MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bfea5a7839b0a45d3e0074b6e3882ada8f6aa913cf7e0d08ba290a49af855596. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ModiLoader

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	bfea5a7839b0a45d3e0074b6e3882ada8f6aa913cf7e0d08ba290a49af855596
SHA3-384 hash:	be08b3bac42be1b0c0fb906e2e9ef14b2d2a522e4a11cb29f69e5d1c343927f904c95946bb616755b97a2c6e80bad3ba
SHA1 hash:	254d4e34dd8521ea883e7140b7adc9a9ef09145c
MD5 hash:	e0a4e6378c211f8584be6aea083c9743
humanhash:	april-island-venus-echo
File name:	INV#0595.exe
Download:	download sample
Signature	ModiLoader Create hunting rule
File size:	642'596 bytes
First seen:	2020-08-14 10:57:55 UTC
Last seen:	2020-08-14 12:10:04 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	3c3296483bcf5ae4d4fe975713cd576c (5 x ModiLoader, 4 x RemcosRAT)
ssdeep	12288:Zlzkeq7ndoWM+iaS91vvC0sNmtgHrF4j:ZW1ndQ+ihvzc/
Threatray	523 similar samples on MalwareBazaar
TLSH	77D46C23A1F17473C3161E388D5BABA8AC25FE143954ED4E6EE83D4C8E397813D6A057
Reporter	abuse_ch
Tags:	exe ModiLoader

abuse_ch

Malspam distributing ModiLoader:

HELO: poydorus.t.mk
Sending IP: 195.26.152.36
From: f.petrovski@bulmak2016.com.mk <f.petrovski@bulmak2016.com.mk>
Subject: Re: factura revisada
Attachment: INV0595.rar (contains "INV#0595.exe")

Intelligence

File Origin

# of uploads :

2

# of downloads :

70

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/45857/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

DNS request

Sending a custom TCP request

Creating a file

Launching a process

Connection attempt

Setting a single autorun event

Unauthorized injection to a recently created process by context flags manipulation

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

48 / 100

Link:

https://www.joesandbox.com/analysis/429534

Signature

Machine Learning detection for dropped file

Machine Learning detection for sample

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bfea5a7839b0a45d3e0074b6e3882ada8f6aa913cf7e0d08ba290a49af855596/

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=x7vfu6bzwcsf2pqaos3ohcbk3khwvkitz57a2cf2fefetl4fkwla._file

Verdict:

malicious

Label(s):

avemaria

Similar samples:

2634e0e8f1f3eee5db8142e6bd4e011d7200d05aa6e5dda8fdbb31cf1ceeda08

32dc5aca6f7a54f4755ff65364abf1334d054cf96f79b0d8dbc2a0657c5ec1c9

4159a61a7c0571bee10a33f8d05ef51de606960476f66a00efcced87680be615

57f4246d683336ab606ba5831ce88a0ff47a42de652f72795fe76169195821e1

8cfce52a39c18564723c94b57b95a4be0328bb75350e7c866ee5f674b94d26e0

916870a38403e12df5b99954ce22758d7faaec29d338ae29226709c56bcd3d30

b05a55df4340a0e19bfb17cf39220e2e5470e0f7b35af6e9f243d7674d728d07

b612173e75cc939bb718725850a57a1487095d863db268758b5ee0bf2463f89d

caadaf420eed8a87831e8e3c02a6720272a4de3e3eb08e0a3f35a16837a17383

e10450894577e9df3b4e27386d3fa386341cd8357b0016fa918a1fc004cd1e01

+ 513 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

6/10

Tags:

persistence

Link:

https://tria.ge/reports/200814-lk22vr2k22/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Suspicious use of SetThreadContext

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bfea5a7839b0a45d3e0074b6e3882ada8f6aa913cf7e0d08ba290a49af855596

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar 0813c0ebc7092012c4dbfe613cdd7b3f52dc175a2ced5a9893ac0b17484881f8

exe bfea5a7839b0a45d3e0074b6e3882ada8f6aa913cf7e0d08ba290a49af855596

(this sample)

Dropped by

MD5 7fef9b35dc75bc140aff28c7c1cf0454

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/45857/

Dropped by

SHA256 0813c0ebc7092012c4dbfe613cdd7b3f52dc175a2ced5a9893ac0b17484881f8

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample