MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60d7b2ab0fb53d37576c2edd50231cc82e87d0c0cee85afddac247cb795164c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 60d7b2ab0fb53d37576c2edd50231cc82e87d0c0cee85afddac247cb795164c3
SHA3-384 hash: 5db59ec2b8cc0632d2e18d485869138f406b484227f408737fe4f1988e62fdcc8f62f8530851b8ea525d21d646556717
SHA1 hash: 777d44687641b48837cc46604166c995aab338ea
MD5 hash: 863a5de839dc654688f60fcf7169a393
humanhash: california-kansas-east-bulldog
File name:Scan_SOA Updated June 2020--06-29-reconciled_.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:814'849 bytes
First seen:2020-07-30 07:11:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 28121b56cd03905523efa8ccdf3ce04d (3 x ModiLoader)
ssdeep 12288:g6rg301OuI2D0ibdVu8XF2NZh9IDr2duNR6wN42SSy1aeUV7D/1h8G1j:gAE2gibWI2NZgDrHX5SbaeUVH1hf
Threatray 649 similar samples on MalwareBazaar
TLSH EA05AE62E69C4437C1632978CE1B56B96836BE533E289C473BF88D9C4F7934078262D7
Reporter abuse_ch
Tags:exe ModiLoader


Avatar
abuse_ch
Malspam distributing ModiLoader:

HELO: macnelsindia.com
Sending IP: 185.222.58.149
From: "Accounts Gowtham" <accountsmaa@macnelsindia.com>
Subject: RE: MAC-NELS & MACOLINE SOA - Reconcilled.
Attachment: Scan_SOA Updated June 2020--06-29-reconciled_.r00 (contains "Scan_SOA Updated June 2020--06-29-reconciled_.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/35328/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Deleting a recently created file
Setting a single autorun event
Unauthorized injection to a system process
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/403232
Signature
Allocates memory in foreign processes
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Sigma detected: Suspicious Svchost Process
Tries to steal Mail credentials (via file access)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 253844 Sample: Scan_SOA Updated June 2020-... Startdate: 30/07/2020 Architecture: WINDOWS Score: 100 64 g.msn.com 2->64 74 Malicious sample detected (through community Yara rule) 2->74 76 Yara detected AveMaria stealer 2->76 78 Contains functionality to hide user accounts 2->78 80 6 other signatures 2->80 9 Scan_SOA Updated June 2020--06-29-reconciled_.exe 1 16 2->9         started        14 Daxdsec.exe 14 2->14         started        16 Daxdsec.exe 13 2->16         started        signatures3 process4 dnsIp5 68 cdn.discordapp.com 162.159.129.233, 443, 49733, 49748 CLOUDFLARENETUS United States 9->68 62 C:\Users\user\AppData\Local\Daxdsec.exe, PE32 9->62 dropped 88 Writes to foreign memory regions 9->88 90 Allocates memory in foreign processes 9->90 92 Creates a thread in another existing process (thread injection) 9->92 18 ieinstal.exe 3 2 9->18         started        22 notepad.exe 4 9->22         started        24 svchost.exe 1 9->24         started        70 162.159.135.233, 443, 49746 CLOUDFLARENETUS United States 14->70 94 Machine Learning detection for dropped file 14->94 96 Injects a PE file into a foreign processes 14->96 26 notepad.exe 14->26         started        28 ieinstal.exe 14->28         started        72 192.168.2.1 unknown unknown 16->72 30 notepad.exe 16->30         started        32 ieinstal.exe 16->32         started        file6 signatures7 process8 dnsIp9 66 story43.ddns.net 84.38.135.151, 3670, 49742 DATACLUBLV Latvia 18->66 82 Tries to steal Mail credentials (via file access) 18->82 84 Increases the number of concurrent connection per server for Internet Explorer 18->84 86 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->86 34 cmd.exe 1 22->34         started        36 cmd.exe 1 22->36         started        38 cmd.exe 26->38         started        40 cmd.exe 26->40         started        42 cmd.exe 30->42         started        44 cmd.exe 30->44         started        signatures10 process11 process12 46 conhost.exe 34->46         started        48 reg.exe 1 1 34->48         started        50 conhost.exe 36->50         started        52 conhost.exe 38->52         started        54 conhost.exe 40->54         started        56 conhost.exe 42->56         started        58 reg.exe 42->58         started        60 conhost.exe 44->60         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/60d7b2ab0fb53d37576c2edd50231cc82e87d0c0cee85afddac247cb795164c3/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-30 05:19:09 UTC
AV detection:
39 of 48 (81.25%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mdl3fkypwu6tov3mf3ovaiy4zaxipugaz3ufv7o2yjd4w6krmtbq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
07c550d81a89943f6d836816d7ab56678cecba4450ec4de144e53e913302b1a9
ModiLoader
4fa4af45c70295513c486589c0e36e7436be6abbf3c75e97b544db959e9dfcb5
ModiLoader
51966d322a39d2b7c08c85a58e19b558ab678862385be75ab90e69b84fde583f
ModiLoader
57f4246d683336ab606ba5831ce88a0ff47a42de652f72795fe76169195821e1
ModiLoader
7ff8f569a151047f25f2f858e562e4b5b54d9af822105780f6c8a91ec4740124
ModiLoader
90d5792fd0a2ab859f120bef8f12a28c8f7e4119a43054c22db57e76c7b386a0
ModiLoader
9d71c01a2e63e041ca58886eba792d3fc0c0064198d225f2f0e2e70c6222365c
ModiLoader
b2ebc0f8c302a04961b8c2ed0673384050e5932a370be062788b7630bf188123
ModiLoader
b44646b530b067dadca8a6b31582efa9b9738c068a209af3b1bb4d403bd574fc
ModiLoader
fd5a7b200d38d962d9dc74639994bb1ecf989ecc189a5c2d06bc5196120f4ea5
ModiLoader
+ 639 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/200730-6np3xxczjx/
Behaviour
Suspicious use of WriteProcessMemory
Modifies system certificate store
Modifies system certificate store
Suspicious use of WriteProcessMemory
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/60d7b2ab0fb53d37576c2edd50231cc82e87d0c0cee85afddac247cb795164c3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_dbatloader_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

r00 059dcad869c172a7286853ea954f24ac7695c41ba3b6fc28fd5d034ba0a3dddd

ModiLoader

Executable exe 60d7b2ab0fb53d37576c2edd50231cc82e87d0c0cee85afddac247cb795164c3

(this sample)

  
Dropped by
MD5 df1ba8b0136b02954e863a20b4cc22b3
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/35328/
  
Dropped by
SHA256 059dcad869c172a7286853ea954f24ac7695c41ba3b6fc28fd5d034ba0a3dddd

Comments