MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a54f3a94b5d82060b575d85b0ab779f32f532c96beef3081783f838e687bfcfc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ModiLoader


Vendor detections: 13



SHA256 hash: a54f3a94b5d82060b575d85b0ab779f32f532c96beef3081783f838e687bfcfc
SHA3-384 hash: c41190f144f491ac03fa3a4fa52ff029d6722c6abb20ed9bd81eac02bec720acbb153e5b76a358a74a6d365b8f9ca71b
SHA1 hash: d86a03a312f8c34a464e997dab02bd74f4f8a40b
MD5 hash: b039b3394d5a6794d9ffe10d15ece404
humanhash: jersey-lactose-chicken-happy
File name: doc_01234.exe
Signature ModiLoader
File size: 836'096 bytes
First seen: 2022-03-08 13:18:41 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash ef548b3863419e317467c122fcc08ed7 (6 x Formbook, 2 x RemcosRAT, 1 x ModiLoader)
ssdeep 12288:F9udXq5lwIfJhsVoyv6g2ddE8mgPJP89Q+zl/3RIlRfk:zudXehgWT4gPNmQ+ha7f
Threatray 1'085 similar samples on MalwareBazaar
TLSH T1B6059EEEB3E24837D07316788C4B57B45929BD052F24A8472FF87D0EBE316953A29253
dhash icon f0c0db6c6a7af0fc (24 x Formbook, 6 x QuasarRAT, 5 x RemcosRAT)
Reporter Anonymous
Tags: exe ModiLoader

Intelligence


File Origin
# of uploads: 1
# of downloads: 208
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: doc_01234.exe
Verdict: Suspicious activity
Analysis date: 2022-03-09 11:09:30 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching the process to interact with network services
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
CheckCmdLine
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: control.exe keylogger replace.exe
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AveMaria DBatLoader UACMe
Detection: malicious
Classification: phis.troj.spyw.expl.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Drops PE files to the user root directory
Found evasive API chain checking for user administrative privileges
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected DBatLoader
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Behavior Graph ID: 585048
Sample: doc_01234.exe
Startdate: 08/03/2022
Architecture: WINDOWS
Score: 100
Top-level DNS: mrbigs.hopto.org
Top-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures

Process tree (dropped files, network contacts and per-process signatures as shown in the graph):
doc_01234.exe
    DNS: tsnwhq.by.files.1drv.com; 2 other IPs or domains
    Dropped: C:\Users\Public\Ptechut.exe (PE32); C:\Users\Public\tuhcetP.url (MS); C:\Users\Public\Ptechut.exe:Zone.Identifier (ASCII)
    Signatures: Drops PE files to the user root directory; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
    DpiScaling.exe
        Network: mrbigs.hopto.org 206.123.154.30, port 3456 (client ports 49781, 49791), HVC-ASUS, United States
        Signatures: Contains functionality to inject threads in other processes; Contains functionality to steal Chrome passwords or cookies; Contains functionality to steal e-mail passwords; 3 other signatures
    cmd.exe
        cmd.exe
            net.exe
                net1.exe
            conhost.exe
        conhost.exe
Ptechut.exe
    DNS: tsnwhq.by.files.1drv.com; 2 other IPs or domains
    Signatures: Machine Learning detection for dropped file
Ptechut.exe
    Network: l-0004.dc-msedge.net 13.107.43.13, port 443 (client ports 49787, 49789), MICROSOFT-CORP-MSN-AS-BLOCKUS, United States
    DNS: tsnwhq.by.files.1drv.com; 2 other IPs or domains
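The two Sigma hits listed above ("New RUN Key Pointing to Suspicious Folder" and "Suspicious Program Location with Network Connections") reduce to simple field checks on endpoint telemetry. What follows is an added example, not MalwareBazaar, Joe Sandbox or SigmaHQ code: it evaluates those two checks over constructed Sysmon-style events modelled on the behaviour graph. The event field names, the benign control event and the Run-key value data (C:\Users\Public\tuhcetP.url) are assumptions; the page shows the Run-key persistence and the dropped .url, but not that one points at the other.

```python
"""Sigma-style checks for two of the Joe Sandbox signatures on this page:
'New RUN Key Pointing to Suspicious Folder' and
'Suspicious Program Location with Network Connections'.
Added example, not MalwareBazaar, Joe Sandbox or SigmaHQ code. Events are
constructed dicts that loosely follow Sysmon field names (EventID 13 =
registry value set, EventID 3 = network connection). Paths, hosts and ports
mirror the behaviour graph; the Run-key value data is an assumption.
"""

# Drop locations a legitimate installer rarely uses for an autostart entry or
# for a long-running, network-active binary. Lower-cased path substrings.
SUSPICIOUS_FOLDERS = (
    r"c:\users\public",
    r"c:\programdata",
    r"c:\windows\temp",
    r"\appdata\local\temp",
    r"\downloads",
)
# Matches both ...\CurrentVersion\Run\<name> and ...\CurrentVersion\RunOnce\<name>.
RUN_KEY_MARKER = r"\software\microsoft\windows\currentversion\run"


def run_key_to_suspicious_folder(event):
    """Run/RunOnce value (EID 13) whose data points into a suspicious folder."""
    if event.get("EventID") != 13:
        return False
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "").lower()
    if RUN_KEY_MARKER not in target:
        return False
    return any(folder in details for folder in SUSPICIOUS_FOLDERS)


def suspicious_location_with_network(event):
    """Outbound connection (EID 3) whose initiating image lives in a drop folder."""
    if event.get("EventID") != 3:
        return False
    image = event.get("Image", "").lower()
    return any(folder in image for folder in SUSPICIOUS_FOLDERS)


def evaluate(events):
    """Return (rule name, offending field) pairs for every matching event."""
    hits = []
    for ev in events:
        if run_key_to_suspicious_folder(ev):
            hits.append(("New RUN Key Pointing to Suspicious Folder", ev["TargetObject"]))
        if suspicious_location_with_network(ev):
            hits.append(("Suspicious Program Location with Network Connections", ev["Image"]))
    return hits


# Constructed events modelled on the behaviour graph (not real telemetry).
SAMPLE_EVENTS = [
    # doc_01234.exe persists via the standard Run key; that the value data points
    # at the dropped .url in C:\Users\Public is an assumption.
    {"EventID": 13, "Image": r"C:\Users\user\Desktop\doc_01234.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Ptechut",
     "Details": r"C:\Users\Public\tuhcetP.url"},
    # The dropped copy reaches OneDrive from C:\Users\Public.
    {"EventID": 3, "Image": r"C:\Users\Public\Ptechut.exe",
     "DestinationHostname": "tsnwhq.by.files.1drv.com", "DestinationPort": 443},
    # The RAT payload runs inside an injected DpiScaling.exe from System32, a
    # legitimate location, so the location rule deliberately does NOT fire here.
    {"EventID": 3, "Image": r"C:\Windows\System32\DpiScaling.exe",
     "DestinationIp": "206.123.154.30", "DestinationPort": 3456},
    # Benign control: a vendor installer registering itself from Program Files.
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
]

if __name__ == "__main__":
    for rule, where in evaluate(SAMPLE_EVENTS):
        print(f"{rule}: {where}")
```

The DpiScaling.exe event is the caveat worth keeping in mind: the location rule is silent because the C2 traffic to 206.123.154.30:3456 comes from a binary that lives in System32 and was injected into, so that connection has to be caught by the injection signatures or by the C2 indicators rather than by where the image sits on disk.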
Threat name: Win32.Trojan.FormBook
Status: Malicious
First seen: 2022-03-08 13:19:11 UTC
File Type: PE (Exe)
Extracted files: 46
AV detection: 21 of 27 (77.78%)
Threat level: 5/5
Result
Malware family: warzonerat
Score: 10/10
Tags: family:warzonerat infostealer persistence rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Runs net.exe
Program crash
Adds Run key to start application
Warzone RAT Payload
WarzoneRat, AveMaria
Malware Config
C2 Extraction: mrbigs.hopto.org:3456
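The extracted C2 (host:port) together with the address it resolved to in the Joe Sandbox run (206.123.154.30) is the most directly actionable item on this page. The following is an added example, not Triage or MalwareBazaar code: it parses the C2 entry and matches it against constructed DNS and flow records (the record field names are assumptions). Two caveats are built in: hopto.org is a No-IP dynamic-DNS zone shared by many unrelated users, so only the exact hostname is matched, and the resolved IP is paired with the port because a dynamic-DNS address can be reassigned or shared.

```python
"""Turn the extracted C2 'mrbigs.hopto.org:3456' into checks over DNS and flow
records. Added example, not Triage or MalwareBazaar code. The C2 string and the
resolved address come from this page; the log records are constructed and the
field names are assumptions.
"""
import ipaddress

# From the Triage 'C2 Extraction' on this page.
C2_ENTRIES = ["mrbigs.hopto.org:3456"]
# From the Joe Sandbox behaviour graph (resolved during that one run; hopto.org
# is a dynamic-DNS zone, so the address can change at any time).
RESOLVED = {"mrbigs.hopto.org": {"206.123.154.30"}}


def parse_c2(entry):
    """Split 'host:port' (or '[v6addr]:port') into (host, port)."""
    host, sep, port = entry.rpartition(":")
    if not sep:
        raise ValueError(f"no port in C2 entry {entry!r}")
    host = host.strip("[]").lower().rstrip(".")
    return host, int(port)


def is_ip(host):
    """True if the C2 'host' is a literal IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dns_hit(record, c2s):
    """Exact hostname match only: blocking all of hopto.org would also hit the
    legitimate dynamic-DNS users of that zone."""
    qname = record["qname"].lower().rstrip(".")
    return any(qname == host for host, _ in c2s if not is_ip(host))


def flow_hit(record, c2s, resolved):
    """Destination is a C2 address (literal or resolved) AND the port matches;
    the port test keeps unrelated traffic to a shared address from firing."""
    dst, port = record["dst_ip"], record["dst_port"]
    for host, c2_port in c2s:
        addrs = {host} if is_ip(host) else resolved.get(host, set())
        if dst in addrs and port == c2_port:
            return True
    return False


def scan(dns_records, flow_records, c2_entries=C2_ENTRIES, resolved=RESOLVED):
    """Return (matching DNS records, matching flow records)."""
    c2s = [parse_c2(e) for e in c2_entries]
    dns_matches = [r for r in dns_records if dns_hit(r, c2s)]
    flow_matches = [r for r in flow_records if flow_hit(r, c2s, resolved)]
    return dns_matches, flow_matches


# Constructed records (not real telemetry).
DNS_LOG = [
    {"src": "10.0.0.15", "qname": "mrbigs.hopto.org."},
    {"src": "10.0.0.15", "qname": "tsnwhq.by.files.1drv.com"},
    {"src": "10.0.0.22", "qname": "homecam.hopto.org"},  # same dyn-DNS zone, not the C2
]
FLOW_LOG = [
    {"src": "10.0.0.15", "dst_ip": "206.123.154.30", "dst_port": 3456},
    {"src": "10.0.0.15", "dst_ip": "206.123.154.30", "dst_port": 80},  # same IP, other port
    {"src": "10.0.0.15", "dst_ip": "13.107.43.13", "dst_port": 443},  # Microsoft, from the graph
]

if __name__ == "__main__":
    dns_matches, flow_matches = scan(DNS_LOG, FLOW_LOG)
    print("dns:", dns_matches)
    print("flow:", flow_matches)
```

Treat the IP pairing as a point-in-time indicator: the hostname is the durable part of this IOC, and a resolver log for mrbigs.hopto.org should be re-checked rather than relying on 206.123.154.30 staying put.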
Unpacked files
SHA256 hash: 82c6df58281ae7cc2374f3cb500a03483c5e5f1b53b84f8f96223eb7c50bdb44
MD5 hash: 189fa04bd7b35f265ab6ff4d7e25787c
SHA1 hash: 815b241eb9128ae75c1b187b39e95434eb780499
Detections: win_dbatloader_w0
Parent samples:
SHA256 hash: a54f3a94b5d82060b575d85b0ab779f32f532c96beef3081783f838e687bfcfc
MD5 hash: b039b3394d5a6794d9ffe10d15ece404
SHA1 hash: d86a03a312f8c34a464e997dab02bd74f4f8a40b
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:AveMaria
Author:@bartblaze
Description:Identifies AveMaria aka WarZone RAT.
Rule name:AveMaria_WarZone
Rule name:ave_maria_warzone_rat
Author:jeFF0Falltrades
Rule name:Codoso_Gh0st_1
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_1_RID2C2D
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:Codoso_Gh0st_2_RID2C2E
Author:Florian Roth
Description:Detects Codoso APT Gh0st Malware
Reference:https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM
Author:ditekSHen
Description:Detects executables embedding command execution via IExecuteCommand COM object
Rule name:MALWARE_Win_AveMaria
Author:ditekSHen
Description:AveMaria variant payload
Rule name:MALWARE_Win_WarzoneRAT
Author:ditekSHen
Description:Detects AveMaria/WarzoneRAT
Rule name:MAL_Envrial_Jan18_1
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:RDPWrap
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:win_ave_maria_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.ave_maria.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments