MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a51241f19d9e2f370c5fca701fb761a5faef8d2f0a16de8ddad6a1936020cdd3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ModiLoader

Vendor detections: 7



SHA256 hash: a51241f19d9e2f370c5fca701fb761a5faef8d2f0a16de8ddad6a1936020cdd3
SHA3-384 hash: 7bbcac9c9b25370df562d1bef6dd0abdd819ac4f3efa53fe90d0b76de036793507dd294cd196e40c968824b5301f78bf
SHA1 hash: f7952914b0eaad795e4ca567e2e40acc44e1d94c
MD5 hash: 4eadda589b3f6dbf60b047711b33f43b
humanhash: burger-maryland-wisconsin-hydrogen
File name: Scan_quaxgdx_Signed_.bat
Signature: ModiLoader
File size: 1'066'544 bytes
First seen: 2020-10-21 08:50:54 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 43f29e85d3150ea9833f321c3be626c8 (9 x ModiLoader, 1 x NetWire, 1 x AveMariaRAT)
ssdeep: 12288:WhVKeF40BRicbRToD1whMmvlThTD3mG91gX2jU6vG4fMsdF6eIDx:WhU0RicG6b9T17mG9uX2NGDkF6zDx
Threatray: 359 similar samples on MalwareBazaar
TLSH: 95356C627390C332D072C6B9CC5EA6797599FE40ED287846F7AC7D4A6F35E81242B243
Reporter: abuse_ch
Tags: bat ModiLoader


abuse_ch
Malspam distributing ModiLoader:

HELO: mail.chequedejeuner.ro
Sending IP: 89.238.212.69
From: Alexandru Incze <aincze_norman@safetysuppliesdirect.co.uk>
Reply-To: Alexandru Incze <aincze_norman@safetysuppliesdirect.co.uk>
Subject: For Your Kind Attention - Kindly Advise on Availability of Listed Materials
Attachment: Scan_quaxgdx_Signed.img (contains "Scan_quaxgdx_Signed_.bat")

Intelligence


File Origin
# of uploads: 1
# of downloads: 82
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Unauthorized injection to a recently created process
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.adwa.evad
Score: 100 / 100
Signature
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph (ID 301792; sample Scan_quaxgdx_Signed_.bat; start date 21/10/2020; architecture WINDOWS; score 100)
Sample-level signatures: Multi AV Scanner detection for submitted file; Yara detected AgentTesla; Machine Learning detection for sample
Process tree, with network contacts, dropped files and signatures per process:
  Scan_quaxgdx_Signed_.exe
    network: discord.com (162.159.128.233:443, local ports 49741, 49759, CLOUDFLARENETUS, United States); cdn.discordapp.com (162.159.129.233:443, local ports 49742, 49760, CLOUDFLARENETUS, United States)
    dropped: C:\Users\user\AppData\Local\...\Orxzdrv.exe (PE32)
    signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); 3 other signatures
    child: Scan_quaxgdx_Signed_.exe
      dropped: C:\Windows\System32\drivers\etc\hosts (ASCII)
      signatures: Modifies the hosts file
    child: notepad.exe
      child: cmd.exe -> conhost.exe
      child: cmd.exe -> conhost.exe
  Orxzdrv.exe
    network: 162.159.134.233:443 (local port 49758, CLOUDFLARENETUS, United States); 162.159.136.232:443 (local port 49757, CLOUDFLARENETUS, United States)
    signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
    child: Orxzdrv.exe
  Orxzdrv.exe (second instance)
Threat name: Win32.Trojan.Remcos
Status: Malicious
First seen: 2020-10-21 07:27:12 UTC
AV detection: 23 of 29 (79.31%)
Threat level: 5/5
Result
Malware family: modiloader
Score: 10/10
Tags: persistence trojan family:modiloader
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
ModiLoader First Stage
ModiLoader Second Stage
ModiLoader, DBatLoader
Unpacked files
SHA256 hash: a51241f19d9e2f370c5fca701fb761a5faef8d2f0a16de8ddad6a1936020cdd3
MD5 hash: 4eadda589b3f6dbf60b047711b33f43b
SHA1 hash: f7952914b0eaad795e4ca567e2e40acc44e1d94c
SHA256 hash: 09d882b9f2ee1b1c4e741148bff6022ad2dc954336f4a0068e74ac44b8c0da90
MD5 hash: 2d396f6b17ced0f5bbe35732b059f39a
SHA1 hash: f99451819cad0af6dc99df27d3c59ac47c50a2ec
Please note that we are no longer able to provide a coverage score for VirusTotal.
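The sandbox behaviour reported above (contact with discord.com and cdn.discordapp.com from the sample itself, a PE dropped under AppData\Local, a Run key for persistence, a write to the hosts file, and WMI queries of Win32_Bios, Win32_BaseBoard and Win32_NetworkAdapter) maps directly onto host-telemetry detections. The script below is an added example, not a MalwareBazaar, abuse.ch or vendor rule set: it runs six such rules over constructed Sysmon-style events modelled on this entry. The event schema, the browser allow-list, the mounted-image drive letter and the dropped-file directory (which the report elides) are assumptions, and the "non-system volume" rule generalises from the reporter's note that the attachment was an .img.

```python
import re

# Indicators taken from this entry's sandbox report.
DISCORD_HOSTS = {"discord.com", "cdn.discordapp.com"}
HOSTS_FILE = r"c:\windows\system32\drivers\etc\hosts"
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
WMI_VM_CLASSES = ("win32_bios", "win32_baseboard", "win32_networkadapter")
# Assumption: processes that may legitimately talk to Discord endpoints.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "discord.exe"}
# Assumption: a mounted .img/.iso attachment appears as a drive letter other than C:.
NON_SYSTEM_ROOT = re.compile(r"^[d-z]:\\[^\\]+\.(exe|scr|bat|cmd)$", re.I)


def image_name(ev: dict) -> str:
    return ev["image"].rsplit("\\", 1)[-1].lower()


def discord_from_non_browser(ev: dict) -> bool:
    return (ev["type"] == "network"
            and ev.get("dest_host", "").lower() in DISCORD_HOSTS
            and image_name(ev) not in BROWSERS)


def pe_dropped_in_appdata_local(ev: dict) -> bool:
    t = ev.get("target", "").lower()
    return ev["type"] == "file_create" and "\\appdata\\local\\" in t and t.endswith((".exe", ".dll", ".scr"))


def run_key_persistence(ev: dict) -> bool:
    return ev["type"] == "registry_set" and bool(RUN_KEY.search(ev.get("target", "")))


def hosts_file_modified(ev: dict) -> bool:
    return ev["type"] == "file_create" and ev.get("target", "").lower() == HOSTS_FILE


def wmi_vm_fingerprinting(ev: dict) -> bool:
    q = ev.get("query", "").lower()
    return ev["type"] == "wmi_query" and any(c in q for c in WMI_VM_CLASSES)


def exec_from_non_system_volume(ev: dict) -> bool:
    return ev["type"] == "process_create" and bool(NON_SYSTEM_ROOT.match(ev["image"]))


RULES = {fn.__name__: fn for fn in (
    discord_from_non_browser, pe_dropped_in_appdata_local, run_key_persistence,
    hosts_file_modified, wmi_vm_fingerprinting, exec_from_non_system_volume)}


def evaluate(events: list) -> list:
    """Return (event index, rule name) for every rule that fires on every event."""
    return [(i, name) for i, ev in enumerate(events) for name, fn in RULES.items() if fn(ev)]


def verdict_by_process(events: list) -> dict:
    """Group fired rules by process image; several distinct rules on one image is the strong signal."""
    by_proc: dict = {}
    for i, name in evaluate(events):
        by_proc.setdefault(image_name(events[i]), set()).add(name)
    return {img: sorted(rules) for img, rules in by_proc.items()}


# Constructed events modelled on the behaviour graph; not real telemetry.
SAMPLE = r"E:\Scan_quaxgdx_Signed_.exe"                       # assumed drive letter of the mounted .img
DROPPED = r"C:\Users\user\AppData\Local\Orxzdrv\Orxzdrv.exe"   # assumed directory; the report elides it
EVENTS = [
    {"type": "process_create", "image": SAMPLE, "parent": r"C:\Windows\explorer.exe"},
    {"type": "network", "image": SAMPLE, "dest_host": "cdn.discordapp.com", "dest_ip": "162.159.129.233", "dest_port": 443},
    {"type": "network", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "cdn.discordapp.com", "dest_ip": "162.159.129.233", "dest_port": 443},   # benign control
    {"type": "file_create", "image": SAMPLE, "target": DROPPED},
    {"type": "registry_set", "image": DROPPED, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Orxzdrv"},
    {"type": "file_create", "image": SAMPLE, "target": r"C:\Windows\System32\drivers\etc\hosts"},
    {"type": "wmi_query", "image": DROPPED, "query": "SELECT * FROM Win32_Bios"},
    {"type": "file_create", "image": r"C:\Windows\explorer.exe", "target": r"C:\Users\user\Downloads\quote.pdf"},  # benign control
]

if __name__ == "__main__":
    for img, rules in verdict_by_process(EVENTS).items():
        print(img, rules)
```

The Discord rule is the one most likely to need tuning: the MALWARE_Win_DLAgent03 YARA match on this page is about a Delphi loader fetching its second stage from Discord's CDN, so the rule keys on the requesting process rather than on the domain alone, which is benign in most environments.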

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:dsc
Author:Aaron DeVera
Description:Discord domains
Rule name:MALWARE_Win_DLAgent03
Author:ditekSHen
Description:Detects known Delphi downloader agent downloading second stage payload, notably from discord

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam (distributed via e-mail attachment)
Signature: ModiLoader
File: Executable exe a51241f19d9e2f370c5fca701fb761a5faef8d2f0a16de8ddad6a1936020cdd3 (this sample)

Comments