MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82b070a42d50b8e37b551543e041933140f3823138b0997fccd4ad926df8183b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ModiLoader

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	82b070a42d50b8e37b551543e041933140f3823138b0997fccd4ad926df8183b
SHA3-384 hash:	9570a560fcc1eb7f477e7700e7b9ff5117cbebf4d92e7891bd6687bf90ce8fdcc8561b6b96882752d87cc73696a7e79f
SHA1 hash:	4f2fc7fc4d7e0e3cd77f536037b24f4771279928
MD5 hash:	77e35a460055d2f7501f8e0ddbad020f
humanhash:	saturn-lithium-jupiter-monkey
File name:	PROFORMA Updt NR.119220_REV_3 Copies IMG_00002892.exe
Download:	download sample
Signature	ModiLoader Create hunting rule
File size:	1'135'272 bytes
First seen:	2020-10-23 06:58:56 UTC
Last seen:	2020-10-23 14:49:49 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	c69785fe9cbd1d77d7a9bfb5553fbd19 (4 x ModiLoader, 1 x NetWire, 1 x RemcosRAT)
ssdeep	12288:Y8xnrNVGQcigXmng7X+XmYWGQO7lGcRvR+ec0X6Dm9tEx6/nlzweV+8YZqckawUF:rriQciDnQ9YWmRnfxyizluk
Threatray	432 similar samples on MalwareBazaar
TLSH	BB358D61A291CB37D0379AF54C16A77859A5BF00DD247C86F6ACEC485F36EC0782B1A3
Reporter	abuse_ch
Tags:	exe ModiLoader

Code Signing Certificate

Organisation:	Microsoft Time-Stamp Service
Issuer:	Microsoft Time-Stamp PCA
Algorithm:	sha1WithRSAEncryption
Valid from:	Sep 7 17:58:56 2016 GMT
Valid to:	Sep 7 17:58:56 2018 GMT
Serial number:	33000000CCCBB813EB5D722D450000000000CC
Intelligence:	15 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	0C043752471269029D69B98BD42DFAD2656F1BCFDEC9A291039F4EF69B496C70
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

abuse_ch

Malspam distributing ModiLoader:

HELO: starmix.it
Sending IP: 185.222.57.249
From: Anna - Starmix <anna.poletto@starmix.it>
Subject: R: PROFORMA NR.1192/20_REV_3 _Corrected
Attachment: PROFORMA Updt NR.119220_REV_3 Copies IMG_00002892.r01 (contains "PROFORMA Updt NR.119220_REV_3 Copies IMG_00002892.exe")

Intelligence

File Origin

# of uploads :

2

# of downloads :

87

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/74955/

Detection(s):

SecuriteInfo.com.Fareit-FZO77E35A460055.28770.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

DNS request

Sending a custom TCP request

Creating a file

Using the Windows Management Instrumentation requests

Creating a file in the %AppData% directory

Deleting a recently created file

Reading critical registry keys

Creating a file in the %temp% directory

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Sending a TCP request to an infection source

Stealing user critical data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/82b070a42d50b8e37b551543e041933140f3823138b0997fccd4ad926df8183b/

Threat name:

Win32.Trojan.NetWired

Status:

Malicious

First seen:

2020-10-23 04:25:00 UTC

File Type:

PE (Exe)

Extracted files:

53

AV detection:

23 of 28 (82.14%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qkyhbjbnkc4og62vcvb6aqmtgfapharrhcyjs76m2swze3pyda5q._file

Verdict:

malicious

Label(s):

avemaria

Similar samples:

0629278e51106220eb8727f80f4c24cfb432e6344561e8518030b19b669bcc72

411a64366a6b5b9e57bd06dcdccd377ea02d9ed7e8be0f290f0674e3d7ff3215

6c483817d7c95cd3ac3be070d84f1647b938ad3341f7b4854924a77892507af8

8546c35ea3d72e58b06dbcdb3d790fe9d39772ec986a2b89c406daab67efe79b

91292df65ea051a8cd7009382fb66c6b3fed39e8ddc3a27e38c990e2b69ea942

a0792945510f126714a42e9b4cef8b7e8d7aab504772b076c6df0a4e96f08e89

a5e7f494eb61368332811160955db5ef4dc5f07e6e3fbc7d5c0776023d3714c0

d30b949fc05b15b611b3fe420b6883062c5bb2b270c769540c48f703a46cbbf3

e0e3ae47b7e48c3c81724d0a63f5f6f8033bb516d97c538ea52349a102a0e1b6

e6d6cda38ec798c76fb5727c7af199c496408484c68f3d7c0d34d6be09900ca0

+ 422 additional samples on MalwareBazaar

Result

Malware family:

warzonerat

Score:

10/10

Tags:

trojan family:modiloader persistence spyware rat infostealer family:warzonerat

Link:

https://tria.ge/reports/201023-tfaceff7ae/

Behaviour

Modifies system certificate store

Adds Run key to start application

JavaScript code in executable

Loads dropped DLL

Reads user/profile data of web browsers

ModiLoader First Stage

ModiLoader Second Stage

ModiLoader, DBatLoader

WarzoneRat, AveMaria

Unpacked files

SH256 hash:

82b070a42d50b8e37b551543e041933140f3823138b0997fccd4ad926df8183b

MD5 hash:

77e35a460055d2f7501f8e0ddbad020f

SHA1 hash:

4f2fc7fc4d7e0e3cd77f536037b24f4771279928

Link:

https://www.unpac.me/results/e8b4c50f-9aa2-490e-b3cb-1ad6d24a3d31/

SH256 hash:

7979ae4a3cce3226df50398ad6b8134ee98c477a7ce5a18b730370b7bf831818

MD5 hash:

3a97b06e7ea20868295cdee73fb5bcc2

SHA1 hash:

05d1bb71572c833872ac4062dc8e9d509ed2d9e0

Link:

https://www.unpac.me/results/e8b4c50f-9aa2-490e-b3cb-1ad6d24a3d31/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

r01 68690c3e7bb9fa657bb88632419dcbda0d1b9bdd92d92b8939b04c1b670c3046

exe 82b070a42d50b8e37b551543e041933140f3823138b0997fccd4ad926df8183b

(this sample)

Dropped by

MD5 3caa540edcd421e84607d04d26635492

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/74955/

Dropped by

SHA256 68690c3e7bb9fa657bb88632419dcbda0d1b9bdd92d92b8939b04c1b670c3046

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample