MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7826e058402d9d6fc6d3225479039c0f03a505622d80fd03c4bd4a7985d4c062. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ModiLoader

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	7826e058402d9d6fc6d3225479039c0f03a505622d80fd03c4bd4a7985d4c062
SHA3-384 hash:	4af258b42187d548fc0f6a993bcc0edaee79ed96eddb84c9f07690fa4c738970c2da571db43e7a809e78ffceb2956c0e
SHA1 hash:	a9020303cad4842900907d014a7733424d1cf4ab
MD5 hash:	93940f1ef9135cb6b55adf94a898c102
humanhash:	lima-mike-montana-river
File name:	Tramplink LLC
Download:	download sample
Signature	ModiLoader Create hunting rule
File size:	746'920 bytes
First seen:	2020-09-24 07:41:52 UTC
Last seen:	2020-11-01 10:13:40 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:TPh0++ri2B3EsvCD+jT5PtrWHtCTtJX1uUnIu+gNN4tE9fy1+hdcghy:TZ0RrikUsvCDi5VQsXlIvIqzN
Threatray	8 similar samples on MalwareBazaar
TLSH	0AF4BD0035A63F6AD6784BF80144B872C3B160A2726AD3947F9720FE56E5BD13EB9707
Reporter	JAMESWT_WT
Tags:	ModiLoader signed Tramplink LLC

Code Signing Certificate

Organisation:	Tramplink LLC
Issuer:	Sectigo RSA Code Signing CA
Algorithm:	sha256WithRSAEncryption
Valid from:	Sep 18 00:00:00 2020 GMT
Valid to:	Sep 18 23:59:59 2021 GMT
Serial number:	5FB6BAE8834EDD8D3D58818EDC86D7D7
Intelligence:	2 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:	This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:	SHA256
Thumbprint:	026868BBC22C6A37094851E0C6F372DA90A8776B01F024BADB03033706828088
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

3

# of downloads :

105

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/65270/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.1589.31919.493.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a recently created process

Creating a file

Enabling autorun by creating a file

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/474062

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Contains functionality to infect the boot sector

Contains functionality to steal Chrome passwords or cookies

Injects a PE file into a foreign processes

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7826e058402d9d6fc6d3225479039c0f03a505622d80fd03c4bd4a7985d4c062/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-09-22 13:39:49 UTC

File Type:

PE (.Net Exe)

Extracted files:

15

AV detection:

20 of 29 (68.97%)

Threat level:

5/5

Verdict:

malicious

Similar samples:

01053beaa477c1cbf38cd7914244da9e75a22f59568056048fefde017503226e

099b24e1801dfdab9db3a4ccf2e57f187c119fd826b8645e6c494d3fda457721

af910e755d963e281b1d652fc3cbe38d71db63afdaf29043c5edd5b707aefc1e

b419388d90afae438580cfb282413b38b0aa9b219c61ec2291c4a76f2e696f39

cbef9f75a09b4a90f5fe320f79ffbf7255c884f6f9da7afa04e8410dc5271a21

d6e1a688daa6611f7ff1ebf6724c3ccdabc18b97b1f606ec7bc141d8b81e1082

e76dbde4aabc5707baa53641e9fca2eba239b0a6e9339e12627f2c767d435279

fd427caee9d158cc48ba9b5a0ecd3243a77b354f07321a5f80e5fdcde17aed9f

Result

Malware family:

modiloader

Score:

10/10

Tags:

trojan family:modiloader bootkit persistence

Link:

https://tria.ge/reports/200924-yhd73rl4kj/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Writes to the Master Boot Record (MBR)

ModiLoader First Stage

ModiLoader, DBatLoader

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7826e058402d9d6fc6d3225479039c0f03a505622d80fd03c4bd4a7985d4c062

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

Cape

https://www.capesandbox.com/analysis/65270/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample