MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b2232160ba59858c112d6dcb2252701cdb5c1e38b216fb046bd13718c2716ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ModiLoader
Vendor detections: 11



SHA256 hash: 7b2232160ba59858c112d6dcb2252701cdb5c1e38b216fb046bd13718c2716ce
SHA3-384 hash: dc3ec57e51bf2cf2d6c8cedeb5e23bb8580d81514a55a49da043f2db9a44d11c774681c46c7e5e31312ad72558257f38
SHA1 hash: 4b3949bfa4008a271c0cff83eb0dde4252b72bc5
MD5 hash: 7b03e335a63326fc0a65385c9c1799dd
humanhash: beer-item-dakota-vegan
File name: 7b03e335a63326fc0a65385c9c1799dd.exe
Signature: ModiLoader
File size: 824'832 bytes
First seen: 2022-01-24 07:00:13 UTC
Last seen: 2022-01-24 09:10:51 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 383956ea18282127e324bfe49359b41a (1 x ModiLoader)
ssdeep: 24576:pF7e/6olMnlSlNOW8a0NN2Wj6PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPG:pFcldu7T2lg
Threatray: 8 similar samples on MalwareBazaar
TLSH: T18E057B62F281C437D5730A748C1B93E99C3DBE102E98B84E6AE89D0DDE392533525D9F
dhash icon: e4f0d0d0f0d4d4e8 (9 x Formbook, 4 x RemcosRAT, 2 x ModiLoader)
Reporter: abuse_ch
Tags: exe ModiLoader

Intelligence


File Origin
# of uploads: 2
# of downloads: 188
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Creating a window
DNS request
Sending an HTTP GET request
Creating a file
Unauthorized injection to a recently created process
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Running batch commands
Creating a file in the %temp% directory
Launching a process
Launching the process to change network settings
Searching for synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: control.exe keylogger remote.exe
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Malicious Packer
Verdict: Malicious
Result
Threat name: Vulturi Stealer
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Capture Wi-Fi password
Sigma detected: Koadic Execution
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file / registry access)
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
Uses ping.exe to check the status of other devices and networks
Yara detected Vulturi Stealer
Behaviour
Behavior Graph: [behavior graph, ID 558549; sample yJjYXA8bsB.exe; start date 24/01/2022; architecture WINDOWS; score 100]
Threat name: Win32.Trojan.SpyNoon
Status: Malicious
First seen: 2022-01-24 06:05:04 UTC
File Type: PE (Exe)
Extracted files: 75
AV detection: 22 of 28 (78.57%)
Threat level: 5/5
Result
Malware family: modiloader
Score: 10/10
Tags: family:modiloader collection discovery persistence spyware stealer trojan
Behaviour
Checks processor information in registry
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system
Deletes itself
Reads user/profile data of web browsers
ModiLoader Second Stage
ModiLoader, DBatLoader
Unpacked files
SHA256 hash: 9cebbcef1bd6016dfebf4c69f4c49501d914d5a8607777eba952d7ad40346f9a
MD5 hash: 322f2da5c29542aaecc9ee17e1fe7f00
SHA1 hash: 734c432e2595d53c82ee28604f909d3390018dd8
Detections: win_dbatloader_w0
Parent samples:
SHA256 hash: 7b2232160ba59858c112d6dcb2252701cdb5c1e38b216fb046bd13718c2716ce
MD5 hash: 7b03e335a63326fc0a65385c9c1799dd
SHA1 hash: 4b3949bfa4008a271c0cff83eb0dde4252b72bc5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download | ModiLoader | Executable exe 7b2232160ba59858c112d6dcb2252701cdb5c1e38b216fb046bd13718c2716ce (this sample)

Delivery method: Distributed via web download
