MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa2bebb80a2f29bf67f6635053d5283b3279ac9617ae5210479eb3a683d57d2e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ModiLoader

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	aa2bebb80a2f29bf67f6635053d5283b3279ac9617ae5210479eb3a683d57d2e
SHA3-384 hash:	20ac452db174156251b69793529801229df0c2ee77f7b4054b0e48eee3c2ebb6083de529187d908e0e562840b60cced7
SHA1 hash:	e988031358af6e273d4866813c4b7b92058a3ebe
MD5 hash:	f195402f93e20e909df6d74c73b93ee6
humanhash:	idaho-earth-mike-sixteen
File name:	Scan_IMG02781838-RFQ Tender Docs Submission.exe
Download:	download sample
Signature	ModiLoader Create hunting rule
File size:	729'508 bytes
First seen:	2020-08-20 13:32:00 UTC
Last seen:	2020-08-20 14:36:19 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9a000d63df0008980b9277a4d29c97cd (1 x ModiLoader)
ssdeep	12288:tM9ZgHiToDf4xovnkKZsThL2k63mSzy/eAvGViE6j:GnjTMf4ivnkVh5SHFAvG
Threatray	224 similar samples on MalwareBazaar
TLSH	2AF48D23A2E0C572D03619389F1BEBA89D26BF203D349D562EF10E1CDE7A7417C2A557
Reporter	James_inthe_box
Tags:	exe ModiLoader

Code Signing Certificate

Organisation:	Microsoft Time-Stamp Service
Issuer:	Microsoft Time-Stamp PCA
Algorithm:	sha1WithRSAEncryption
Valid from:	Sep 7 17:58:56 2016 GMT
Valid to:	Sep 7 17:58:56 2018 GMT
Serial number:	33000000CCCBB813EB5D722D450000000000CC
Intelligence:	15 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	0C043752471269029D69B98BD42DFAD2656F1BCFDEC9A291039F4EF69B496C70
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/49168/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

DNS request

Sending a custom TCP request

Creating a file

Launching a process

Running batch commands

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

Creating a file in the %AppData% directory

Deleting a recently created file

Reading critical registry keys

Creating a file in the %temp% directory

Setting a single autorun event

Unauthorized injection to a recently created process by context flags manipulation

Stealing user critical data

Unauthorized injection to a system process

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/441637

Signature

Antivirus / Scanner detection for submitted sample

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/aa2bebb80a2f29bf67f6635053d5283b3279ac9617ae5210479eb3a683d57d2e/

Threat name:

Win32.Trojan.Delf

Status:

Malicious

First seen:

2020-08-20 05:05:19 UTC

File Type:

PE (Exe)

Extracted files:

111

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=viv6xoakf4u36z7wmnifhvjihmzhtlewc6xfeecht2z2na6vpuxa._file

Verdict:

malicious

ModiLoader

08fe7e61eafc062a5f50981fae0f578442cdfd31a00e2398389c8bea37485f02

ModiLoader

090c4ff20568f647c80d5ae386bf5aedd9d8b066066a465b5300f8bd42ff1282

ModiLoader

286c2eb8755215619d8cb48cc884091251729d5925b74444fe3b62c2c1a5acb5

ModiLoader

37c2608ad09b3f6d0cd33476b8f6bf6fefd1a0f2408657072da80a0454da7e6f

ModiLoader

3c0db9b222c66430abc435ed119d17751f1c7721d9f0a9a6aa7e17c5230eeeb9

ModiLoader

54cdc9b1ede5661104e61f012de44e010500744c2b3003a6ffaff2f3f6eded34

ModiLoader

6916d0f41d35a9142e598496a1e996616b4fad6d15f0f3da7ec9210b6a124586

ModiLoader

8fa8051d68f0b059927318bc2b712fa94f7a2426e0ad00061e3c3dc2206bf955

ModiLoader

e7a5b30eb4ad9f5b7b53bd402756a623c67cfb8d46d1148b40d8bc2d4ea43594

ModiLoader

+ 214 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/200820-kgtl6baccs/

Behaviour

Modifies registry key

Modifies system certificate store

Suspicious use of WriteProcessMemory

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

JavaScript code in executable

Loads dropped DLL

Reads user/profile data of web browsers

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/aa2bebb80a2f29bf67f6635053d5283b3279ac9617ae5210479eb3a683d57d2e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	win_dbatloader_g0 Create hunting rule
Author:	Slavo Greminger, SWITCH-CERT
Description:	targets loader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/49168/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample