MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89ca0ea25e05983099ae8221becde0d57c5528d85d6ab8fd944f7c941437d679. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 89ca0ea25e05983099ae8221becde0d57c5528d85d6ab8fd944f7c941437d679
SHA3-384 hash: 47dfdbac64ee13e35b791d7fa951596e5dd1d62a70cdaac7d04947af54364e124c7c209166b2a738c3d28136efe07b78
SHA1 hash: 6d7050466d883a70896610fd377409bec21385a5
MD5 hash: 319e34bf7ecf5c74e8c192be57093d96
humanhash: burger-spring-papa-salami
File name:INVOICE.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:626'328 bytes
First seen:2020-12-26 08:11:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3365f5f0a5c9d37739d88d8129eebf55 (3 x ModiLoader)
ssdeep 12288:B0O9si66PFSav1nfcja/P4Tulz6dOG6767a9SwiscMnw:B0a+6UOfCa/A/6767aP2V
Threatray 2'213 similar samples on MalwareBazaar
TLSH 7CD48F62B3D0897BD513EE78BC0BA3B098397D903D2964457AE619BC4F78350392F1A7
Reporter abuse_ch
Tags:exe ModiLoader


Avatar
abuse_ch
Malspam distributing ModiLoader:

HELO: neurosurgery.or.kr
Sending IP: 118.128.190.141
From: Regina Lambertz (Financial Accounting) <kfn3@kfn.or.kr>
Subject: *URGENT* PAYMENT DETAILS 23/12/2020
Attachment: INVOICE.img (contains "INVOICE.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
561
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Dlmdbrp_Signed_.exe
Verdict:
Malicious activity
Analysis date:
2020-12-23 09:00:43 UTC
Tags:
trojan opendir lokibot stealer
Link:
https://app.any.run/tasks/5ec24987-32b0-40e5-9885-ff7de1ef7c4c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/109480/
Detection(s):
Win.Trojan.Generic-9816732-0
Create hunting rule

PUA.Win.Trojan.Generic-6629274-0
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

PUA.Win.Adware.Qjwmonkey-6892535-0
Create hunting rule

SecuriteInfo.com.Fareit-FZOA93AF1E2096C.23549.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Unauthorized injection to a recently created process
Reading critical registry keys
Changing a file
Replacing files
Connection attempt
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Stealing user critical data
Moving of the original file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/570150
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/89ca0ea25e05983099ae8221becde0d57c5528d85d6ab8fd944f7c941437d679/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-12-23 08:45:03 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rhfa5is6awmdbgnoqiq35tpa2v6fkkgylvvlr7muj56jifbx2z4q._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
2b419f986ea266fa5826fbb6858782f7c2acfda73aa5ec5cb21d64537d6a4ea1
ModiLoader
3082c38383b9b75510e3fa868da957da7dca5ec5f36b97f563280511a9c33916
ModiLoader
4bc494204a6950d07cdbc7181b7b9588d037d7118e31fb41f0156c2b44423e34
ModiLoader
74fec3ab0741be490ea78a0e85543f56d84909d7e6c1a808fa3b1bb5b0cc2758
ModiLoader
9268128b42974626b6b527dfb489f6765a57bcaeeb31929cca3c1e8840c7a808
ModiLoader
be64654bb507094ad7ace4a1da27dfe42dd6451d9dadb24b8310aa50e8ff5f34
ModiLoader
bf8dd5118e02955a5021f00c97b9877a16ac7af3f87699cf365307eb9c3f6351
ModiLoader
ceeffdff4b0af45c77f3923e47c03a529c87dd4e0e92fdc88b0551857df53239
ModiLoader
dab70b4af932eff3aeb93b40eb473647dc9242a84ac68435886cb40b32d3e010
ModiLoader
ee665ac6cacc0fec507227dedc2efaeebddab022b1cf553280a6733e08d7085d
ModiLoader
+ 2'203 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:lokibot family:modiloader spyware stealer trojan
Link:
https://tria.ge/reports/201226-e8nfxdm53n/
Behaviour
Modifies system certificate store
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
ModiLoader First Stage
Lokibot
ModiLoader, DBatLoader
Malware Config
C2 Extraction:
https://deqtmaysoor.com/jah1/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
89ca0ea25e05983099ae8221becde0d57c5528d85d6ab8fd944f7c941437d679
MD5 hash:
319e34bf7ecf5c74e8c192be57093d96
SHA1 hash:
6d7050466d883a70896610fd377409bec21385a5
Link:
https://www.unpac.me/results/2b0d7975-9e30-46f7-af98-7109df2fe8b7/
SH256 hash:
b06a4efc54c88b3c247c357a33f21514ff0d73daf97e97123ea73c0b2f240ca7
MD5 hash:
8d8fa5c16a2acd19a360b59e07968f1c
SHA1 hash:
2dc5677e6a9701c9532cc6d443bd184d9cb1cbc9
Link:
https://www.unpac.me/results/2b0d7975-9e30-46f7-af98-7109df2fe8b7/
SH256 hash:
87dacc4715da9b9bb9bd77881af22c6ea353c95e97fc779fd0798ef2acf667e8
MD5 hash:
c48129cb756c33cff2b1d53c97e33b10
SHA1 hash:
a8827d97dde1662f1dff203ec4455573d9337ad6
Link:
https://www.unpac.me/results/2b0d7975-9e30-46f7-af98-7109df2fe8b7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/89ca0ea25e05983099ae8221becde0d57c5528d85d6ab8fd944f7c941437d679

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

img b5c2bc0c565e352e7ba0e68c0ba788349de2a3bb0c4cb9c023e6d3c0cdb3ce18

ModiLoader

Executable exe 89ca0ea25e05983099ae8221becde0d57c5528d85d6ab8fd944f7c941437d679

(this sample)

  
Dropped by
MD5 eb79392ef87775def27c72112e394160
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 b5c2bc0c565e352e7ba0e68c0ba788349de2a3bb0c4cb9c023e6d3c0cdb3ce18
Cape
Cape
https://www.capesandbox.com/analysis/109480/

Comments