MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b9ece9761c68e4a604443f7541a1de74282f19a49f347a56a9ea4f02855f866. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5b9ece9761c68e4a604443f7541a1de74282f19a49f347a56a9ea4f02855f866
SHA3-384 hash: 5f19e9fba891634a234ef1495bd12f22a1129ec0e1cc9b2aa62e78efd4ac658522893fe789493f53563250818e32be28
SHA1 hash: 259433649a0268353667696d1c748b60242fc01e
MD5 hash: 67a6323ccb5c3b7aefadcf6df7f36b5d
humanhash: zulu-ceiling-whiskey-fifteen
File name:proforma invoice.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:863'232 bytes
First seen:2020-09-22 05:22:44 UTC
Last seen:2020-09-22 06:06:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 439993b730493c2b4079e5e7b242d080 (1 x ModiLoader)
ssdeep 12288:JDx2BnDygN0If7KvbFK7bNN91zc+o1Qb1qgPUxPHB5Ps9YOl8EgF3:Jgughf7KzFMdWEqgPUr5Psii
TLSH 86059D22F6E35C73E1222A39CD3B57785C26BE313E24AC4736E12D687F796417927182
Reporter GovCERT_CH
Tags:ModiLoader

Intelligence

File Origin
# of uploads :
4
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/64287/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Threat name:
AZORult
Create hunting rule
Detection:
malicious
Classification:
phis.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/472006
Signature
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Detected AZORult Info Stealer
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 288438 Sample: proforma invoice.exe Startdate: 22/09/2020 Architecture: WINDOWS Score: 100 52 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->52 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 8 other signatures 2->58 6 proforma invoice.exe 1 15 2->6         started        11 Jcgdnet.exe 14 2->11         started        13 Jcgdnet.exe 13 2->13         started        process3 dnsIp4 34 cdn.discordapp.com 162.159.133.233, 443, 49715 CLOUDFLARENETUS United States 6->34 32 C:\Users\user\AppData\Local\Jcgdnet.exe, PE32 6->32 dropped 60 Writes to foreign memory regions 6->60 62 Allocates memory in foreign processes 6->62 64 Injects a PE file into a foreign processes 6->64 15 ieinstal.exe 61 6->15         started        36 162.159.130.233, 443, 49728 CLOUDFLARENETUS United States 11->36 66 Multi AV Scanner detection for dropped file 11->66 68 Machine Learning detection for dropped file 11->68 20 ieinstal.exe 12 11->20         started        38 162.159.129.233, 443, 49733 CLOUDFLARENETUS United States 13->38 40 192.168.2.1 unknown unknown 13->40 22 ieinstal.exe 12 13->22         started        file5 signatures6 process7 dnsIp8 42 37.49.225.188, 49716, 49720, 49735 SQUITTER-NETWORKSNL Estonia 15->42 24 C:\Users\user\AppData\...\vcruntime140.dll, PE32 15->24 dropped 26 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32 15->26 dropped 28 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 15->28 dropped 30 45 other files (none is malicious) 15->30 dropped 44 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->44 46 Tries to steal Instant Messenger accounts or passwords 15->46 48 Tries to steal Mail credentials (via file access) 15->48 50 3 other signatures 15->50 file9 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5b9ece9761c68e4a604443f7541a1de74282f19a49f347a56a9ea4f02855f866/
Threat name:
Win32.Trojan.CryptInject
Create hunting rule
Status:
Malicious
First seen:
2020-09-22 05:19:51 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lopm5f3by2heuyceip3vigq545bif4m2jhzupjlkt2spakcv7bta._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
trojan infostealer family:azorult spyware persistence family:modiloader
Link:
https://tria.ge/reports/200922-ft82jdj8q2/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
JavaScript code in executable
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
ModiLoader First Stage
ModiLoader Second Stage
Azorult
ModiLoader, DBatLoader
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Cryptor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5b9ece9761c68e4a604443f7541a1de74282f19a49f347a56a9ea4f02855f866

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

zip 60d4eed190019c380053e2934059d757d2394953b77c9f1d4955e1864d4ebfa4

ModiLoader

Executable exe 5b9ece9761c68e4a604443f7541a1de74282f19a49f347a56a9ea4f02855f866

(this sample)

  
Dropped by
MD5 89103b1be521c65edc060ef2c2bb6269
  
Dropped by
SHA256 60d4eed190019c380053e2934059d757d2394953b77c9f1d4955e1864d4ebfa4
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/64287/

Comments