MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a6c3e40fcbe7e8672cbaaec87bcca2246f2858235f10e66106463c7b5b4c6620. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a6c3e40fcbe7e8672cbaaec87bcca2246f2858235f10e66106463c7b5b4c6620
SHA3-384 hash: 623bcb435569bcbc0897fd583c785ff22cd84674a9a3f6327dccfd023d542e1251d399bb71dfda2e92e3d151f581760c
SHA1 hash: 2c13f04d43a7b279b9a2100c67ee73eef40d40d2
MD5 hash: 6fa79c4362c5d22fa4764db0e9222f47
humanhash: crazy-september-white-green
File name:DRAFT-KMBT-F33C6592-96F3-4015-8107_IMG.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:14'564'721 bytes
First seen:2021-01-04 13:19:31 UTC
Last seen:2021-01-04 14:30:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f30226d320a41698c71e7b23b3acc4af (2 x ModiLoader, 1 x Loki)
ssdeep 12288:xZONNBHxOE9p3ft+AAO2Nqir4JKKLgs9T2H1EXEdYyDf:PqNB/9pvEAAlLrSKKEs9K1aYYE
Threatray 380 similar samples on MalwareBazaar
TLSH 91E67CE2B1AD4477E163D93C4C46D6AC6E2BBF2C2F28545E36E43F0DAB392817C16152
Reporter abuse_ch
Tags:exe ModiLoader


Avatar
abuse_ch
Malspam distributing ModiLoader:

HELO: smtp.redshift.com
Sending IP: 216.228.2.205
From: Accounts <rsanchez@redshift.com>
Reply-To: Microsoft Outlook <mye-mail@europe.com>
Subject: Fw: Overdue
Attachment: DRAFT-KMBT-OVER DUE-F33C92-96F3-4015-8107_IMG.xz (contains "DRAFT-KMBT-F33C6592-96F3-4015-8107_IMG.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
365
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DRAFT-KMBT-F33C6592-96F3-4015-8107_IMG.exe
Verdict:
Suspicious activity
Analysis date:
2021-01-04 13:33:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/633dcc12-e411-4686-a237-aca0cd731a87

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/110397/
Detection(s):
SecuriteInfo.com.Fareit-FZO6FA79C4362C5.18442.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Moving of the original file
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/573382
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Moves itself to temp directory
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a6c3e40fcbe7e8672cbaaec87bcca2246f2858235f10e66106463c7b5b4c6620/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-01-04 13:20:10 UTC
AV detection:
10 of 47 (21.28%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u3b6id6l47ugolf2v3ehxtfcerxsqwbdl4iomyigiy6hww2mmyqa._file
Verdict:
malicious
Similar samples:
23f63135c2789e7ef408e0184508a7340f673860f0fefc09dd705276d82d7787
ModiLoader
29790388ca244a8fd3bb2448a59e45fba4dc715fec7a0bf09a7f6d4df79ef9a9
ModiLoader
2ec7c847f0688dff3229c676bb15e88e1c576bcb67157341887ffc3a20375190
ModiLoader
49cd5a74bbebb0bb147f1bfb1e0ec7e42de79cd137eff2b62386cb3ac5229dab
ModiLoader
56f814347c8ec650f905e26cb30343d437b587d8f663ac6bbf4ae4ca483898e1
ModiLoader
7d957b25b466f6b1eca625ad56a3472a83b2efc825a5d056a7d11b1b74f17fa3
ModiLoader
977f77728f1783062f8c072096f0b7535ec74f686c3e40db5dc78766edabffeb
ModiLoader
c4e42ebfd487b325ece4f09d75687c96e252aa8559f8a8daad6336dc39ee5424
ModiLoader
d8ab8eb6d9e9fdb54f5d72254eafb2732342f8883ee96749bb8615ca196963bb
ModiLoader
dbb953f1943fa6f07fcaad4f4469fc48a19dc1df34b2502ea8c7b789bedbfade
ModiLoader
+ 370 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210104-5zz7aesbha/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
a6c3e40fcbe7e8672cbaaec87bcca2246f2858235f10e66106463c7b5b4c6620
MD5 hash:
6fa79c4362c5d22fa4764db0e9222f47
SHA1 hash:
2c13f04d43a7b279b9a2100c67ee73eef40d40d2
Link:
https://www.unpac.me/results/f6c45562-2991-497e-8595-2e6c4d6c56b9/
SH256 hash:
f9e0012852e0a96f0a7e1802bf7cd9ad62cab4764fb6d48ec257e6e56f561542
MD5 hash:
e97ba7b71086469b15fc2b32aedec053
SHA1 hash:
8f4b2c2fcf7019ec909451aa605783009f17280f
Link:
https://www.unpac.me/results/f6c45562-2991-497e-8595-2e6c4d6c56b9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a6c3e40fcbe7e8672cbaaec87bcca2246f2858235f10e66106463c7b5b4c6620

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

xz 0f78c28253b05c387d8c3550e4604b701b9af0689bedde25b73a611e1e781a35

ModiLoader

Executable exe a6c3e40fcbe7e8672cbaaec87bcca2246f2858235f10e66106463c7b5b4c6620

(this sample)

  
Dropped by
MD5 d74fec50dfe87d0bd7363f6121b1f912
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 0f78c28253b05c387d8c3550e4604b701b9af0689bedde25b73a611e1e781a35
Cape
Cape
https://www.capesandbox.com/analysis/110397/

Comments