MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a52acf5de13a2c4d6fa927727fb868db6d97220c5eb837ca307d19c0b7cf128. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ModiLoader

Vendor detections: 15

Intelligence 15 IOCs YARA File information Comments

SHA256 hash:	6a52acf5de13a2c4d6fa927727fb868db6d97220c5eb837ca307d19c0b7cf128
SHA3-384 hash:	3a6b80b9702dd34dab23ac3a74bdeabdbb51d53aa66fc405b3597b0c8da451dc4342bc4ac50db71fbf9604cc2535e22a
SHA1 hash:	e531536d6d5bbda967bdd80a9396824526e33fc1
MD5 hash:	7f3e057e3be4e692d646596f16db2668
humanhash:	skylark-california-vermont-five
File name:	Hngvotwwxqrrqpozdzjwcpzajkixghmqfz.exe
Download:	download sample
Signature	ModiLoader Create hunting rule
File size:	705'024 bytes
First seen:	2022-04-12 07:05:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	5d5050040f4c4e416770aa091e077eff (5 x FormBook, 2 x DBatLoader, 2 x RemcosRAT)
ssdeep	12288:hCUTK74suoEON+SvvkDnzg545S3JsDh21Zec4qO:wkKHuoE+/vI0icJsk1b
Threatray	7'988 similar samples on MalwareBazaar
TLSH	T11AE49E52B2B18E33D93F1A3D4C07979868337E136E1892972ED06E4C7F7A141297E1A7
File icon (PE):
dhash icon	0c321272b98ca6d9 (12 x Formbook, 7 x RemcosRAT, 5 x DBatLoader)
Reporter	lowmal3
Tags:	exe ModiLoader

Intelligence

File Origin

# of uploads :

# of downloads :

282

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

netwire

ID:

File name:

Hngvotwwxqrrqpozdzjwcpzajkixghmqfz.exe

Verdict:

Malicious activity

Analysis date:

2022-04-13 05:37:55 UTC

Tags:

netwire trojan rat

Link:

https://app.any.run/tasks/30d723de-33b6-4c9f-862f-b270e97178ce

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/262885/

Detection(s):

SecuriteInfo.com.Variant.Babar.33578.17781.23267.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

DNS request

Sending a custom TCP request

Creating a file

Running batch commands

Creating a process with a hidden window

Launching cmd.exe command interpreter

Launching the process to interact with network services

Launching a process

Using the Windows Management Instrumentation requests

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/13541/overview

Behaviour

MalwareBazaar

CheckScreenResolution

CheckCmdLine

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

control.exe keylogger packed

Link:

https://www.filescan.io/uploads/625524db482f2f41ca9e2700/reports/3d9663b6-a316-4514-a14c-9bdc21fc1bd7/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

NetWire RAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fbdeca5c-be98-4cab-8849-1587cbf6e2d1

Result

Threat name:

DBatLoader NetWire

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/975122

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Internet Explorer form passwords

Creates a thread in another existing process (thread injection)

Found evasive API chain (may stop execution after checking mutex)

Found malware configuration

Found stalling execution ending in API Sleep call

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Program Location with Network Connections

Writes to foreign memory regions

Yara detected DBatLoader

Yara detected NetWire RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6a52acf5de13a2c4d6fa927727fb868db6d97220c5eb837ca307d19c0b7cf128/

Threat name:

Win32.Spyware.AveMaria

Status:

Malicious

First seen:

2022-04-12 07:06:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=njjkz5o6cormjvx2sj3sp64grw3ns4rayxvyg7fda7izyc346eua._file

Verdict:

malicious

Label(s):

netwirerc

ModiLoader

48d05f98dc0e107ca09492b3f4e3728464d8c844870057c0aabc728f0043b2f7

ModiLoader

4fc5c83ab8d45e9b46bc1ab2a20e653d868e57f357b7f5b4ba433706594bc2ca

ModiLoader

53e50cd638abfb79fd2e29d0b2c39305c937852b1c314b06358b37d73bd31e98

ModiLoader

b324d1babd989b4a671dff38634d8eaba21673730315b40f2005b28c4732a5b6

ModiLoader

c122639d652908b10751cb546a1c48e753427aa4d74f6a638fcb6c829b65e12f

ModiLoader

dfc8f0a7456a2b40908d901c2468d372bd859abda04e50ef4cf45ec84668cdcb

ModiLoader

ea43c71d7ec447e2483c7f0c8488972648209f2b487f2e6e64227d3d729c1d88

ModiLoader

fb8a339c0426e7443a8a557a8db6745d4510abe1086a0ecad45493bbcab97fca

ModiLoader

+ 7'978 additional samples on MalwareBazaar

Result

Malware family:

netwire

Score:

10/10

Tags:

family:modiloader family:netwire botnet persistence rat stealer trojan

Link:

https://tria.ge/reports/220412-hw3gysbdg9/

Behaviour

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Drops file in System32 directory

Adds Run key to start application

ModiLoader, DBatLoader

NetWire RAT payload

Netwire

Unpacked files

SH256 hash:

4f921407dc157cd3ec27cf0bfb6bba1e1b5463076526378fa65e8121288a774b

MD5 hash:

f125d9101ccc3b42b5a847f8182b85e5

SHA1 hash:

c2f18fe8876110488df97d0818e0dd3cb89b0105

Detections:

win_dbatloader_w0

Link:

https://www.unpac.me/results/7fb3582c-4e52-4b60-a139-8c22c1c68c79/

Parent samples :

