MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 977f77728f1783062f8c072096f0b7535ec74f686c3e40db5dc78766edabffeb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 977f77728f1783062f8c072096f0b7535ec74f686c3e40db5dc78766edabffeb
SHA3-384 hash: c43e7de790a8ca2cc6f4403497a076b2a12cf103a8b88b7c180d2312537e808ef246a05559f756fe1a884baf23df801b
SHA1 hash: b4d96d69bd7c5f890bcf947570d6afb37a55829f
MD5 hash: 90f8e06ecc2e65ead5b980c2c05c80c2
humanhash: virginia-apart-lemon-cold
File name:Swift_28960_Ziraat_Bankasi_5A186F_IMG.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:13'946'061 bytes
First seen:2020-12-28 08:01:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b98caa61c34fcff9ec4c8f0dd186884b (1 x ModiLoader)
ssdeep 12288:CfLWNFPxOxLraMCrqfZW562wzVAoQKzijWHAfvi56LffGfb7:AynGraMCrV62mVAkz2vHLffGH
Threatray 262 similar samples on MalwareBazaar
TLSH 92E68DD26362553EC0764A348C1F9198DC65BE032994777E2AE93DCCAB3468035DFEB2
Reporter abuse_ch
Tags:exe geo ModiLoader TUR


Avatar
abuse_ch
Malspam distributing ModiLoader:

HELO: smtp.redshift.com
Sending IP: 216.228.2.205
From: Mehmet | Ziraat Bankası <rsanchez@redshift.com>
Reply-To: Microsoft Outlook <adminupdates@opendoors.fun>
Subject: Fwd: Fwd[2]: 28,960 USD Swift Copy Bildirimi
Attachment: Swift_28960_Ziraat_Bankasi_5A186F_IMG.xz (contains "Swift_28960_Ziraat_Bankasi_5A186F_IMG.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
600
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Swift_28960_Ziraat_Bankasi_5A186F_IMG.exe
Verdict:
Malicious activity
Analysis date:
2020-12-28 08:08:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a7409832-d650-43f4-ab21-88f619a91f53

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Fareit-FZO90F8E06ECC2E.26959.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Moving of the original file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/570597
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/977f77728f1783062f8c072096f0b7535ec74f686c3e40db5dc78766edabffeb/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-12-28 07:19:33 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s57xo4upc6bqml4ma4qjn4fxknpmot3inq7ebw25y6dwn3nl77vq._file
Verdict:
malicious
Similar samples:
23f63135c2789e7ef408e0184508a7340f673860f0fefc09dd705276d82d7787
ModiLoader
29790388ca244a8fd3bb2448a59e45fba4dc715fec7a0bf09a7f6d4df79ef9a9
ModiLoader
2ec7c847f0688dff3229c676bb15e88e1c576bcb67157341887ffc3a20375190
ModiLoader
49cd5a74bbebb0bb147f1bfb1e0ec7e42de79cd137eff2b62386cb3ac5229dab
ModiLoader
4ae6b816ae796954dd22a01dacb47e9e76bd3facc4f20f7f8fb76e18fd20b27b
ModiLoader
56f814347c8ec650f905e26cb30343d437b587d8f663ac6bbf4ae4ca483898e1
ModiLoader
7d957b25b466f6b1eca625ad56a3472a83b2efc825a5d056a7d11b1b74f17fa3
ModiLoader
c4e42ebfd487b325ece4f09d75687c96e252aa8559f8a8daad6336dc39ee5424
ModiLoader
d8ab8eb6d9e9fdb54f5d72254eafb2732342f8883ee96749bb8615ca196963bb
ModiLoader
dbb953f1943fa6f07fcaad4f4469fc48a19dc1df34b2502ea8c7b789bedbfade
ModiLoader
+ 252 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201228-b437b3e5vs/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
977f77728f1783062f8c072096f0b7535ec74f686c3e40db5dc78766edabffeb
MD5 hash:
90f8e06ecc2e65ead5b980c2c05c80c2
SHA1 hash:
b4d96d69bd7c5f890bcf947570d6afb37a55829f
Link:
https://www.unpac.me/results/39ee9bce-2801-47f1-bcec-7ff07fb14be5/
SH256 hash:
f6368ca109585a523c072e714df2b8071958e66f1e6a4666690b1a5d7ab61a39
MD5 hash:
781588ca6ced778abecbf571fc7f8d5f
SHA1 hash:
fb40ed2af77e410e5e60dd0385f76e8d8fe12da0
Link:
https://www.unpac.me/results/39ee9bce-2801-47f1-bcec-7ff07fb14be5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/977f77728f1783062f8c072096f0b7535ec74f686c3e40db5dc78766edabffeb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

xz d3077f18629465f587395b724351cf2eddb90c1a9d67af5d6e146727f857f8d9

ModiLoader

Executable exe 977f77728f1783062f8c072096f0b7535ec74f686c3e40db5dc78766edabffeb

(this sample)

  
Dropped by
MD5 77850e916eeba346c6345ed04e3a8406
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 d3077f18629465f587395b724351cf2eddb90c1a9d67af5d6e146727f857f8d9

Comments