MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e05ae83047c3026873ff147e2b6e6a71ab396d23ee8c9346b2755c16a776774b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e05ae83047c3026873ff147e2b6e6a71ab396d23ee8c9346b2755c16a776774b
SHA3-384 hash: b4aaf991f56090c22c51bd8097ac755b3269c1b52589f65afb1fdd51d3d569fbd6089a0b07fae1a13d1ce76f49840cf6
SHA1 hash: 94c3a6347e0c9d11057f6161aa2ae79d046cc8d3
MD5 hash: ed0625e721132eadaf39b66225b1ff28
humanhash: mirror-red-johnny-hydrogen
File name:order-33738.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:738'088 bytes
First seen:2020-12-24 09:29:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0fe9a21f0eaacd42b3f42bdd72bc37cf (5 x ModiLoader)
ssdeep 12288:qsaXPocWk0vDvWHuHxJ+nEDZZE8NVbKCJU1sWaa0zZbzro161111GGRa1:qffo/vDvWHCxIEDsCdNJ61611117M1
Threatray 680 similar samples on MalwareBazaar
TLSH D4F49D22A3915837C0771D799C1B96A0DC3BBE113D28AA5AEBF51F8C5F3426139371A3
Reporter abuse_ch
Tags:exe ModiLoader


Avatar
abuse_ch
Malspam distributing ModiLoader:

HELO: mail.groenewold-newmedia.de
Sending IP: 78.47.22.93
From: Mirrasoul Hosseini<andia@groenewold-newmedia.de>
Subject: urgent order
Attachment: order-33738.rar (contains "order-33738.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
989
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
order-33738.exe
Verdict:
Malicious activity
Analysis date:
2020-12-24 09:31:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bb7cf146-ede9-4a4c-a892-0df868778fa6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/109327/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Backdoor.Win32.Rescoms.KD.17566.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict:
9
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/569662
Signature
Allocates memory in foreign processes
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 333889 Sample: order-33738.exe Startdate: 24/12/2020 Architecture: WINDOWS Score: 100 37 Malicious sample detected (through community Yara rule) 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 Yara detected AveMaria stealer 2->41 43 6 other signatures 2->43 6 order-33738.exe 1 16 2->6         started        11 Xcbzest.exe 14 2->11         started        13 Xcbzest.exe 13 2->13         started        process3 dnsIp4 25 discord.com 162.159.128.233, 443, 49748 CLOUDFLARENETUS United States 6->25 27 cdn.discordapp.com 162.159.135.233, 443, 49749, 49754 CLOUDFLARENETUS United States 6->27 23 C:\Users\user\AppData\Local\...\Xcbzest.exe, PE32 6->23 dropped 45 Writes to foreign memory regions 6->45 47 Allocates memory in foreign processes 6->47 49 Injects a PE file into a foreign processes 6->49 15 ieinstal.exe 3 2 6->15         started        29 162.159.137.232, 443, 49753, 49759 CLOUDFLARENETUS United States 11->29 51 Multi AV Scanner detection for dropped file 11->51 19 ieinstal.exe 11->19         started        21 ieinstal.exe 13->21         started        file5 signatures6 process7 dnsIp8 31 commz.ddns.net 207.32.219.71, 3601 1GSERVERSUS United States 15->31 33 Increases the number of concurrent connection per server for Internet Explorer 15->33 35 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->35 signatures9
Detection:
avemaria
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e05ae83047c3026873ff147e2b6e6a71ab396d23ee8c9346b2755c16a776774b/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2020-12-16 11:26:27 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4bnoqmchymbgq477cr7cw3tkogvts3jd52gjgrvsovobnj3wo5fq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
26cb5d17b635e301745c56300a842e86e30bd871bbe945a639b767c75687a579
ModiLoader
424f9c5a1a18e8761ab0e7c549bd7a8d9d5c5824dcb4c812d8f3fa6cd5ed756e
ModiLoader
6c483817d7c95cd3ac3be070d84f1647b938ad3341f7b4854924a77892507af8
ModiLoader
88cd6b3cae21bbdf028d5fee94c3552ecc427043b70b8407e9f936857c637ee5
ModiLoader
a0792945510f126714a42e9b4cef8b7e8d7aab504772b076c6df0a4e96f08e89
ModiLoader
ac5014e95dfb4de821b8aa9d0b8ee50c8b46f9430d4224c394d349ac757ed52d
ModiLoader
b50f9caa6df41cf34a52f45f989dc38ba037fd68535f6d7015fe602c826b0c1c
ModiLoader
c805a81435618323cd34e9729b058df78e9c496d1d6c752cc3e5c7cb30f26613
ModiLoader
de966245d2120df80add0bc610965487383a27ca6434abb2a41d3fb6447ee0cf
ModiLoader
ffa217c445af7f07f0c9fbdcc488db8e06ecfdb43906c6c5e7a11f7ac04b4bf4
ModiLoader
+ 670 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:warzonerat infostealer persistence rat trojan
Link:
https://tria.ge/reports/201224-m122319xaa/
Behaviour
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Warzone RAT Payload
ModiLoader, DBatLoader
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
51edc1ef4887a9008639ce7fdb2f41904b563035902d58d007be193cf329c5a6
MD5 hash:
ca1ff0369508dbe2a98835d5b8667bb5
SHA1 hash:
31fa0c2bdc201c9db7e3b32dd4458170c932c103
Link:
https://www.unpac.me/results/dfc92aea-a960-45db-8981-60d60ee500cd/
SH256 hash:
e05ae83047c3026873ff147e2b6e6a71ab396d23ee8c9346b2755c16a776774b
MD5 hash:
ed0625e721132eadaf39b66225b1ff28
SHA1 hash:
94c3a6347e0c9d11057f6161aa2ae79d046cc8d3
Detections:
win_dbatloader_auto
Create hunting rule
Link:
https://www.unpac.me/results/dfc92aea-a960-45db-8981-60d60ee500cd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e05ae83047c3026873ff147e2b6e6a71ab396d23ee8c9346b2755c16a776774b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_dbatloader_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

rar e201e3fd100fc74e6b38166373cda36bb78bab814075f9dadcfd33572491fcc8

ModiLoader

Executable exe e05ae83047c3026873ff147e2b6e6a71ab396d23ee8c9346b2755c16a776774b

(this sample)

  
Dropped by
MD5 9988e18563ae0aa74fdff51754c3245f
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 e201e3fd100fc74e6b38166373cda36bb78bab814075f9dadcfd33572491fcc8
Cape
Cape
https://www.capesandbox.com/analysis/109327/

Comments