MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 791371bc79a77815d56c9bcbfc2b2abebd3b7cb05e3eb1966e425ce1892e13a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 791371bc79a77815d56c9bcbfc2b2abebd3b7cb05e3eb1966e425ce1892e13a4
SHA3-384 hash: 149f0402aef7f4a70ee43ec5cbf41f927ed00742cf2f6465c94b1f42cee9f9b744415e92053b6d88392454a36c9dbe48
SHA1 hash: 598d23302fe3e61d72c3a6a784aea426f0efd756
MD5 hash: cc3713d38a57b8c5adf96e6aa398357d
humanhash: berlin-oxygen-august-maine
File name:Zlwuvbm_Signed_.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'236'824 bytes
First seen:2020-10-08 04:35:38 UTC
Last seen:2020-10-09 04:59:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 624fe783ce1fbfc247a3c0409d1b1239 (6 x ModiLoader)
ssdeep 12288:DpP5SyQ9wblP2AB469py931hFrPRDfI4xZLx7kX89p0vx7yUDs+O:DpR26vZy93NpTjxjkM9p0Q
Threatray 533 similar samples on MalwareBazaar
TLSH 3E456D12B291CC36C1E22A749C4FC6A8A926BE407D27A84736E43F4DBF797513439297
Reporter GovCERT_CH
Tags:ModiLoader

Intelligence

File Origin
# of uploads :
12
# of downloads :
98
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69058/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Sending an HTTP POST request
Creating a file in the %temp% subdirectories
Deleting a recently created file
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Result
Threat name:
AZORult
Create hunting rule
Detection:
malicious
Classification:
phis.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/484873
Signature
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Detected AZORult Info Stealer
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 294879 Sample: Zlwuvbm_Signed_.exe Startdate: 08/10/2020 Architecture: WINDOWS Score: 100 56 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 Detected AZORult Info Stealer 2->60 62 4 other signatures 2->62 6 Zlwuvbm_Signed_.exe 1 15 2->6         started        11 Zlwunek.exe 13 2->11         started        13 Zlwunek.exe 13 2->13         started        process3 dnsIp4 34 discord.com 162.159.128.233, 443, 49740, 49741 CLOUDFLARENETUS United States 6->34 36 cdn.discordapp.com 162.159.130.233, 443, 49742 CLOUDFLARENETUS United States 6->36 32 C:\Users\user\AppData\Local\...\Zlwunek.exe, PE32 6->32 dropped 64 Writes to foreign memory regions 6->64 66 Allocates memory in foreign processes 6->66 68 Injects a PE file into a foreign processes 6->68 15 ieinstal.exe 63 6->15         started        38 162.159.134.233, 443, 49764 CLOUDFLARENETUS United States 11->38 40 162.159.138.232, 443, 49762, 49763 CLOUDFLARENETUS United States 11->40 20 ieinstal.exe 12 11->20         started        42 162.159.133.233, 443, 49761 CLOUDFLARENETUS United States 13->42 44 162.159.136.232, 443, 49759, 49760 CLOUDFLARENETUS United States 13->44 70 Multi AV Scanner detection for dropped file 13->70 22 ieinstal.exe 13->22         started        file5 signatures6 process7 dnsIp8 46 37.49.225.188, 49743, 49758, 49765 SQUITTER-NETWORKSNL Estonia 15->46 24 C:\Users\user\AppData\...\vcruntime140.dll, PE32 15->24 dropped 26 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32 15->26 dropped 28 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 15->28 dropped 30 45 other files (none is malicious) 15->30 dropped 48 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->48 50 Tries to steal Instant Messenger accounts or passwords 15->50 52 Tries to steal Mail credentials (via file access) 15->52 54 4 other signatures 15->54 file9 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/791371bc79a77815d56c9bcbfc2b2abebd3b7cb05e3eb1966e425ce1892e13a4/
Threat name:
Win32.Trojan.RemcosCrypt
Create hunting rule
Status:
Malicious
First seen:
2020-10-08 04:37:06 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pejxdpdzu54blvlmtpf7ykzkx26tw7fqly7ldftoijoodcjocosa._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
00a59bd4f68fa1f661435296736f595c1e20968ce22c21afc2f56099cbb2a600
ModiLoader
308c96557c6be5d4519ba4bac38c23e611c7b61683cfc1063a6009e216c24f5e
ModiLoader
483c603c9fb09c2e908d782f7e6f3f04e6e26b7eaaf8ac637733a4e4a32c80e7
ModiLoader
5b9ece9761c68e4a604443f7541a1de74282f19a49f347a56a9ea4f02855f866
ModiLoader
8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464
ModiLoader
8f3b6a725b06abd223aa214244ba4756cba52419dd116506744c386133a805fe
ModiLoader
b553eccde98f7d193d5518a765c8a22eb65dd5f29026c96045892c47525536de
ModiLoader
bdfab1d388e83c33d6f0f055225f812165fe09ba813559e539be7ac9165e33ed
ModiLoader
c8dda41b34e9b16da333bfa30653a6f46be67c657158ecfd2c0463903b01e54d
ModiLoader
f09dc0b3275b4c1e3a616911805011c2871af1407599493dc980b6987cb313eb
ModiLoader
+ 523 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
persistence trojan family:modiloader infostealer family:azorult
Link:
https://tria.ge/reports/201008-xj1rgxkv3s/
Behaviour
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Azorult
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
791371bc79a77815d56c9bcbfc2b2abebd3b7cb05e3eb1966e425ce1892e13a4
MD5 hash:
cc3713d38a57b8c5adf96e6aa398357d
SHA1 hash:
598d23302fe3e61d72c3a6a784aea426f0efd756
Detections:
win_dbatloader_auto
Create hunting rule
Link:
https://www.unpac.me/results/b315c9b3-7e1c-40db-aae5-e87b34b9dfa1/
SH256 hash:
a069cacc32e3fc49775b75d0226253185fe0fe8a8642b1a09ec31b21c776cbf8
MD5 hash:
4e6f464145a4df0c4b150ac1ad30f90d
SHA1 hash:
1877b7f9167cde8129e9ebe32d987de8e23602a3
Detections:
win_dbatloader_g0
Create hunting rule
win_dbatloader_auto
Create hunting rule
Link:
https://www.unpac.me/results/b315c9b3-7e1c-40db-aae5-e87b34b9dfa1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/791371bc79a77815d56c9bcbfc2b2abebd3b7cb05e3eb1966e425ce1892e13a4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_dbatloader_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

zip aac127abd6acac09a855ac5084a5dc9965179625b49b18f5fe597d269a1d9f17

ModiLoader

Executable exe 791371bc79a77815d56c9bcbfc2b2abebd3b7cb05e3eb1966e425ce1892e13a4

(this sample)

  
Dropped by
MD5 dc5b6b4c272411afc7ffa6dce7d28635
  
Dropped by
SHA256 aac127abd6acac09a855ac5084a5dc9965179625b49b18f5fe597d269a1d9f17
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69058/

Comments