MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a8eebf6eada42c5c69de9a87a982c5d5654f681cebd074d924856a5ea54517b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ModiLoader

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	7a8eebf6eada42c5c69de9a87a982c5d5654f681cebd074d924856a5ea54517b
SHA3-384 hash:	9604db6a916afce7eaa281c18d74d0fc23e41e2bb89ad634a6dc9df193ed38cdb2f84303e08130c857b26439df1a6a03
SHA1 hash:	c09ab6301b41dbc56a13055bd2f1c4a6449ead1f
MD5 hash:	2b8f56aded46aa04a89c3a7266a305c4
humanhash:	hot-michigan-four-rugby
File name:	Transferencia,pdf.scr
Download:	download sample
Signature	ModiLoader Create hunting rule
File size:	904'192 bytes
First seen:	2021-01-12 18:08:16 UTC
Last seen:	2021-01-12 19:49:08 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	64358d6f08cc1315b22d09caf06d11de (3 x ModiLoader, 1 x Formbook, 1 x Loki)
ssdeep	12288:8xo8KOEfGe3aw42Tv9aW3G2jj7oLj2xmhAQhjJRKwmvCRqlZVpiiiiiOvp:8aFuIb4oH0DRjJRgCclZ7iiiiiM
Threatray	253 similar samples on MalwareBazaar
TLSH	7B155A36B6907576F27106358C0BD270CD29AF33291B366A1AEAB9CF5D303C5E817972
Reporter	abuse_ch
Tags:	ModiLoader scr

abuse_ch

Malspam distributing unidentified malware:

HELO: box0.jmxtrades.xyz
Sending IP: 206.189.208.236
From: PAGOS <contabilidad@jmxtrades.xyz>
Subject: Re: DEVOLUCIÓN DE PAGO TT (Ref 0180066743)
Attachment: Transferencia,pdf.001 (contains "Transferencia,pdf.scr")

Intelligence

File Origin

# of uploads :

# of downloads :

163

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Transferencia,pdf.scr

Verdict:

Malicious activity

Analysis date:

2021-01-12 18:56:39 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a40923c0-6d05-49b3-bf0b-b54540356492

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/111592/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Clean

Maliciousness:

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/579337

Signature

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7a8eebf6eada42c5c69de9a87a982c5d5654f681cebd074d924856a5ea54517b/

Threat name:

Win32.Trojan.Delf

Status:

Malicious

First seen:

2021-01-12 14:41:52 UTC

AV detection:

17 of 29 (58.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pkhox5xk3jbmlru55guhvgbmlvlfj5ubz26qotmsjblkl2sukf5q._file

Verdict:

malicious

ModiLoader

1a6005150f2c8552de4e87d9d3fba389e0c0ba003c5ba6ea2f6d68c91aa6db1d

ModiLoader

4e95bcf9cf3ddc47f0ac38cf8657a7e4e136e6204dff183aa302263280cf9c48

ModiLoader

668c31c58c0816f31b863d088cb88ff43f7c69aeae0e21734f96dd9a5992a872

ModiLoader

720e61fb0432f8b6beb2c3c16f78d96de2868e2549b8fb73f4fe43afe9f2960b

ModiLoader

a4fb793dd11e5ed81d42933185343398edfc35894313d64eca38e672f2d95419

ModiLoader

bc4bab61ab8b90451441bacba2edad8c1acd2a93c0318f4f4aa303627c4e7e3a

ModiLoader

c901b6665268a9f5eeaa9e29c8fe5b9fbacbdce09be63191fc137ce573898fe7

ModiLoader

d74a4cdc37bedadf721932a6118039ab332781ccbb8f00d9c763da4602ef6fda

ModiLoader

df049efbfa7ac0b76c8daff5d792c550c7a7a24f6e9e887d01a01013c9caa763

ModiLoader

+ 243 additional samples on MalwareBazaar

Result

Malware family:

modiloader

Score:

10/10

Tags:

family:modiloader spyware

Link:

https://tria.ge/reports/210112-vc51ytdq9n/

Behaviour

Modifies system certificate store

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Suspicious use of SetThreadContext

Drops desktop.ini file(s)

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

7a8eebf6eada42c5c69de9a87a982c5d5654f681cebd074d924856a5ea54517b

MD5 hash:

2b8f56aded46aa04a89c3a7266a305c4

SHA1 hash:

c09ab6301b41dbc56a13055bd2f1c4a6449ead1f

Link:

https://www.unpac.me/results/71bbd049-f0c0-4b45-b251-2d2cffd70ee9/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Farheyt

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/7a8eebf6eada42c5c69de9a87a982c5d5654f681cebd074d924856a5ea54517b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

rar 507756c82815da06aac13081368a1833bbdcc752b852e7d5caa1080d84c7eb66

ModiLoader

exe 7a8eebf6eada42c5c69de9a87a982c5d5654f681cebd074d924856a5ea54517b

(this sample)

Dropped by

MD5 d3f37f5a203bd0460e8b8584a8eb5d19

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 507756c82815da06aac13081368a1833bbdcc752b852e7d5caa1080d84c7eb66

Cape

https://www.capesandbox.com/analysis/111592/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample