         started        26 ieinstal.exe 1 16->26         started        file6 signatures7 process8 dnsIp9 40 efiigbo9.duckdns.org 185.140.53.130, 49725, 49727, 49731 DAVID_CRAIGGG Sweden 18->40 58 Increases the number of concurrent connection per server for Internet Explorer 18->58 60 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->60 28 cmd.exe 1 22->28         started        30 cmd.exe 1 22->30         started        signatures10 process11 process12 32 conhost.exe 28->32         started        34 conhost.exe 30->34         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/52fe1131c196f9b05130872ebe9a2eca93eaa6fab493f3ad5f06770184ddf227/
Threat name:
Win32.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2020-10-26 07:48:57 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kl7bcmobs343aujqq4xl5grozkj6vjx2wsj7hlk7az3qdbg56itq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
0629278e51106220eb8727f80f4c24cfb432e6344561e8518030b19b669bcc72
ModiLoader
210907c63a822466ef533403076830467ea49fd5fad67af25528ab558eeb9415
ModiLoader
3f6c0a695ed2c971594738b378b21b3bb936d424e4516216f34b4dff8aa063dc
ModiLoader
455ea8ac576f3d44ecb310e3068e3ff759c8d6bc43344a1ad11ea5762b85d201
ModiLoader
51966d322a39d2b7c08c85a58e19b558ab678862385be75ab90e69b84fde583f
ModiLoader
5cbed2f8a5fdadbd99816c4c8792bd51a2db7479f80bf70409f0f257f942d0c9
ModiLoader
82b070a42d50b8e37b551543e041933140f3823138b0997fccd4ad926df8183b
ModiLoader
d0bac6ada2cd0b49ac66bdaa4265e6cb61df1a4339f50cc7b7bdaade9029337e
ModiLoader
e4769506e482cbdbaeae35eb657e75cfb941ab66253770896493666b023851a5
ModiLoader
f908e0abb7cf81d0e8f6604cf08bf71a431a409a44073a1a5c542b1987f9cadc
ModiLoader
+ 550 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
rat infostealer family:warzonerat persistence trojan family:modiloader
Link:
https://tria.ge/reports/201026-7wgragagv2/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
ModiLoader First Stage
ModiLoader Second Stage
Warzone RAT Payload
ModiLoader, DBatLoader
WarzoneRat, AveMaria
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:MALWARE_Win_DLAgent03
Create hunting rule
Author:ditekSHen
Description:Detects known Delphi downloader agent downloading second stage payload, notably from discord

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

iso c48ee021d368f1f9d102d7b29c44682ac08baaf6bfe75228d3713f2d6eba5481

ModiLoader

Executable exe 52fe1131c196f9b05130872ebe9a2eca93eaa6fab493f3ad5f06770184ddf227

(this sample)

  
Dropped by
MD5 3600af9c2111cdbb05e3335e33da43ca
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 c48ee021d368f1f9d102d7b29c44682ac08baaf6bfe75228d3713f2d6eba5481
Cape
Cape
https://www.capesandbox.com/analysis/79169/

Comments