3e25c1a249031c7ec06d4d6ad15a9dcd9f6cf0a72053663ebdd7a31eafb59c35
710c03f2e039d3bde583d2fa87faa58d17cbe6655a31b1e4e7890bf9687952c5
3bdc8a2cdae7fb2ab12ead1f0ced298aefb6cdcd9d35e88295a71192e193d481
805d05e4bc4ea60742052443cb9e2a4b3527aee8f311862ed37ec98559884555
571776f9f0168eb83034055ce51c1c72d1dcc6cb10445ac4de70104f97a170ff
2bc652d367cd94c0eb550959e49567754d73f8eb19a485cc229ffe4caab5605d
afb058fdd8aa200fe754289c9b48d8876f4bbd7cbcefc964742d76c32a990340
7ac202314f674281f31bad6e38a61c4bdd54c07f14b6dfd260d0665b8f2d0fa5
4690e84717b8b884bec65eddf700c6c99cfd19ebacbeadd766f9c3088c291112
03632b99b5401681e8dacf45710bfce9919f840843b836bad53c3113dacb097e
7cb6095dfefda254e0f96c3613cddcbcff7ce50b57a78e7f369d846d222eef49
82fc93baeea70f5e1c60ea976212b5cd2a33402ede66cd0efb059eaa5fae8150
b931f34008a112398ad48f0bd4e2e955dd7385bcc5cafd41cdb2220f26bddc44
6353828ddb8f70dd9a535d3314ac328b044539563334f093173b86fd96e24707
687b7b359a5cac51eeb2d8bd04b147bdca3af96f148c2e560b3aff235d48e6b0
bea87dfd8f3d79c5948163bb57da34a9c86b798817c9e5b9c8f169175b3f2a33
27309bb8844a4d48af2527787b781fdac2917d6f75f870743428a3e7aa44fc1a
fcc249e21fb278d56fcc3758f3b5f3730420688791b2195255ae8e6cc4bc5334
a421a1405a23a9e8e3807cee8c264a3068171e19f01f3d00e318a1757024db18
ee0e3ef0d4e024fee83ad9744a0c2fda54ea009c099144d7f3f5972b0e3c7c4d
4f921407dc157cd3ec27cf0bfb6bba1e1b5463076526378fa65e8121288a774b
70784bb09d094929ecd5666ae8d5ee613c7dbee18a21b009595f0b19777f5ec5
3f402617d9bbe740d49a4c0e0b17e4c704a11f04ad5c708a08c5a6988e7c181f
c122639d652908b10751cb546a1c48e753427aa4d74f6a638fcb6c829b65e12f
5a66917ff5fd5809f0c83a8240aeb983799f54916c0f45d2f1af61de5b7741f1
ac749d4dc15be0711d85256e946a41958427a7468dc3e15f0069d3691364c45a
c130e105a03b4d144a63a8be13f6c84aa4bb01df2a566756e022e79bec487c20
6a52acf5de13a2c4d6fa927727fb868db6d97220c5eb837ca307d19c0b7cf128
9ef6b1868ca09cf927398496746dc5c1e73980fe7e3c1ffe4f45004a1f11d16b
75b7d30e6f26fbb3fbac284ed75356cc874e73365764130209d4937d80a6c80d
08c0273e2bd04a047d150303d4cd05076c2d2877afa82543ce43fc8296d86a7c
dcccbb97201914164dc8bed003f14daadfa300a6206b7ce835f6c7ee8b686405
3e755ebc4b3e451616df6473cf0f804e3c0d79e06e4f7bd54f94544848961f12
d228e18c458c31492267b3167e1bde3b8702de493ea612d0ecf400835f490982
6097ee7a7f386804b11c435db24b34c3e54bb26b4cb4569c6c8c06f471513c73
c97ea7770bdc793b6e4f5ecdd0ab4454b51475faebb2368f338f620b353a0db1
6db572b2a372da55a29c00656ffdc03d279b01a57eaf854f58441847d3915ebc
9ea23f24620fd64243f22df105d30b97810377238aed2fd83aa31665198175db
26b24f28b0173c020071085d65b260207d5856a8a93c1c1acce7d5cca5e8835f
101159b2df3d82639b34a56f1b72524504492b91c80543689484a6e4ead0848c
a51e73ec5bca72dcebd78f128e76fa4bcb942ee0509d9c549e721806301a3e13
5be80161a65053eed5a2e9f84fd3c28eed3b40df540614ac86b56f6c5a3a5233
c27f65a625e611d0d29febe606a4e48421b30085f1536fe18fa8d41e665ccced
240970ef6292a02db1cd7c6fec1aa55036b11a20a3bed21318a056f9063e5088

SH256 hash:

6a52acf5de13a2c4d6fa927727fb868db6d97220c5eb837ca307d19c0b7cf128

MD5 hash:

7f3e057e3be4e692d646596f16db2668

SHA1 hash:

e531536d6d5bbda967bdd80a9396824526e33fc1

Link:

https://www.unpac.me/results/7fb3582c-4e52-4b60-a139-8c22c1c68c79/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/6a52acf5de13/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6a52acf5de13a2c4d6fa927727fb868db6d97220c5eb837ca307d19c0b7cf128

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

exe 6a52acf5de13a2c4d6fa927727fb868db6d97220c5eb837ca307d19c0b7cf128

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/262885/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample