MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b887c7f81c3a3ea44b3b8faef1569e8cecba43c90c976ee19bf801ed5c44cb7e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ModiLoader

Vendor detections: 6

Intelligence 6 IOCs YARA 2 File information Comments

SHA256 hash:	b887c7f81c3a3ea44b3b8faef1569e8cecba43c90c976ee19bf801ed5c44cb7e
SHA3-384 hash:	06482b133a2a3108c00038af597dcf443b782323d07e802248868c44367c1963944a91a307ed1ffc7992456aedfcbc54
SHA1 hash:	f8aad9b73629acbe74edc7291ef76edab5cc37de
MD5 hash:	002e10cc06f45210d45f5a3fb9a1764e
humanhash:	romeo-two-six-carpet
File name:	PKO-892321.exe
Download:	download sample
Signature	ModiLoader Create hunting rule
File size:	1'050'624 bytes
First seen:	2020-10-21 08:51:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	43f29e85d3150ea9833f321c3be626c8 (9 x ModiLoader, 1 x NetWire, 1 x AveMariaRAT)
ssdeep	12288:4hVKeF40BRicbRToD1whMmvlThTD3mG91gX2jU6vm4fMsdF6eID:4hU0RicG6b9T17mG9uX2NmDkF6zD
Threatray	244 similar samples on MalwareBazaar
TLSH	77256B627290C332D072D6B9CC5FA6787599FE40ED287846F7AC7D4A6F35E81202B247
Reporter	abuse_ch
Tags:	exe ModiLoader

abuse_ch

Malspam distributing ModiLoader:

HELO: mx1.e-tiger.net
Sending IP: 193.23.139.20
From: Policja <notices@policja.pl>
Subject: Ostatnie zaproszenie od policji
Attachment: PKO-892321.iso (contains "PKO-892321.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/73914/

Detection(s):

SecuriteInfo.com.Artemis40C354B68313.10960.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

DNS request

Sending a custom TCP request

Creating a file

Launching a process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process by context flags manipulation

Connection attempt to an infection source

Result

Threat name:

AveMaria

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/505489

Signature

Contains functionality to hide user accounts

Contains functionality to inject threads in other processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal e-mail passwords

Hides that the sample has been downloaded from the Internet (zone.identifier)

Increases the number of concurrent connection per server for Internet Explorer

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Uses dynamic DNS services

Writes to foreign memory regions

Yara detected AveMaria stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b887c7f81c3a3ea44b3b8faef1569e8cecba43c90c976ee19bf801ed5c44cb7e/

Threat name:

Win32.Trojan.Remcos

Status:

Malicious

First seen:

2020-10-21 07:07:49 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xcd4p6a4hi7kisz3r6xpcvu6rtwluq6jbslw5ym37aa62xcezn7a._file

Verdict:

suspicious

ModiLoader

0567b86ec1e2be772943f8d57bba0d17f24ffb9f6b99ecb1214e74a27bbfe568

ModiLoader

0fac83472e461604cdb195068ca091af7c56d39c73794fa41394206e1ede2894

ModiLoader

167af253c02649b8a71af8a93d0d6d65669d979605db0ccc07f0bebd868e30f3

ModiLoader

37d784463964139b15ff2609fc173c430482c6feebef4a13a37df143e99468e5

ModiLoader

63a7c236bd4ae94b1491b4a6da2f959fa16153cf4b0d4d17fd8810b95aeec49f

ModiLoader

65228df6e85371a2b4b1e5340f11e36cdc94f8b39bda216c0ed143eaac36912b

ModiLoader

6ce29350390228c4f8cf474b079fc0e786b364cf5c0c8994b7ad1137c185be3b

ModiLoader

a51241f19d9e2f370c5fca701fb761a5faef8d2f0a16de8ddad6a1936020cdd3

ModiLoader

eacd4bf6e9ef503d844adb44043c83bd6324b805b6587a3d2b4b27ec0143dedc

ModiLoader

+ 234 additional samples on MalwareBazaar

Result

Malware family:

warzonerat

Score:

10/10

Tags:

rat persistence trojan family:modiloader infostealer family:warzonerat

Link:

https://tria.ge/reports/201021-6ma7ly8dyx/

Behaviour

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

ModiLoader First Stage

ModiLoader Second Stage

Warzone RAT Payload

ModiLoader, DBatLoader

WarzoneRat, AveMaria

Unpacked files

SH256 hash:

b887c7f81c3a3ea44b3b8faef1569e8cecba43c90c976ee19bf801ed5c44cb7e

MD5 hash:

002e10cc06f45210d45f5a3fb9a1764e

SHA1 hash:

f8aad9b73629acbe74edc7291ef76edab5cc37de

Link:

https://www.unpac.me/results/883ff098-bbaa-43f6-b132-49795454decb/

SH256 hash:

09d882b9f2ee1b1c4e741148bff6022ad2dc954336f4a0068e74ac44b8c0da90

MD5 hash:

2d396f6b17ced0f5bbe35732b059f39a

SHA1 hash:

f99451819cad0af6dc99df27d3c59ac47c50a2ec

Link:

https://www.unpac.me/results/883ff098-bbaa-43f6-b132-49795454decb/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	dsc Create hunting rule
Author:	Aaron DeVera
Description:	Discord domains

Rule name:	MALWARE_Win_DLAgent03 Create hunting rule
Author:	ditekSHen
Description:	Detects known Delphi downloader agent downloading second stage payload, notably from discord