MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa43d99f5f15a0f76079e1d2c35d5556fd8ff52718247829644c34112220d0f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fa43d99f5f15a0f76079e1d2c35d5556fd8ff52718247829644c34112220d0f5
SHA3-384 hash: 35d5a8359468b5b885a9af1d7412040e31f65aeaf3b78d0a9376b3f6df4789ec05dd9c205c48fe97a9b103f6a8bcd8f5
SHA1 hash: d11b52a377728a43b499cdef097ab346f16dcc6c
MD5 hash: 6d9494036a51433ee4b3253560e1f816
humanhash: twelve-quiet-sodium-colorado
File name:Bejhqfe_Signed_.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'050'776 bytes
First seen:2020-10-15 12:51:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a31ea16644ced8e431e2fe203a7b0361 (15 x ModiLoader, 4 x Loki, 1 x RemcosRAT)
ssdeep 24576:9FT7lBs40jT0sUbtpW/nAOPq3Sp58nn7nLT6USE/7LYUx5t8SH1V:9vBsxTEi5K7nLT6USE/7kUPtF
Threatray 382 similar samples on MalwareBazaar
TLSH A525CF31F3E2CA36F25315318C2B57B9A532BE002924945A76E63C4DAE367F079792D3
Reporter abuse_ch
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/71386/
Detection(s):
SecuriteInfo.com.Artemis5F81083596A0.8651.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Unauthorized injection to a recently created process
Running batch commands
Creating a process with a hidden window
Creating a file in the %temp% subdirectories
Deleting a recently created file
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Result
Threat name:
Azorult
Create hunting rule
Detection:
malicious
Classification:
phis.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/492435
Signature
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Fodhelper UAC Bypass
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Azorult
Yara detected Azorult Info Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 298710 Sample: Bejhqfe_Signed_.exe Startdate: 15/10/2020 Architecture: WINDOWS Score: 100 62 Malicious sample detected (through community Yara rule) 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 Yara detected Azorult 2->66 68 4 other signatures 2->68 8 Bejhqfe_Signed_.exe 1 15 2->8         started        13 Bejhdrv.exe 13 2->13         started        15 Bejhdrv.exe 13 2->15         started        process3 dnsIp4 54 cdn.discordapp.com 162.159.130.233, 443, 49743, 49761 CLOUDFLARENETUS United States 8->54 56 discord.com 162.159.135.232, 443, 49740, 49741 CLOUDFLARENETUS United States 8->56 48 C:\Users\user\AppData\Local\...\Bejhdrv.exe, PE32 8->48 dropped 78 Detected unpacking (changes PE section rights) 8->78 80 Writes to foreign memory regions 8->80 82 Allocates memory in foreign processes 8->82 84 Creates a thread in another existing process (thread injection) 8->84 17 Bejhqfe_Signed_.exe 66 8->17         started        22 notepad.exe 4 8->22         started        86 Multi AV Scanner detection for dropped file 13->86 88 Injects a PE file into a foreign processes 13->88 24 Bejhdrv.exe 12 13->24         started        58 162.159.133.233, 443, 49765 CLOUDFLARENETUS United States 15->58 60 162.159.136.232, 443, 49763, 49764 CLOUDFLARENETUS United States 15->60 26 Bejhdrv.exe 15->26         started        file5 signatures6 process7 dnsIp8 50 itrad3r.com 194.180.224.87, 443, 49757, 49762 REBECCAHOSTUS unknown 17->50 52 192.168.2.1 unknown unknown 17->52 38 C:\Users\user\AppData\...\vcruntime140.dll, PE32 17->38 dropped 40 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32 17->40 dropped 42 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 17->42 dropped 46 45 other files (none is malicious) 17->46 dropped 70 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->70 72 Tries to steal Instant Messenger accounts or passwords 17->72 74 Tries to steal Mail credentials (via file access) 17->74 76 4 other signatures 17->76 44 C:\Users\Public44atso.bat, ASCII 22->44 dropped 28 cmd.exe 1 22->28         started        30 cmd.exe 1 22->30         started        file9 signatures10 process11 process12 32 conhost.exe 28->32         started        34 reg.exe 1 1 28->34         started        36 conhost.exe 30->36         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fa43d99f5f15a0f76079e1d2c35d5556fd8ff52718247829644c34112220d0f5/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-10-15 11:00:51 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7jb5th27cwqpoydz4hjmgxkvk36y75jhdashqklejq2bcira2d2q._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
06b81a3d40c9f00bbe9f0f64a962bea487772d6275f66162375c0b53b71b8d44
ModiLoader
1224ec1bfaa54c419bc8d701cd22c6d43f5c204a2d287a16e4eaebcc863c7572
ModiLoader
69fe5bb4b975f9437b6c3bcf3f07dc807a8f2e848f1e0c5802012295b06a742c
ModiLoader
6e3d344af8c112b08250ac66287871145be753315dae86e7b879747aa3e91fe9
ModiLoader
8134e9aaeee2160899ff6995b0d97a1742eda48124ff8cebaa4b2f65b2e8b153
ModiLoader
8333ba5146dd7f8dde824afe13e0bf988566027dbfcf239f06fd709115db68d7
ModiLoader
a0ac0b34898186c8e9400fe4e2fa71a228b455a9fce6d9261fe3c9d062d028f5
ModiLoader
b7adfa62dab78ee0a3b1f52cee4f2edaf8f4b5f2ed866153884d4dc8519a8485
ModiLoader
c8dda41b34e9b16da333bfa30653a6f46be67c657158ecfd2c0463903b01e54d
ModiLoader
f6b7e42150aea95c6af1e8c570ca45fac6e7e7dc2b27a88cae25fbc92faa07ff
ModiLoader
+ 372 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
persistence spyware trojan family:modiloader infostealer family:azorult discovery
Link:
https://tria.ge/reports/201015-qrml3nxdpe/
Behaviour
Checks processor information in registry
Modifies registry key
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
JavaScript code in executable
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
ModiLoader Second Stage
Azorult
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
fa43d99f5f15a0f76079e1d2c35d5556fd8ff52718247829644c34112220d0f5
MD5 hash:
6d9494036a51433ee4b3253560e1f816
SHA1 hash:
d11b52a377728a43b499cdef097ab346f16dcc6c
Link:
https://www.unpac.me/results/9a638d1d-6e92-4959-bec8-a34ecdf184c3/
SH256 hash:
c1ddc6a897016b643c784da36d0c83c3de1a06012c06f1834095ddd802f50cf0
MD5 hash:
f7cfb109e6955b5d726f91cb9fb80a27
SHA1 hash:
bcf33b5d1cc6005de8189bd1a89a7dac9a214831
Link:
https://www.unpac.me/results/9a638d1d-6e92-4959-bec8-a34ecdf184c3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fa43d99f5f15a0f76079e1d2c35d5556fd8ff52718247829644c34112220d0f5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

Executable exe fa43d99f5f15a0f76079e1d2c35d5556fd8ff52718247829644c34112220d0f5

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/71386/

Comments