MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da31c02c004f7e04408dea6429c362b4870c87a99fb2ae8ace1dac200a7fce5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: da31c02c004f7e04408dea6429c362b4870c87a99fb2ae8ace1dac200a7fce5d
SHA3-384 hash: 86b7a70bd479bf627e09277ccc62ecab553435f6aa042ea73da4584b90064b001a3276d7d3c542d7580a66c4882810f1
SHA1 hash: 1ffe13bd73cf63b6ee0b6401cefd905a24cbb8a3
MD5 hash: 60c579a32e2cc16c804692018a64fa84
humanhash: delta-magazine-paris-river
File name:Doc00118871655141998.scr
Download: download sample
Signature ModiLoader
Create hunting rule
File size:973'736 bytes
First seen:2020-12-26 08:09:30 UTC
Last seen:2020-12-26 09:37:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8c39dea9b0451fb5bd19bdd2775e8629 (1 x ModiLoader)
ssdeep 12288:3ktJiYAb4e6ru732S0W9Xfnv3ZhM7wISwiscMnwUKE0C:3GJNt8NNZ3742VUCC
Threatray 1'017 similar samples on MalwareBazaar
TLSH 77253921227884B7E13DED368BDD93DC4D9C2D1D19792409B2AE79B8DB3F143A4391CA
Reporter abuse_ch
Tags:ModiLoader scr


Avatar
abuse_ch
Malspam distributing ModiLoader:

HELO: smtprelay.hostedemail.com
Sending IP: 216.40.44.243
From: Build-Mate PLC <eorder@buildmate.com.sg>
Subject: Build-Mate PLC- Please Advise on Availability of Enclosed PO
Attachment: Doc00118871655141998.img (contains "Doc00118871655141998.scr")

Intelligence

File Origin
# of uploads :
2
# of downloads :
545
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Doc00118871655141998.scr
Verdict:
Malicious activity
Analysis date:
2020-12-26 08:10:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3250c94f-406f-47aa-a807-c098ddbc59c9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/109477/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/570156
Signature
Allocates memory in foreign processes
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 334137 Sample: Doc00118871655141998.scr Startdate: 26/12/2020 Architecture: WINDOWS Score: 100 43 Malicious sample detected (through community Yara rule) 2->43 45 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->45 47 Yara detected AveMaria stealer 2->47 49 6 other signatures 2->49 6 Doc00118871655141998.exe 1 16 2->6         started        11 Draodvst.exe 14 2->11         started        13 Draodvst.exe 13 2->13         started        process3 dnsIp4 25 cdn.discordapp.com 162.159.134.233, 443, 49716 CLOUDFLARENETUS United States 6->25 27 discord.com 162.159.136.232, 443, 49715 CLOUDFLARENETUS United States 6->27 23 C:\Users\user\AppData\Local\...\Draodvst.exe, PE32 6->23 dropped 51 Writes to foreign memory regions 6->51 53 Allocates memory in foreign processes 6->53 55 Creates a thread in another existing process (thread injection) 6->55 15 ieinstal.exe 3 2 6->15         started        29 162.159.135.232, 443, 49731, 49736 CLOUDFLARENETUS United States 11->29 31 162.159.135.233, 443, 49734 CLOUDFLARENETUS United States 11->31 57 Machine Learning detection for dropped file 11->57 59 Injects a PE file into a foreign processes 11->59 19 ieinstal.exe 1 11->19         started        33 162.159.133.233, 443, 49737 CLOUDFLARENETUS United States 13->33 35 192.168.2.1 unknown unknown 13->35 21 ieinstal.exe 1 13->21         started        file5 signatures6 process7 dnsIp8 37 xchilogs.duckdns.org 54.37.160.157, 5893 OVHFR France 15->37 39 Increases the number of concurrent connection per server for Internet Explorer 15->39 41 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->41 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/da31c02c004f7e04408dea6429c362b4870c87a99fb2ae8ace1dac200a7fce5d/
Threat name:
Win32.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2020-12-26 08:10:08 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3iy4alaaj57aiqen5jsctq3cwsdqzb5jt6zk5cwodwwcact7zzoq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
122ef85900670d4776f3afdbe676d59c23c4cd9944b9d392eb9a446b3bb40dde
ModiLoader
5cbed2f8a5fdadbd99816c4c8792bd51a2db7479f80bf70409f0f257f942d0c9
ModiLoader
803ed954a2fbfa36e1b154d7b1b6b270021eb72583d5a876e5aaedd728c39cc7
ModiLoader
88cd6b3cae21bbdf028d5fee94c3552ecc427043b70b8407e9f936857c637ee5
ModiLoader
9c63d0166ebe40cb15a0754ed2902a9f076c81a0f5c7deafe74d9916d3d7a28a
ModiLoader
9f5afe868a8dd23926e807303d8896b239b802a3c366e448f4c59a103540019f
ModiLoader
af84cf642737e0b62537d9a78861cc129fbc0e68a34770cb70c6ccaa3f553687
ModiLoader
e05ae83047c3026873ff147e2b6e6a71ab396d23ee8c9346b2755c16a776774b
ModiLoader
e4769506e482cbdbaeae35eb657e75cfb941ab66253770896493666b023851a5
ModiLoader
f69faea7165ab34da776a4afaeb59a46c6061f58d431bc231bbab76db9e2ec4c
ModiLoader
+ 1'007 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:warzonerat infostealer persistence rat trojan
Link:
https://tria.ge/reports/201226-zhr2l3hjj6/
Behaviour
Modifies system certificate store
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader First Stage
Warzone RAT Payload
ModiLoader, DBatLoader
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
da31c02c004f7e04408dea6429c362b4870c87a99fb2ae8ace1dac200a7fce5d
MD5 hash:
60c579a32e2cc16c804692018a64fa84
SHA1 hash:
1ffe13bd73cf63b6ee0b6401cefd905a24cbb8a3
Link:
https://www.unpac.me/results/fbe132e0-32db-4cbd-a29a-3f8ae4748de6/
SH256 hash:
87dacc4715da9b9bb9bd77881af22c6ea353c95e97fc779fd0798ef2acf667e8
MD5 hash:
c48129cb756c33cff2b1d53c97e33b10
SHA1 hash:
a8827d97dde1662f1dff203ec4455573d9337ad6
Link:
https://www.unpac.me/results/fbe132e0-32db-4cbd-a29a-3f8ae4748de6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/da31c02c004f7e04408dea6429c362b4870c87a99fb2ae8ace1dac200a7fce5d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

img 913254b45e54bde9abe1d3873b351d38a3e87d8fa0f2b32488146ec1da73e85b

ModiLoader

Executable exe da31c02c004f7e04408dea6429c362b4870c87a99fb2ae8ace1dac200a7fce5d

(this sample)

  
Dropped by
MD5 a33624c9452c3e04d283805f55365a8a
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 913254b45e54bde9abe1d3873b351d38a3e87d8fa0f2b32488146ec1da73e85b
Cape
Cape
https://www.capesandbox.com/analysis/109477/

Comments