MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f908e0abb7cf81d0e8f6604cf08bf71a431a409a44073a1a5c542b1987f9cadc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f908e0abb7cf81d0e8f6604cf08bf71a431a409a44073a1a5c542b1987f9cadc
SHA3-384 hash: 230d1533766c31b00832315334d6bd71079e908ffdc428440cb63c08395085e9fcf972b728b863bc70d5c1c46044a8b3
SHA1 hash: 04462a7145e71921fa5814213de5ac39cb79f04e
MD5 hash: 1ef671ebe0e5efd44cf05c630fbe9cb5
humanhash: moon-one-timing-gee
File name:zaproszenie policji.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:965'120 bytes
First seen:2020-10-19 13:23:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 319a8e5d178320ae582e370f06f62e46 (7 x ModiLoader, 4 x RemcosRAT)
ssdeep 12288:lY2jsH0s30vuwlPMSGUzoPLLJ3SSsD8O1suNn5IswLOQ:lzjm02wKazmLF6sO1A
Threatray 668 similar samples on MalwareBazaar
TLSH 66257E33B2925873D47329789D1B67A8BD3ABE002928B5463BF91C4C5F396413C7E297
Reporter abuse_ch
Tags:exe geo ModiLoader POL


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mx1.e-tiger.net
Sending IP: 193.23.139.20
From: Policja <invitations@policja.pl>
Subject: Ostatnie zaproszenie od policji
Attachment: zaproszenie policji.iso (contains "zaproszenie policji.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/72973/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Fareit-FZO47BEC7E4E109.19705.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Sending a TCP request to an infection source
Unauthorized injection to a system process
Result
Threat name:
AveMaria
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/495510
Signature
Allocates memory in foreign processes
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AveMaria stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 300226 Sample: zaproszenie policji.exe Startdate: 19/10/2020 Architecture: WINDOWS Score: 100 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 Yara detected AveMaria stealer 2->45 47 5 other signatures 2->47 8 Mymtdrv.exe 13 2->8         started        12 zaproszenie policji.exe 1 15 2->12         started        15 Mymtdrv.exe 13 2->15         started        process3 dnsIp4 55 Multi AV Scanner detection for dropped file 8->55 57 Writes to foreign memory regions 8->57 59 Allocates memory in foreign processes 8->59 17 ieinstal.exe 3 4 8->17         started        39 cdn.discordapp.com 162.159.135.233, 443, 49712, 49747 CLOUDFLARENETUS United States 12->39 35 C:\Users\user\AppData\Local\...\Mymtdrv.exe, PE32 12->35 dropped 61 Creates a thread in another existing process (thread injection) 12->61 63 Injects a PE file into a foreign processes 12->63 21 notepad.exe 4 12->21         started        23 ieinstal.exe 12->23         started        25 ieinstal.exe 1 15->25         started        file5 signatures6 process7 dnsIp8 37 efiigbo9.duckdns.org 91.193.75.34, 49751, 8833 DAVID_CRAIGGG Serbia 17->37 49 Increases the number of concurrent connection per server for Internet Explorer 17->49 51 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->51 53 Installs a global keyboard hook 17->53 27 cmd.exe 1 21->27         started        29 cmd.exe 1 21->29         started        signatures9 process10 process11 31 conhost.exe 27->31         started        33 conhost.exe 29->33         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f908e0abb7cf81d0e8f6604cf08bf71a431a409a44073a1a5c542b1987f9cadc/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-10-19 10:30:22 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7eeobk5xz6a5b2hwmbgpbc7xdjbruqe2iqdtugs4kqvrtb7zzloa._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
411a64366a6b5b9e57bd06dcdccd377ea02d9ed7e8be0f290f0674e3d7ff3215
ModiLoader
4e420c5efeb26330ec4eb618426d859222b791798df3ae65c59fc20ef2f2889a
ModiLoader
52e8ebb47ae631081c6ac0ab78219951e8c7ac540e11b420e92d5df89ea719d7
ModiLoader
91292df65ea051a8cd7009382fb66c6b3fed39e8ddc3a27e38c990e2b69ea942
ModiLoader
a5e7f494eb61368332811160955db5ef4dc5f07e6e3fbc7d5c0776023d3714c0
ModiLoader
d30b949fc05b15b611b3fe420b6883062c5bb2b270c769540c48f703a46cbbf3
ModiLoader
df6b12e28602092e6841be50355a76684b5333b236cf9b8441dd73fc1abbf4ae
ModiLoader
e0e3ae47b7e48c3c81724d0a63f5f6f8033bb516d97c538ea52349a102a0e1b6
ModiLoader
fc4b29f54e0b3ed0493ba85310a2665ab47e5143f3cb3ce09686f0560dd1ed04
ModiLoader
ffa217c445af7f07f0c9fbdcc488db8e06ecfdb43906c6c5e7a11f7ac04b4bf4
ModiLoader
+ 658 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
rat infostealer family:warzonerat persistence trojan family:modiloader
Link:
https://tria.ge/reports/201019-vvp46gdy5a/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
ModiLoader First Stage
ModiLoader Second Stage
Warzone RAT Payload
ServiceHost packer
ModiLoader, DBatLoader
WarzoneRat, AveMaria
Unpacked files
SH256 hash:
f908e0abb7cf81d0e8f6604cf08bf71a431a409a44073a1a5c542b1987f9cadc
MD5 hash:
1ef671ebe0e5efd44cf05c630fbe9cb5
SHA1 hash:
04462a7145e71921fa5814213de5ac39cb79f04e
Link:
https://www.unpac.me/results/16bbf4f5-b8c7-487d-b264-66c56d72e444/
SH256 hash:
197c4fd2875357024805d13b06f68d0895c9ca76ad08dfea28419ed6a2e6b34a
MD5 hash:
7e0e380137cf15350a36bebe9a5c5daf
SHA1 hash:
fb8f7f834078e9b647beedd47199a96d1df147df
Link:
https://www.unpac.me/results/16bbf4f5-b8c7-487d-b264-66c56d72e444/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/f908e0abb7cf81d0e8f6604cf08bf71a431a409a44073a1a5c542b1987f9cadc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

iso 565880d9bdfd8b75c1712932687a7938cc93492de634b0c8ed11b6dbdc7b71f7

ModiLoader

Executable exe f908e0abb7cf81d0e8f6604cf08bf71a431a409a44073a1a5c542b1987f9cadc

(this sample)

  
Dropped by
MD5 bd65b94a1033e7c6d1994ab208c8a472
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/72973/
  
Dropped by
SHA256 565880d9bdfd8b75c1712932687a7938cc93492de634b0c8ed11b6dbdc7b71f7

Comments