MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bdfab1d388e83c33d6f0f055225f812165fe09ba813559e539be7ac9165e33ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bdfab1d388e83c33d6f0f055225f812165fe09ba813559e539be7ac9165e33ed
SHA3-384 hash: 147ea6ec2d0d6701a7a0fa9a79df7f91b2b84b217f79f350cf4b8321e11a7af13f24f2fe683e9e915a7bac96d6a97460
SHA1 hash: f097a3805937b67630d4ef2dc417ebbeed10c4ee
MD5 hash: 89030288488367f922bd3bac7797f58b
humanhash: florida-hot-cardinal-ohio
File name:Mzxzgme.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:963'584 bytes
First seen:2020-10-07 05:04:39 UTC
Last seen:2020-10-07 09:42:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f918ce4c02b222f66cc7aa2c3be8a168 (4 x ModiLoader)
ssdeep 12288:IKbIaBg0N87tcWa4WGEb7OVPso/BZm5gCiOsHMNTrdbJEBvJcc+L:IIG97KZGOsKOMhdbJH
Threatray 528 similar samples on MalwareBazaar
TLSH 01256D22A1D14C33C5F31A789D1BD358992EBD213D3AA9452BF22D4C7F35261793E2A3
Reporter GovCERT_CH
Tags:ModiLoader

Intelligence

File Origin
# of uploads :
10
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/68768/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Sending an HTTP POST request
Creating a file in the %temp% subdirectories
Deleting a recently created file
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Result
Threat name:
AZORult
Create hunting rule
Detection:
malicious
Classification:
phis.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/483648
Signature
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Detected AZORult Info Stealer
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 294273 Sample: Mzxzgme.exe Startdate: 07/10/2020 Architecture: WINDOWS Score: 100 54 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 5 other signatures 2->60 6 Mzxzgme.exe 1 15 2->6         started        11 Mzxznek.exe 13 2->11         started        13 Mzxznek.exe 13 2->13         started        process3 dnsIp4 34 cdn.discordapp.com 162.159.134.233, 443, 49731 CLOUDFLARENETUS United States 6->34 36 discord.com 162.159.136.232, 443, 49729, 49730 CLOUDFLARENETUS United States 6->36 32 C:\Users\user\AppData\Local\...\Mzxznek.exe, PE32 6->32 dropped 62 Writes to foreign memory regions 6->62 64 Allocates memory in foreign processes 6->64 66 Injects a PE file into a foreign processes 6->66 15 ieinstal.exe 63 6->15         started        38 162.159.135.233, 443, 49749 CLOUDFLARENETUS United States 11->38 68 Multi AV Scanner detection for dropped file 11->68 20 ieinstal.exe 12 11->20         started        40 162.159.128.233, 443, 49750, 49751 CLOUDFLARENETUS United States 13->40 42 162.159.130.233, 443, 49752 CLOUDFLARENETUS United States 13->42 22 ieinstal.exe 13->22         started        file5 signatures6 process7 dnsIp8 44 37.49.225.188, 49746, 49756, 49757 SQUITTER-NETWORKSNL Estonia 15->44 24 C:\Users\user\AppData\...\vcruntime140.dll, PE32 15->24 dropped 26 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32 15->26 dropped 28 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 15->28 dropped 30 45 other files (none is malicious) 15->30 dropped 46 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->46 48 Tries to steal Instant Messenger accounts or passwords 15->48 50 Tries to steal Mail credentials (via file access) 15->50 52 4 other signatures 15->52 file9 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bdfab1d388e83c33d6f0f055225f812165fe09ba813559e539be7ac9165e33ed/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-10-07 05:06:09 UTC
AV detection:
12 of 48 (25.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xx5ldu4i5a6dhvxq6bksex4befs74cn2qe2vtzjzxz5msfs6gpwq._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
2dc919f5d220f45c43cf0de4399d30313ff6566b79e4f367e279a0bb71429b84
ModiLoader
308c96557c6be5d4519ba4bac38c23e611c7b61683cfc1063a6009e216c24f5e
ModiLoader
3757d0cdf86233d9ca139d414dd7b1cb19ae824514490f747fcc931cf9ed750d
ModiLoader
483c603c9fb09c2e908d782f7e6f3f04e6e26b7eaaf8ac637733a4e4a32c80e7
ModiLoader
4b183077cbfa209aab597f0cfe66178add15a0d590ba3abdf170ae708617bfef
ModiLoader
5b9ece9761c68e4a604443f7541a1de74282f19a49f347a56a9ea4f02855f866
ModiLoader
8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464
ModiLoader
b553eccde98f7d193d5518a765c8a22eb65dd5f29026c96045892c47525536de
ModiLoader
c8dda41b34e9b16da333bfa30653a6f46be67c657158ecfd2c0463903b01e54d
ModiLoader
f09dc0b3275b4c1e3a616911805011c2871af1407599493dc980b6987cb313eb
ModiLoader
+ 518 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
persistence trojan family:modiloader infostealer family:azorult
Link:
https://tria.ge/reports/201007-k7fwa2wjra/
Behaviour
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Azorult
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
bdfab1d388e83c33d6f0f055225f812165fe09ba813559e539be7ac9165e33ed
MD5 hash:
89030288488367f922bd3bac7797f58b
SHA1 hash:
f097a3805937b67630d4ef2dc417ebbeed10c4ee
Detections:
win_dbatloader_auto
Create hunting rule
Link:
https://www.unpac.me/results/3943c893-1fea-4387-bf03-5e8158e40984/
SH256 hash:
2651f6df9e81ffdb17684ae10520051248dc55570b1186111d4dd3d8c0894aef
MD5 hash:
235e77c7c57d75ac7d8dd725587870fc
SHA1 hash:
b90f416138eab375acaf9fd0de7d858e13c4f5ac
Detections:
win_dbatloader_auto
Create hunting rule
Link:
https://www.unpac.me/results/3943c893-1fea-4387-bf03-5e8158e40984/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bdfab1d388e83c33d6f0f055225f812165fe09ba813559e539be7ac9165e33ed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_dbatloader_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

zip 81630fa3f66577a60dcb2f78fb0e39f651ca8dd401bfa511d6de285a91e10939

ModiLoader

Executable exe bdfab1d388e83c33d6f0f055225f812165fe09ba813559e539be7ac9165e33ed

(this sample)

  
Dropped by
MD5 8cfd6b3dc20fb3cfd11a604c07db6f78
  
Dropped by
SHA256 81630fa3f66577a60dcb2f78fb0e39f651ca8dd401bfa511d6de285a91e10939
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/68768/

Comments