MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 823ac795c82f035c86b71f68c8e77eea1ef916c77502d78fc2081d3fd660cde0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ModiLoader


Vendor detections: 10



SHA256 hash: 823ac795c82f035c86b71f68c8e77eea1ef916c77502d78fc2081d3fd660cde0
SHA3-384 hash: c8e269fc151082f9a6a9341c273921b1a548afb2e504cb6887ba3ad4422c1dd7b4729c52b02616db3a03839238e69111
SHA1 hash: a51a3fd810e590db92a14dc44ab477c5cbc9a43a
MD5 hash: 138cb27a71d15bc43984cd355b612dfa
humanhash: gee-yellow-bluebird-kitten
File name: PURCHASE_ORDER#648190121.exe
Signature: ModiLoader
File size: 725'504 bytes
First seen: 2021-01-19 07:55:04 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5064414005440c05f6346292b90ee3f2 (7 x RemcosRAT, 3 x Loki, 2 x ModiLoader)
ssdeep: 6144:XY9xV0Zof7rY2hfRzeLp7vI0Foas/ZvGmCIIQUbJYaVHjqgCXUFJn60lL06BZzJ8:mxVyof7rYaf81stsbFYooXiJ6N6BbUd
Threatray: 504 similar samples on MalwareBazaar
TLSH: E6F47D66A2E80773C12B297D5C27E661AD257D0D3D29584A3BD43C0C9F393B2382D5AF
Reporter: abuse_ch
Tags: exe ModiLoader


abuse_ch
Malspam distributing unidentified malware:

HELO: regular1.263xmail.com
Sending IP: 211.150.70.195
From: Omega TCL-Purchase <zhangjb@liugong.com>
Subject: New order.
Attachment: PURCHASE_ORDER#648190121.rar (contains "PURCHASE_ORDER#648190121.exe")

Intelligence

File Origin
# of uploads: 1
# of downloads: 165
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: PURCHASE_ORDER#648190121.exe
Verdict: Malicious activity
Analysis date: 2021-01-19 08:05:34 UTC
Tags: rat agenttesla

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending an HTTP GET request
Creating a file
Deleting a recently created file
Launching a process
BSOD occurred
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Unauthorized injection to a system process

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.evad
Score: 80 / 100
Signature
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:

Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2021-01-19 07:55:14 UTC
AV detection: 10 of 46 (21.74%)
Threat level: 5/5

Result
Malware family: modiloader
Score: 10/10
Tags: family:agenttesla family:modiloader keylogger persistence spyware stealer trojan
Behaviour
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
AgentTesla
Unpacked files
SHA256 hash: 823ac795c82f035c86b71f68c8e77eea1ef916c77502d78fc2081d3fd660cde0
MD5 hash: 138cb27a71d15bc43984cd355b612dfa
SHA1 hash: a51a3fd810e590db92a14dc44ab477c5cbc9a43a

Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  ModiLoader
    Executable exe 823ac795c82f035c86b71f68c8e77eea1ef916c77502d78fc2081d3fd660cde0 (this sample)

Delivery method: Distributed via e-mail attachment

Comments