MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1b2f18b48cbae1df244f074c9a7f1ccfd369aeb981c6a4964b36d5d9e0c487c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a1b2f18b48cbae1df244f074c9a7f1ccfd369aeb981c6a4964b36d5d9e0c487c
SHA3-384 hash: 6a52770bbee183071bf7a5d4474b4bc1113304f7c6560a2719d449641e8344defa8d795db082c7f015cdfd7bdd97f216
SHA1 hash: 94a3eccc392cb47d7bc6dd3bf8fd0bf103018e0f
MD5 hash: aed29e23f01dab295f973ee35bf42248
humanhash: happy-idaho-butter-failed
File name:aed29e23f01dab295f973ee35bf42248.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:6'461'760 bytes
First seen:2021-03-19 07:49:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 08fd62a9d05cc8111782017958ea975d (2 x ModiLoader, 1 x AkiraStealer, 1 x RedLineStealer)
ssdeep 196608:cg5gwBrrcVTBKJePVw1Q85pGgbIbThc/KIfr:cg5bBHUfY+gcThc/KM
Threatray 65 similar samples on MalwareBazaar
TLSH 7B56339AA9B550F5E46B41B88AF6D64BEF73B4438311E39B0071C3F21F137A1AD26391
Reporter abuse_ch
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
142
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
aed29e23f01dab295f973ee35bf42248.exe
Verdict:
No threats detected
Analysis date:
2021-03-19 07:52:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/152ee5ad-2828-46a3-b13e-ca29d8c35baf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/125602/
Detection(s):
PUA.Win.File.Generic-7557964-0
Create hunting rule

PUA.Win.File.Zegost-9629018-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Sending a UDP request
Creating a process from a recently created file
Launching the default Windows debugger (dwwin.exe)
Forced system process termination
Deleting a recently created file
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
FormGrabber
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/95061a23-3542-4da4-86f9-fdcf8af45d4e
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/645808
Signature
Contains functionality to inject code into remote processes
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Certutil Command
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 371864 Sample: 23j6ZPLfOh.exe Startdate: 19/03/2021 Architecture: WINDOWS Score: 76 49 Multi AV Scanner detection for submitted file 2->49 51 Sigma detected: Suspicious Certutil Command 2->51 11 23j6ZPLfOh.exe 14 2->11         started        process3 process4 13 cmd.exe 1 11->13         started        15 cmd.exe 1 11->15         started        signatures5 18 cmd.exe 1 13->18         started        21 conhost.exe 13->21         started        63 Uses ping.exe to sleep 15->63 65 Uses ping.exe to check the status of other devices and networks 15->65 23 conhost.exe 15->23         started        process6 signatures7 53 Uses ping.exe to sleep 18->53 25 xazrwdho.com 18->25         started        28 certutil.exe 3 2 18->28         started        31 PING.EXE 1 18->31         started        34 3 other processes 18->34 process8 dnsIp9 59 Contains functionality to inject code into remote processes 25->59 36 xazrwdho.com 25->36         started        45 C:\Users\user\AppData\Local\...\xazrwdho.com, PE32 28->45 dropped 61 Drops PE files with a suspicious file extension 28->61 47 127.0.0.1 unknown unknown 31->47 file10 signatures11 process12 signatures13 55 Writes to foreign memory regions 36->55 57 Injects a PE file into a foreign processes 36->57 39 notepad.exe 36->39         started        process14 process15 41 WerFault.exe 39->41         started        43 WerFault.exe 39->43         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a1b2f18b48cbae1df244f074c9a7f1ccfd369aeb981c6a4964b36d5d9e0c487c/
Threat name:
Win64.Trojan.Barys
Create hunting rule
Status:
Malicious
First seen:
2021-03-19 06:02:04 UTC
AV detection:
13 of 47 (27.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ugzpdc2izoxb34se6b2mtj7rzt6tngxltaoguslewnwv3hqmjb6a._file
Verdict:
unknown
Similar samples:
22f8d1582e34c1754955d616542d3bf5e784d357ed58dd45e6bc3a5df9c82446
ModiLoader
3b63323d965a34d9a828593150e9c765b085eb844c8c1596a86def9b623e099e
ModiLoader
3eec2f0cec06aaf7f41a67bfff612f25c821ed90f47d49afd0b6a6d799ae516c
ModiLoader
5d0b09993c8b1d6de2ab162c32f2c36fb250b5a8051fbde5d5bcf9e8142ef75d
ModiLoader
620afc2abbee35a3927169681326c1f1800030fd02c77eef6a49550978a41257
ModiLoader
73b2da5f6faf24a5ab452699c277de166e2daf0a6b1b54c24f826004d9d09cc7
ModiLoader
883bd670d55447865cc753c58efafc0c26c17c8d2b11b10f3bc9f70093abe507
ModiLoader
9bae8f0da8acb0e760eb61482cafc928199f841e10e0426a6650d140be0154c3
ModiLoader
c059548509d5ca453810776ad5bdea3440fb122b361211616d7300cc3b25fac0
ModiLoader
e01d9c12ce59def16d3aa593e461d13173b98d4cef9658834f756ff4edbfd3d7
ModiLoader
+ 55 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader bootkit persistence trojan
Link:
https://tria.ge/reports/210319-plxkxv1y2j/
Behaviour
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Runs ping.exe
Enumerates physical storage devices
Suspicious use of SetThreadContext
Writes to the Master Boot Record (MBR)
Loads dropped DLL
Executes dropped EXE
ModiLoader First Stage
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
a1b2f18b48cbae1df244f074c9a7f1ccfd369aeb981c6a4964b36d5d9e0c487c
MD5 hash:
aed29e23f01dab295f973ee35bf42248
SHA1 hash:
94a3eccc392cb47d7bc6dd3bf8fd0bf103018e0f
Link:
https://www.unpac.me/results/1d084a2b-9676-4e92-a558-a8bafd8c4da6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Barys
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a1b2f18b48cbae1df244f074c9a7f1ccfd369aeb981c6a4964b36d5d9e0c487c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ModiLoader

Executable exe a1b2f18b48cbae1df244f074c9a7f1ccfd369aeb981c6a4964b36d5d9e0c487c

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/125602/
  
URLhaus
https://urlhaus.abuse.ch/url/1068778/
  
Delivery method
Distributed via web download

Comments