MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1cc00d3cbcab395fd825729c328898cd832ebde183c616c1bece606f07e80d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e1cc00d3cbcab395fd825729c328898cd832ebde183c616c1bece606f07e80d7
SHA3-384 hash: 8d74bc4eb29aab1522f844f1aa356da65b6b8f8a8b06e38a90acae6185316f195bb46cec1950b8e8beb75515616ebfaf
SHA1 hash: 6a540e7acf25a5992961b6b8a831e085680c0bd7
MD5 hash: aebeb7b1a23449b44195814dda4fb002
humanhash: tango-violet-winner-solar
File name:aebeb7b1a23449b44195814dda4fb002.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:743'104 bytes
First seen:2020-12-09 10:37:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 084ab79676b5b0cc1ffaebcdcfdd0387 (2 x ModiLoader, 1 x Formbook)
ssdeep 12288:TYFnichEklZ6BuDkVHRN1azVxGfhL7XqZA4Iw7uiKcnq0fzWrvlZ7gT:sichjZ6UYVHRN+fwhqpptfsvv7i
Threatray 391 similar samples on MalwareBazaar
TLSH 03F4AE22F3B14EBBD12B073DDE1FD5E8AC28BF102D5858467AE85D0C4E3A7867825167
Reporter abuse_ch
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
aebeb7b1a23449b44195814dda4fb002.exe
Verdict:
Suspicious activity
Analysis date:
2020-12-09 11:03:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/746e7172-4bad-4df5-b0fc-5ea93d77f638

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/107431/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Variant.Jacard.206074.21298.9473.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/558873
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 328534 Sample: Bys0IOPHaw.exe Startdate: 09/12/2020 Architecture: WINDOWS Score: 100 15 g.msn.com 2->15 27 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->27 29 Multi AV Scanner detection for submitted file 2->29 31 Yara detected AgentTesla 2->31 33 May check the online IP address of the machine 2->33 7 Bys0IOPHaw.exe 14 2->7         started        signatures3 process4 dnsIp5 17 discord.com 162.159.128.233, 443, 49717 CLOUDFLARENETUS United States 7->17 19 cdn.discordapp.com 162.159.129.233, 443, 49718 CLOUDFLARENETUS United States 7->19 35 Detected unpacking (changes PE section rights) 7->35 37 Detected unpacking (overwrites its own PE header) 7->37 39 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->39 41 2 other signatures 7->41 11 Bys0IOPHaw.exe 15 6 7->11         started        signatures6 process7 dnsIp8 21 ftp.kunwersachdev.com 216.10.249.157, 21, 49746, 49747 PUBLIC-DOMAIN-REGISTRYUS India 11->21 23 elb097307-934924932.us-east-1.elb.amazonaws.com 50.19.252.36, 443, 49745 AMAZON-AESUS United States 11->23 25 3 other IPs or domains 11->25 43 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->43 45 Tries to steal Mail credentials (via file access) 11->45 47 Tries to harvest and steal ftp login credentials 11->47 49 Tries to harvest and steal browser information (history, passwords, etc) 11->49 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e1cc00d3cbcab395fd825729c328898cd832ebde183c616c1bece606f07e80d7/
Threat name:
Win32.Trojan.ModiLoader
Create hunting rule
Status:
Malicious
First seen:
2020-12-08 23:38:33 UTC
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4hgabu6lzkzzl7mck4u4gkejrtmdf266da6gc3a35ttan4d6qdlq._file
Verdict:
malicious
Similar samples:
1b13660c52adcccc1cef45f137a3373f5615500a609c61a9872e5ed4336e629a
ModiLoader
1e2773c36054c3392f3e220d4c22cce63f31750c2ee6707198e4d15648f11897
ModiLoader
3a5943219f8400531a411b909b666337ba4f232d19e003a0128e0d699106f04f
ModiLoader
4ca2c3d8f5fabdbda0cc20c90af7f04b2a09f921e7e81a922ccefa6a3600cea6
ModiLoader
6b821b358a92094bf1218d5a455e7205efeda83a4b4247d010a86b77e284ee75
ModiLoader
95aee7e64808e12f340834e6b49c3541c1e5e0b3a1ff1fcd7eb2591a83b619fb
ModiLoader
a8f02b8afe1ae18247c52d2e7272de680c81e7f215c5302d9c0961ff3ad52cb9
ModiLoader
b44ef524ef77ea1ee0bcb7096b328f6f94a4621df0d15114e8ff43e83483bbc6
ModiLoader
bea787acfc0effd615ab72ab1be2d18bb7b1eb07bed15b013bdbbf3c61b5fd86
ModiLoader
e14db11b2e852dcb17a2a9315aad77e48ef906ae85042a3edf667611898dc77c
ModiLoader
+ 381 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201209-nmjedrwbg2/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
e1cc00d3cbcab395fd825729c328898cd832ebde183c616c1bece606f07e80d7
MD5 hash:
aebeb7b1a23449b44195814dda4fb002
SHA1 hash:
6a540e7acf25a5992961b6b8a831e085680c0bd7
Link:
https://www.unpac.me/results/6de6b6a7-3d5f-4a63-84a8-b16b753cb870/
SH256 hash:
118e4551ac31bdc92e5a34c3069d5b2d8efe60ac58adc83bf2e5ee8a50b5a738
MD5 hash:
fea7f670d5ae5104140e571e68ce91c5
SHA1 hash:
e53bf1b051f2bd122b0781ef818447bcb2c09207
Link:
https://www.unpac.me/results/6de6b6a7-3d5f-4a63-84a8-b16b753cb870/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/e1cc00d3cbcab395fd825729c328898cd832ebde183c616c1bece606f07e80d7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ModiLoader

Executable exe e1cc00d3cbcab395fd825729c328898cd832ebde183c616c1bece606f07e80d7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/900704/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/107431/

Comments