MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bea787acfc0effd615ab72ab1be2d18bb7b1eb07bed15b013bdbbf3c61b5fd86. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bea787acfc0effd615ab72ab1be2d18bb7b1eb07bed15b013bdbbf3c61b5fd86
SHA3-384 hash: 209ac7cf5e6f6546cbf561e92c3620238369de2cafab2e8e6a018288c02c2fa3664b15e4a411050ccf9fa9edd8235b06
SHA1 hash: da417e9477c802b026aa530563a459adb51c9717
MD5 hash: f6ee56d33034e75411eba8141e3d78d6
humanhash: utah-shade-three-social
File name:Richiesta di ordine.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'060'184 bytes
First seen:2020-12-09 11:00:07 UTC
Last seen:2020-12-09 13:03:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b533f6ccb714ea0a0f83e1cff60dbfe0 (8 x ModiLoader, 2 x RemcosRAT)
ssdeep 24576:vklbZpRNhPXNH/yLjaKuOflEAE7D/cX+2hu0aQ:vkhRXNNKuOtEX/2vhuxQ
Threatray 393 similar samples on MalwareBazaar
TLSH 9235BFE3F2D1453EF5361570DD078675A828EE142E8E984627BE2E0C4F7D6C6380B99B
Reporter abuse_ch
Tags:exe geo ITA ModiLoader


Avatar
abuse_ch
Malspam distributing unidentified malware:

From: MA Srl <ma@cartasiliconata.com>
Subject: ORDINE
Attachment: Richiesta di ordine.img (contains "Richiesta di ordine.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
119
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Richiesta di ordine.exe
Verdict:
Malicious activity
Analysis date:
2020-12-09 11:13:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/73f95f3b-41de-44f9-949d-704049a6019f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/107447/
Detection(s):
PUA.Win.Trojan.Generic-6629274-0
Create hunting rule

PUA.Win.Adware.Qjwmonkey-6892535-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/558917
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 328558 Sample: Richiesta di ordine.exe Startdate: 09/12/2020 Architecture: WINDOWS Score: 100 45 Multi AV Scanner detection for submitted file 2->45 47 Detected unpacking (changes PE section rights) 2->47 49 Detected unpacking (overwrites its own PE header) 2->49 51 5 other signatures 2->51 6 Wplpdrv.exe 13 2->6         started        10 Wplpdrv.exe 13 2->10         started        12 Richiesta di ordine.exe 1 15 2->12         started        process3 dnsIp4 61 Multi AV Scanner detection for dropped file 6->61 63 Detected unpacking (changes PE section rights) 6->63 65 Detected unpacking (overwrites its own PE header) 6->65 69 2 other signatures 6->69 15 Wplpdrv.exe 2 6->15         started        37 162.159.135.233, 443, 49726 CLOUDFLARENETUS United States 10->37 39 162.159.138.232, 443, 49725 CLOUDFLARENETUS United States 10->39 67 Injects a PE file into a foreign processes 10->67 17 Wplpdrv.exe 14 2 10->17         started        41 cdn.discordapp.com 162.159.133.233, 443, 49720, 49724 CLOUDFLARENETUS United States 12->41 43 discord.com 162.159.137.232, 443, 49719, 49723 CLOUDFLARENETUS United States 12->43 23 C:\Users\user\AppData\Local\...\Wplpdrv.exe, PE32 12->23 dropped 21 Richiesta di ordine.exe 15 2 12->21         started        file5 signatures6 process7 dnsIp8 25 54.243.164.148, 443, 49729 AMAZON-AESUS United States 17->25 27 nagano-19599.herokussl.com 17->27 29 api.ipify.org 17->29 53 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->53 55 Tries to steal Mail credentials (via file access) 17->55 57 Tries to harvest and steal ftp login credentials 17->57 59 Tries to harvest and steal browser information (history, passwords, etc) 17->59 31 api.telegram.org 149.154.167.220, 443, 49728, 49730 TELEGRAMRU United Kingdom 21->31 33 elb097307-934924932.us-east-1.elb.amazonaws.com 174.129.214.20, 443, 49727 AMAZON-AESUS United States 21->33 35 2 other IPs or domains 21->35 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bea787acfc0effd615ab72ab1be2d18bb7b1eb07bed15b013bdbbf3c61b5fd86/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-12-09 11:01:05 UTC
AV detection:
9 of 48 (18.75%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x2typlh4b375mfnlokvrxywrro33d2yhx3ivwaj33o7tyynv7wda._file
Verdict:
malicious
Similar samples:
0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a
ModiLoader
08748788c6b5038ebd459dd1ca22636f8510231ccbe58c7e13725218ba599c63
ModiLoader
29c9884d02cba2c6ab0a72af878c9f1c2768d96b912f5847608fc040f5f98083
ModiLoader
2dae80e04d518be8a6e1659d53afd6aea2eecc35086db46b4dd0a701a4b6f812
ModiLoader
2e7e018ee5838bf8450f343923ba4ce6c1282ed1b727fc4ab5cbe69b6204fca2
ModiLoader
37cfb7fb31732401d50f7f17c28fbea5997ef4a7236ce89f37dc57675a76b23f
ModiLoader
911f245221b1aaa44c033afd587e3654c735d308cae006936fd79f42e93f5a2b
ModiLoader
99cf04b4681e23be9445dd54668231f52276645f4c263e4d2c1c730e7d264303
ModiLoader
c0442a7a63a5291b747e22a8e0eabe4abe3e344e6fbc3e4f1a0465895a29b5b2
ModiLoader
f862eb253778c7b1c35349d798736124d7ee97db446217b2e5962fe2431d1e46
ModiLoader
+ 383 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:modiloader keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201209-26tfckvgnx/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
bea787acfc0effd615ab72ab1be2d18bb7b1eb07bed15b013bdbbf3c61b5fd86
MD5 hash:
f6ee56d33034e75411eba8141e3d78d6
SHA1 hash:
da417e9477c802b026aa530563a459adb51c9717
Link:
https://www.unpac.me/results/f32aa8d4-f35f-4a64-8e41-a68a587c87ca/
SH256 hash:
cab1263911c15cff9a560e3476dea3fa21a032094b0a2b391638ceeaadd25edf
MD5 hash:
61ca5a1c2171e712fae2a9449694067d
SHA1 hash:
579c8943a7cc9b67558448750ab94897b78958fd
Link:
https://www.unpac.me/results/f32aa8d4-f35f-4a64-8e41-a68a587c87ca/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/bea787acfc0effd615ab72ab1be2d18bb7b1eb07bed15b013bdbbf3c61b5fd86

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

img 9e2fc392cf176b8db0877c97cda7e6729a00fb99c0529f67781c30da3924bdcb

ModiLoader

Executable exe bea787acfc0effd615ab72ab1be2d18bb7b1eb07bed15b013bdbbf3c61b5fd86

(this sample)

  
Dropped by
MD5 76c3f6725a6c7653e1f07e73a2414fd6
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 9e2fc392cf176b8db0877c97cda7e6729a00fb99c0529f67781c30da3924bdcb
Cape
Cape
https://www.capesandbox.com/analysis/107447/

Comments