MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b1ae0657658c35d391652b847033a662145b2cc0fd653740577b987695d979b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8b1ae0657658c35d391652b847033a662145b2cc0fd653740577b987695d979b
SHA3-384 hash: 985c804128eade2488053c130a38bebec63fad0abe8e2aeb451a9cf65d21af7f67bd739e7becf8efbef17f0b1677b0b0
SHA1 hash: 29a670fd0cf9176295adc4893f856995f7bf7c0d
MD5 hash: ae9e623f420f8a70c0d1e8e33c369a16
humanhash: one-texas-two-lactose
File name:Szfrvnj.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:965'120 bytes
First seen:2020-10-19 18:16:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 319a8e5d178320ae582e370f06f62e46 (7 x ModiLoader, 4 x RemcosRAT)
ssdeep 12288:lY2jsH0s30vuwlPMSGUzoPLLJ3SSsD8O1sMNn5IswLOQ:lzjm02wKazmLF6sU1A
Threatray 1'743 similar samples on MalwareBazaar
TLSH BA257D33B2924873D47329789D5B67A8BD3ABE002928B5463BF91C4C5F396413C7E297
Reporter abuse_ch
Tags:exe ModiLoader


Avatar
abuse_ch
Malspam distributing ModiLoader:

HELO: jac0.lensing-promotion.com
Sending IP: 94.140.115.229
From: Nishan <services@g1economia.com>
Subject: Acknowldge TT Copy
Attachment: TT Copy_pdf.arj (contains "Szfrvnj.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/73080/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Fareit-FZO47BEC7E4E109.19705.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Unauthorized injection to a recently created process
Running batch commands
Creating a process with a hidden window
Reading critical registry keys
Changing a file
Replacing files
Connection attempt
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Moving of the original file
Unauthorized injection to a system process
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/495891
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Fodhelper UAC Bypass
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 300391 Sample: Szfrvnj.exe Startdate: 19/10/2020 Architecture: WINDOWS Score: 100 43 itrad3r.com 2->43 53 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->53 55 Found malware configuration 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 5 other signatures 2->59 9 Szfrvnj.exe 1 15 2->9         started        14 Szfrdrv.exe 13 2->14         started        16 Szfrdrv.exe 13 2->16         started        signatures3 process4 dnsIp5 47 cdn.discordapp.com 162.159.134.233, 443, 49718 CLOUDFLARENETUS United States 9->47 41 C:\Users\user\AppData\Local\...\Szfrdrv.exe, PE32 9->41 dropped 69 Detected unpacking (changes PE section rights) 9->69 71 Detected unpacking (overwrites its own PE header) 9->71 73 Tries to steal Mail credentials (via file registry) 9->73 81 3 other signatures 9->81 18 Szfrvnj.exe 54 9->18         started        22 notepad.exe 4 9->22         started        49 162.159.130.233, 443, 49741, 49760 CLOUDFLARENETUS United States 14->49 75 Multi AV Scanner detection for dropped file 14->75 77 Detected unpacking (creates a PE file in dynamic memory) 14->77 79 Injects a PE file into a foreign processes 14->79 25 Szfrdrv.exe 14->25         started        51 192.168.2.1 unknown unknown 16->51 27 Szfrdrv.exe 16->27         started        file6 signatures7 process8 dnsIp9 45 itrad3r.com 194.180.224.87, 49732, 49733, 49734 REBECCAHOSTUS unknown 18->45 61 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->61 63 Tries to steal Mail credentials (via file access) 18->63 65 Tries to harvest and steal ftp login credentials 18->65 67 Tries to harvest and steal browser information (history, passwords, etc) 18->67 39 C:\Users\Public39atso.bat, ASCII 22->39 dropped 29 cmd.exe 1 22->29         started        31 cmd.exe 1 22->31         started        file10 signatures11 process12 process13 33 conhost.exe 29->33         started        35 reg.exe 1 1 29->35         started        37 conhost.exe 31->37         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8b1ae0657658c35d391652b847033a662145b2cc0fd653740577b987695d979b/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-10-19 13:15:49 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rmnoazlwldbv2oiwkk4eoaz2myqulmwmb7lfg5afo64yo2k5s6nq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
15a5acf7f504d480ae0925b9f4f9e18b7a75f371d3afd1d1bc59ed30abaca08b
ModiLoader
27f3b6f252114d1840bd8ff88af2fec03645bd1b84258660b1cb4d1f8b130161
ModiLoader
37813d58ab76932f367b13b45f5069c4c9baf704b753fd5108539a6e725e8056
ModiLoader
44959082a4d86b4b782a2d860658e304025d34863398da161e39ba57a7e2c4fd
ModiLoader
5e2ff37b8f894bb49e33a7dbfa804ea5561cb8acc7cbf95ed4b56d230b8cd148
ModiLoader
855eaf42f771f65f72f7457ba7eb8e4f5ab99b7bc43fbb2fa1528820c2e01200
ModiLoader
a95c6a61523704d369aa61231c2c1ae80c1ce87911f519b4108a40306b2152ac
ModiLoader
bdf0628de7c3965db41f88705c2b900a19fc12499435fd77f6eabc172c397861
ModiLoader
d38c13a3092e9df1e541934564870c8a271148b1f90436ff86292d3c3ff21550
ModiLoader
d5a68a111c359a22965206e7ac7d602d92789dd1aa3f0e0c8d89412fc84e24a5
ModiLoader
+ 1'733 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
persistence trojan family:modiloader spyware stealer family:lokibot
Link:
https://tria.ge/reports/201019-9x37y14zwe/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
ModiLoader First Stage
ModiLoader Second Stage
Lokibot
ModiLoader, DBatLoader
Malware Config
C2 Extraction:
https://itrad3r.com/ari/Panel/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
8b1ae0657658c35d391652b847033a662145b2cc0fd653740577b987695d979b
MD5 hash:
ae9e623f420f8a70c0d1e8e33c369a16
SHA1 hash:
29a670fd0cf9176295adc4893f856995f7bf7c0d
Link:
https://www.unpac.me/results/d4d8b2f0-540d-4122-9aae-8ef9bdaea2a1/
SH256 hash:
3102ef16c08de94869842de37d023d73e88db4d5b6fa71fe6c7c3804c69427a9
MD5 hash:
84e0839fc0283c675474c58134703394
SHA1 hash:
50a380f20c1dae3a009dbf2122dfa13880b99b22
Link:
https://www.unpac.me/results/d4d8b2f0-540d-4122-9aae-8ef9bdaea2a1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8b1ae0657658c35d391652b847033a662145b2cc0fd653740577b987695d979b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

arj 905d1b10089c967c17b49aa82b67ffea3c9040aad1668a0cec5a3e7a616564fd

ModiLoader

Executable exe 8b1ae0657658c35d391652b847033a662145b2cc0fd653740577b987695d979b

(this sample)

  
Dropped by
MD5 5e50a3c50960707b854c8d1c007a3ec1
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/73080/
  
Dropped by
SHA256 905d1b10089c967c17b49aa82b67ffea3c9040aad1668a0cec5a3e7a616564fd

Comments