MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b342e43b58105e3bd31bf61e0042f9c79cb3d2b34cae4b4496c764a980da1e13. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b342e43b58105e3bd31bf61e0042f9c79cb3d2b34cae4b4496c764a980da1e13
SHA3-384 hash: 5836c15bdce0d494bf065a583be464e37639c22e1072a6fe9e5e6b36518f89b2ae335f18c4604c1df0505702d1b74cf0
SHA1 hash: 357e41272b6ef2ff6b8dfcc73a065e59d6a564f4
MD5 hash: aaf566a80f6eb58de87b3c9e1badf058
humanhash: alaska-helium-oklahoma-snake
File name:sample quote.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'060'184 bytes
First seen:2020-12-09 10:45:51 UTC
Last seen:2020-12-09 13:02:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b533f6ccb714ea0a0f83e1cff60dbfe0 (8 x ModiLoader, 2 x RemcosRAT)
ssdeep 24576:vklbZpRNhPXNH/yLjaKuOflQKE7D/cX+2hu0aQ:vkhRXNNKuOtQl/2vhuxQ
Threatray 636 similar samples on MalwareBazaar
TLSH 5B35BFE3F2D1453EF1360574AD0795757825EE192E8EA84A27BD2E0C0F7C6C6380B99B
Reporter abuse_ch
Tags:exe ModiLoader


Avatar
abuse_ch
Malspam distributing ModiLoader:

HELO: mailrelay106.isp.belgacom.be
Sending IP: 195.238.20.133
From: DAN VIET TRADING CO<test@haarpro.nl>
Reply-To: <635165457@qq.com>
Subject: Re : Additional Order
Attachment: sample quote.rar (contains "sample quote.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
119
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
sample quote.exe
Verdict:
Malicious activity
Analysis date:
2020-12-09 11:16:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a757533a-bb6b-4f8d-91a0-aab59e9414e4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/107442/
Detection(s):
PUA.Win.Trojan.Generic-6629274-0
Create hunting rule

PUA.Win.Adware.Qjwmonkey-6892535-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Gathering data
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/558879
Signature
Allocates memory in foreign processes
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 328542 Sample: sample quote.exe Startdate: 09/12/2020 Architecture: WINDOWS Score: 100 29 Malicious sample detected (through community Yara rule) 2->29 31 Yara detected AveMaria stealer 2->31 33 Contains functionality to hide user accounts 2->33 35 4 other signatures 2->35 6 sample quote.exe 1 16 2->6         started        11 Vpaqdrv.exe 14 2->11         started        process3 dnsIp4 21 cdn.discordapp.com 162.159.129.233, 443, 49722, 49735 CLOUDFLARENETUS United States 6->21 23 discord.com 162.159.137.232, 443, 49721 CLOUDFLARENETUS United States 6->23 19 C:\Users\user\AppData\Local\...\Vpaqdrv.exe, PE32 6->19 dropped 37 Writes to foreign memory regions 6->37 39 Allocates memory in foreign processes 6->39 41 Injects a PE file into a foreign processes 6->41 13 ieinstal.exe 3 4 6->13         started        25 162.159.128.233, 443, 49734 CLOUDFLARENETUS United States 11->25 17 ieinstal.exe 1 11->17         started        file5 signatures6 process7 dnsIp8 27 williamz20.ddns.net 194.33.45.171, 3920, 49725 CLOUVIDERClouvider-GlobalASNGB United Kingdom 13->27 43 Tries to steal Mail credentials (via file access) 13->43 45 Tries to harvest and steal browser information (history, passwords, etc) 13->45 47 Increases the number of concurrent connection per server for Internet Explorer 13->47 49 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->49 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b342e43b58105e3bd31bf61e0042f9c79cb3d2b34cae4b4496c764a980da1e13/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-12-09 10:46:10 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wnboio2ycbpdxuy36ypaaqxzy6olhuvtjsxewrewy5sktag2dyjq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
0629278e51106220eb8727f80f4c24cfb432e6344561e8518030b19b669bcc72
ModiLoader
3327d99c25c0d09e27fca09b9c362340be2696024bf4f9cb48776876de8fb472
ModiLoader
4e420c5efeb26330ec4eb618426d859222b791798df3ae65c59fc20ef2f2889a
ModiLoader
52e8ebb47ae631081c6ac0ab78219951e8c7ac540e11b420e92d5df89ea719d7
ModiLoader
6c483817d7c95cd3ac3be070d84f1647b938ad3341f7b4854924a77892507af8
ModiLoader
88cd6b3cae21bbdf028d5fee94c3552ecc427043b70b8407e9f936857c637ee5
ModiLoader
90d5792fd0a2ab859f120bef8f12a28c8f7e4119a43054c22db57e76c7b386a0
ModiLoader
d30b949fc05b15b611b3fe420b6883062c5bb2b270c769540c48f703a46cbbf3
ModiLoader
e0e3ae47b7e48c3c81724d0a63f5f6f8033bb516d97c538ea52349a102a0e1b6
ModiLoader
f6878003c470e531787cd70fc0785bb01a5c64d6a39f0efec5aabc5ac3f5f889
ModiLoader
+ 626 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:warzonerat infostealer persistence rat spyware trojan
Link:
https://tria.ge/reports/201209-qx7drzarg2/
Behaviour
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
JavaScript code in executable
Loads dropped DLL
Reads user/profile data of web browsers
Warzone RAT Payload
ModiLoader, DBatLoader
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
b342e43b58105e3bd31bf61e0042f9c79cb3d2b34cae4b4496c764a980da1e13
MD5 hash:
aaf566a80f6eb58de87b3c9e1badf058
SHA1 hash:
357e41272b6ef2ff6b8dfcc73a065e59d6a564f4
Link:
https://www.unpac.me/results/c7c1af8d-52af-4dec-8549-bc375715b9e6/
SH256 hash:
ed2a05877dcfdc25a9053024a005aa64da12c012287e8002a49ee80b2277c947
MD5 hash:
5b5edf602bc9c6ce4404508c1ce644fe
SHA1 hash:
4752cb2802595cfc81aef44592c588fe195da0bc
Link:
https://www.unpac.me/results/c7c1af8d-52af-4dec-8549-bc375715b9e6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b342e43b58105e3bd31bf61e0042f9c79cb3d2b34cae4b4496c764a980da1e13

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

rar f69817e7f58dee335c947d2ee0cfe23fc9f9918b9afa59d809fbdaabc302fc91

ModiLoader

Executable exe b342e43b58105e3bd31bf61e0042f9c79cb3d2b34cae4b4496c764a980da1e13

(this sample)

  
Dropped by
MD5 f9fd52da6c6ed62d923146fd8d38fb0d
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/107442/
  
Dropped by
SHA256 f69817e7f58dee335c947d2ee0cfe23fc9f9918b9afa59d809fbdaabc302fc91

Comments