MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec10b9e4b89941d8803e3082f6d0180f08a94f7a935fb1efffdb1b9eefd76965. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ec10b9e4b89941d8803e3082f6d0180f08a94f7a935fb1efffdb1b9eefd76965
SHA3-384 hash: f50f27ccda5fe6bfa7ca3c5191666fa7ec5f8fcfc5f470ff950ad0f73b6334a3bfa7ea8d5ddf4075e2071bb58f7b22ae
SHA1 hash: 83a895fb74929ed820a39d0d4752e0c3dcb3a913
MD5 hash: c136e024602cd79f3496d006d77c8759
humanhash: bluebird-eleven-apart-muppet
File name:c136e024602cd79f3496d006d77c8759.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:76'288 bytes
First seen:2021-11-21 16:01:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 384:BQuSLLc6bzSroRVCa0QCrRa81MfD4aM+mg49o:B0E6btVB0Qwa81gD4Wmg49
Threatray 24 similar samples on MalwareBazaar
TLSH T19B73E8D526593849CC97857DEC0373C1392E3F6F9888E7A464857E0B6EBF02ADB06E05
File icon (PE):PE icon
dhash icon 00ccdcd8d8fcf000 (1 x ModiLoader)
Reporter abuse_ch
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
132
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c136e024602cd79f3496d006d77c8759.exe
Verdict:
Malicious activity
Analysis date:
2021-11-21 16:35:23 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/bbc23735-c5b9-4fb1-885f-cac8b570555f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/619a6d82dd04e7d00e010079/reports/776dd149-90c3-40a0-b8cb-13e7015df6d2/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
FormGrabber
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1dd4b597-ab69-4242-a6c8-a1e58106caae
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/893348
Signature
Contains functionality to infect the boot sector
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses ping.exe to check the status of other devices and networks
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 525821 Sample: ZHB8dDP6YW.exe Startdate: 21/11/2021 Architecture: WINDOWS Score: 68 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 Machine Learning detection for sample 2->40 7 ZHB8dDP6YW.exe 15 5 2->7         started        process3 dnsIp4 32 kmsauto.us 104.21.36.90, 443, 49769 CLOUDFLARENETUS United States 7->32 26 C:\Users\user\AppData\...\aspnet_compiler.exe, PE32 7->26 dropped 28 C:\Users\user\AppData\...\ZHB8dDP6YW.exe.log, ASCII 7->28 dropped 11 aspnet_compiler.exe 7->11         started        15 cmd.exe 1 7->15         started        17 cmd.exe 1 7->17         started        file5 process6 dnsIp7 34 3.17.60.122, 49770, 49771, 49772 AMAZON-02US United States 11->34 42 Contains functionality to infect the boot sector 11->42 44 Uses ping.exe to check the status of other devices and networks 15->44 19 PING.EXE 1 15->19         started        22 conhost.exe 15->22         started        24 conhost.exe 17->24         started        signatures8 process9 dnsIp10 30 youtube.com 172.217.168.46 GOOGLEUS United States 19->30
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ec10b9e4b89941d8803e3082f6d0180f08a94f7a935fb1efffdb1b9eefd76965/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-11-21 16:02:08 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  3/5
Verdict:
malicious
Similar samples:
189dfc7eca70dc08e242e9079d35198826b189f27e919aaf13c4482a763ae1a3
ModiLoader
2caacde56329c3cb26c041d2535a5121d02fc195193f4046aabec42d61655d68
ModiLoader
3b1dc7e0c9154fe384c695f8eec5622ab2ba88bf59d990def6b2c11d8519cecf
ModiLoader
3b7b846373c9e626c33e2561a6ff5515a67f25dc089f6e62711e792572105a17
ModiLoader
5d0b09993c8b1d6de2ab162c32f2c36fb250b5a8051fbde5d5bcf9e8142ef75d
ModiLoader
620afc2abbee35a3927169681326c1f1800030fd02c77eef6a49550978a41257
ModiLoader
73b2da5f6faf24a5ab452699c277de166e2daf0a6b1b54c24f826004d9d09cc7
ModiLoader
a1b2f18b48cbae1df244f074c9a7f1ccfd369aeb981c6a4964b36d5d9e0c487c
ModiLoader
b2f7094f521419809d946a68870b02bdd3a928c5a4d57ccdaea3b8f49bb96151
ModiLoader
e37fafdd25f747743179e4b4a444b6c30767c727f343a20b7b3f2d09eaf3d485
ModiLoader
+ 14 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader bootkit persistence suricata trojan
Link:
https://tria.ge/reports/211121-tgsjzsebar/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Writes to the Master Boot Record (MBR)
Loads dropped DLL
Executes dropped EXE
ModiLoader First Stage
ModiLoader, DBatLoader
suricata: ET MALWARE Win32/Delf.BLL Variant CnC Activity (Inbound)
suricata: ET MALWARE Win32/Delf.BLL Variant CnC Activity (Outbound)
Unpacked files
SH256 hash:
ec10b9e4b89941d8803e3082f6d0180f08a94f7a935fb1efffdb1b9eefd76965
MD5 hash:
c136e024602cd79f3496d006d77c8759
SHA1 hash:
83a895fb74929ed820a39d0d4752e0c3dcb3a913
Link:
https://www.unpac.me/results/217c55d4-4950-469e-bc4e-2817c689da29/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/ec10b9e4b89941d8803e3082f6d0180f08a94f7a935fb1efffdb1b9eefd76965

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ModiLoader

Executable exe ec10b9e4b89941d8803e3082f6d0180f08a94f7a935fb1efffdb1b9eefd76965

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1786549/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1786472/
Cape
Cape
https://www.capesandbox.com/analysis/207926/

Comments