MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e579f0cbcd8b01706f579a62590b56037c8a01492de2313fa007829730f73830. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e579f0cbcd8b01706f579a62590b56037c8a01492de2313fa007829730f73830
SHA3-384 hash: 08cf5cc35b9c4818fcbc9e1c8b1a5d11c6703628f4361d9f46230ba2a45b20add61329ecf78fe0c9b5a5e9a2c1232edc
SHA1 hash: 13cb7bfabfc25c8a998c4b7ff4588a5caf853be9
MD5 hash: d869bd31f4ab93412ff70f8348a97285
humanhash: mockingbird-sink-magazine-louisiana
File name:d869bd31f4ab93412ff70f8348a97285.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:741'632 bytes
First seen:2020-12-16 08:03:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0fe9a21f0eaacd42b3f42bdd72bc37cf (5 x ModiLoader)
ssdeep 12288:MsaXPocWk0vDvWHuHxJ+nEDZZE8NVbKCJU1sWaa0zZbzro161111UGRaaK:Mffo/vDvWHCxIEDsCdNJ6161111hMaK
Threatray 508 similar samples on MalwareBazaar
TLSH EBF49E22A3A14437C0771D789C1B92A4DC3BBE113D28A95AEBF51F8C5F346617A371A3
Reporter abuse_ch
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
152
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d869bd31f4ab93412ff70f8348a97285.exe
Verdict:
Malicious activity
Analysis date:
2020-12-16 08:06:03 UTC
Tags:
stealer trojan isrstealer
Link:
https://app.any.run/tasks/63c7e266-eee0-4365-a1c9-afc96d071e3e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/108263/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Connection attempt
Unauthorized injection to a recently created process
Reading critical registry keys
Creating a file in the %temp% directory
Deleting a recently created file
Searching for the window
Stealing user critical data
Sending an HTTP GET request to an infection source
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
ISRStealer MailPassView
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/564043
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Passes username and password via HTTP get
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected ISRStealer
Yara detected MailPassView
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e579f0cbcd8b01706f579a62590b56037c8a01492de2313fa007829730f73830/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-12-16 08:04:06 UTC
AV detection:
11 of 48 (22.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4v47bs6nrmaxa32xtjrfsc2wan6iuakjfxrdcp5aa6bjomhxhaya._file
Verdict:
malicious
Similar samples:
09abaa1b12ae6d7ed845027756e8852a39ac0a75fecf53f76c08ce48bdf58b91
ModiLoader
3d8446f1830a6a01787788c3e3348ad30d2f29eab13f9ec4f5974d947a3a0f76
ModiLoader
64b3a6adfac5ca856a15d9c0a22840056506562ae94233a30b2c8e32a7f61cda
ModiLoader
973c6ca52f1749604a7ba4aeeb65e2e3ea610707651dd637199249bf4ba0b6ea
ModiLoader
9fdaeab4153639b870fcb0522b1e0801aceb515e51b20603a1413086a82825bf
ModiLoader
d265fcb40a443162e0da3274ca4a0c81418c12756b929b29f34688abddae01b5
ModiLoader
deded63af4667df3096566d615f3bf6d7d908e189ae4689efdc777f441917974
ModiLoader
e2842ccca2aa0d0ad397af687936f09c819f4329c523af263ec058003bbc8497
ModiLoader
e81b7365448d43584265f438b0291abdc8985c12f8b27246e8424ef941995f10
ModiLoader
f0e180d5a00ca5ab5c375261bd3b986b3ef7b5474fb5935b64caa7f02fb02148
ModiLoader
+ 498 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware upx
Link:
https://tria.ge/reports/201216-a5w9gpms76/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
UPX packed file
Unpacked files
SH256 hash:
e579f0cbcd8b01706f579a62590b56037c8a01492de2313fa007829730f73830
MD5 hash:
d869bd31f4ab93412ff70f8348a97285
SHA1 hash:
13cb7bfabfc25c8a998c4b7ff4588a5caf853be9
Detections:
win_dbatloader_auto
Create hunting rule
Link:
https://www.unpac.me/results/72abff3e-5721-425b-9903-5bf2c4f00a16/
SH256 hash:
1b073e5a91920640621dfc236f7f234d404f5107c40ac8517d0beadc44e991c0
MD5 hash:
c3dc40d837f1ba49ad4598295f5297f2
SHA1 hash:
e0672bdec803e5f3545ffaf5c4496942eaf1abe8
Link:
https://www.unpac.me/results/72abff3e-5721-425b-9903-5bf2c4f00a16/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e579f0cbcd8b01706f579a62590b56037c8a01492de2313fa007829730f73830

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_dbatloader_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ModiLoader

Executable exe e579f0cbcd8b01706f579a62590b56037c8a01492de2313fa007829730f73830

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/918648/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/108263/

Comments