MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac6fe5d0dc9129225e65b82c6b992641ed6f036c1ae62f8e889821580416ebab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac6fe5d0dc9129225e65b82c6b992641ed6f036c1ae62f8e889821580416ebab
SHA3-384 hash: fd7f53725269ea11401ca557b0b3fd094abc5babfe1564bdf787c1ecd21f625932ec4b17a5ec87b1995a7bb4730ced41
SHA1 hash: ad79ccf45b884db5a13cbd68b1a2348b7e4cb33b
MD5 hash: 47e514142e1652f5cde53b9369d17eb3
humanhash: pizza-edward-pizza-eight
File name:HSBC-Bank.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'042'944 bytes
First seen:2020-10-15 11:31:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a31ea16644ced8e431e2fe203a7b0361 (15 x ModiLoader, 4 x Loki, 1 x RemcosRAT)
ssdeep 24576:QFT7lBs40jT0sUbtpW/nAOPq3Sp58Bn7nLT6USE/7LYUx5t8SH1:QvBsxTEi5A7nLT6USE/7kUPt
Threatray 333 similar samples on MalwareBazaar
TLSH 6F25CF31F3E2CA36F25315318C2B5BB99532BE002924945A76E63C4DAE367F079396D3
Reporter abuse_ch
Tags:exe geo HSBC ModiLoader TUR


Avatar
abuse_ch
Malspam distributing ModiLoader:

HELO: h22.megalink.com
Sending IP: 200.75.160.22
From: Ziraath Bankası <account@ptssyndicate.com>
Subject: Gelen Ödeme Bildirimi
Attachment: HSBC-Bank.iso (contains "HSBC-Bank.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/71291/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Launching cmd.exe command interpreter
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/492210
Signature
Allocates memory in foreign processes
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 298563 Sample: HSBC-Bank.exe Startdate: 15/10/2020 Architecture: WINDOWS Score: 100 32 wzefi.duckdns.org 2->32 46 Malicious sample detected (through community Yara rule) 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 Yara detected AveMaria stealer 2->50 52 5 other signatures 2->52 9 HSBC-Bank.exe 1 15 2->9         started        14 Nbcddrv.exe 13 2->14         started        16 Nbcddrv.exe 13 2->16         started        signatures3 process4 dnsIp5 38 discord.com 162.159.128.233, 443, 49730, 49731 CLOUDFLARENETUS United States 9->38 40 cdn.discordapp.com 162.159.130.233, 443, 49732 CLOUDFLARENETUS United States 9->40 30 C:\Users\user\AppData\Local\...30bcddrv.exe, PE32 9->30 dropped 62 Writes to foreign memory regions 9->62 64 Allocates memory in foreign processes 9->64 66 Injects a PE file into a foreign processes 9->66 18 ieinstal.exe 3 2 9->18         started        42 162.159.136.232, 443, 49743, 49744 CLOUDFLARENETUS United States 14->42 22 ieinstal.exe 1 14->22         started        44 162.159.134.233, 443, 49738, 49745 CLOUDFLARENETUS United States 16->44 68 Multi AV Scanner detection for dropped file 16->68 24 ieinstal.exe 16->24         started        file6 signatures7 process8 dnsIp9 34 wzefi.duckdns.org 194.5.97.15, 49735, 49742, 49751 DANILENKODE Netherlands 18->34 36 192.168.2.1 unknown unknown 18->36 54 Writes to foreign memory regions 18->54 56 Allocates memory in foreign processes 18->56 58 Increases the number of concurrent connection per server for Internet Explorer 18->58 60 2 other signatures 18->60 26 cmd.exe 1 18->26         started        signatures10 process11 process12 28 conhost.exe 26->28         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ac6fe5d0dc9129225e65b82c6b992641ed6f036c1ae62f8e889821580416ebab/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-10-15 08:05:26 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vrx6lug4seusextfxawgxgjgihww6a3mdltc7duitaqvqbaw5ovq._file
Verdict:
malicious
Similar samples:
1718ca5c80e3a42cec338fea4417d36fda3facf65d2828ccf438098caedf9a7e
ModiLoader
3e64029948a8c6ff5de11ab028df1acdc90b10a8953e7ffabd78fe3b3de84e61
ModiLoader
78582d172358ebeb7af791aeea731373b6856ab905c5ac122403fd8d0c31b8f3
ModiLoader
85c2475f5bb564338727b25d030019e2ec0f08a9892df26024e45339ef3c0792
ModiLoader
8740660b719c87f2e9deb11c5fbda1a6ffd0c770a571d4945056d53e7a6b31c3
ModiLoader
8e0f1afb542d73ead6c9942171d40ba9117a2b6f39c386ba9e51b22b78c7005f
ModiLoader
b44ef524ef77ea1ee0bcb7096b328f6f94a4621df0d15114e8ff43e83483bbc6
ModiLoader
b8c6d9ced99143d34fd8829125c6ff46bc0c55569f401ec4d1354f3d0825c4c4
ModiLoader
c358b44f578fd2dedbb1899038415395ae2052c113aaa149481cde295e022bda
ModiLoader
dd4198b0a2a1c500bed498963e966d3476b778e1b917434847abb81c987fba55
ModiLoader
+ 323 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
rat persistence trojan family:modiloader infostealer family:warzonerat
Link:
https://tria.ge/reports/201015-2vwam3d4ja/
Behaviour
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
ModiLoader Second Stage
Warzone RAT Payload
ServiceHost packer
ModiLoader, DBatLoader
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
ac6fe5d0dc9129225e65b82c6b992641ed6f036c1ae62f8e889821580416ebab
MD5 hash:
47e514142e1652f5cde53b9369d17eb3
SHA1 hash:
ad79ccf45b884db5a13cbd68b1a2348b7e4cb33b
Link:
https://www.unpac.me/results/3796cd30-dc61-4588-b129-d8a3ff7f21b5/
SH256 hash:
2e79a668c38b8a38e4bbaf756f83d603bae0394c05ee97a1eabbdc88d3700ce2
MD5 hash:
bbb6176f7ed33dfc1041afd980c01e31
SHA1 hash:
b217762adf8b4e13879291f0f6fc6a649f6fe3c1
Link:
https://www.unpac.me/results/3796cd30-dc61-4588-b129-d8a3ff7f21b5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ac6fe5d0dc9129225e65b82c6b992641ed6f036c1ae62f8e889821580416ebab

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

iso 0f00e08c97ad6a8dba0db69767310669d79bfaeacc839496ab018c4a1ce322e1

ModiLoader

Executable exe ac6fe5d0dc9129225e65b82c6b992641ed6f036c1ae62f8e889821580416ebab

(this sample)

  
Dropped by
MD5 5d7564ab519aa4cf1150056633bbc562
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/71291/
  
Dropped by
SHA256 0f00e08c97ad6a8dba0db69767310669d79bfaeacc839496ab018c4a1ce322e1

Comments