MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa6c28a5a196dff6d67240342b726d3b8f733ee9b1a7ba04a559251f6c8c4850. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fa6c28a5a196dff6d67240342b726d3b8f733ee9b1a7ba04a559251f6c8c4850
SHA3-384 hash: eca289c5abc13ef9b3eb9c436054dce151b370f92d905cb91ce0843e45883ed47b2ec3f9103866dd66f6bd3698964177
SHA1 hash: eaa29599c43d4a14f7c7105ddb920b3525f5c002
MD5 hash: bb012d0bd5fc7d359e5a14f78abe40d2
humanhash: angel-three-march-emma
File name:Szrgpwd_Signed_.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'050'776 bytes
First seen:2020-10-15 17:21:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a31ea16644ced8e431e2fe203a7b0361 (15 x ModiLoader, 4 x Loki, 1 x RemcosRAT)
ssdeep 24576:9FT7lBs40jT0sUbtpW/nAOPq3Sp58Sn7nLT6USE/7LYUx5t8SH1V:9vBsxTEi5r7nLT6USE/7kUPtF
Threatray 348 similar samples on MalwareBazaar
TLSH 1225CF31F3E2CA36E2521531CC2B5BB9A532BE001924945A76E63C4DAF367F079792D3
Reporter abuse_ch
Tags:DHL exe ModiLoader


Avatar
abuse_ch
Malspam distributing ModiLoader:

HELO: localhost
Sending IP: 89.248.168.148
From: DHL Express Service<deliveries@dhl.com>
Subject: Dhl Packages
Attachment: DHL Shipment_15.10.20_pdf.gz (contains "Szrgpwd_Signed_.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/71551/
Detection(s):
SecuriteInfo.com.Artemis5F81083596A0.8651.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Unauthorized injection to a recently created process
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/492877
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 298894 Sample: Szrgpwd_Signed_.exe Startdate: 15/10/2020 Architecture: WINDOWS Score: 100 47 Multi AV Scanner detection for submitted file 2->47 49 Yara detected AgentTesla 2->49 8 Szrgpwd_Signed_.exe 1 15 2->8         started        13 Szrgdrv.exe 13 2->13         started        15 Szrgdrv.exe 14 2->15         started        process3 dnsIp4 37 cdn.discordapp.com 162.159.129.233, 443, 49731 CLOUDFLARENETUS United States 8->37 39 discord.com 162.159.136.232, 443, 49728, 49729 CLOUDFLARENETUS United States 8->39 35 C:\Users\user\AppData\Local\...\Szrgdrv.exe, PE32 8->35 dropped 51 Detected unpacking (changes PE section rights) 8->51 53 Detected unpacking (overwrites its own PE header) 8->53 55 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->55 63 3 other signatures 8->63 17 Szrgpwd_Signed_.exe 2 8->17         started        20 notepad.exe 4 8->20         started        41 162.159.133.233, 443, 49751, 49754 CLOUDFLARENETUS United States 13->41 57 Multi AV Scanner detection for dropped file 13->57 59 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 13->59 61 Injects a PE file into a foreign processes 13->61 22 Szrgdrv.exe 2 13->22         started        43 162.159.138.232, 443, 49752, 49753 CLOUDFLARENETUS United States 15->43 file5 signatures6 process7 file8 45 Modifies the hosts file 17->45 25 cmd.exe 1 20->25         started        27 cmd.exe 1 20->27         started        33 C:\Windows\System32\drivers\etc\hosts, ASCII 22->33 dropped signatures9 process10 process11 29 conhost.exe 25->29         started        31 conhost.exe 27->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fa6c28a5a196dff6d67240342b726d3b8f733ee9b1a7ba04a559251f6c8c4850/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-10-15 15:05:02 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7jwcrjnbs3p7nvtsia2cw4tnhohxgpxjwgt3ubfflesr63emjbia._file
Verdict:
malicious
Similar samples:
44959082a4d86b4b782a2d860658e304025d34863398da161e39ba57a7e2c4fd
ModiLoader
47d694226b7f034e868ded9f3ebc12b1afbf9bbccb791f4a98c61955f10efa19
ModiLoader
72427a1ab5dbf3e5c6d4f297ec33becb68bc39d1c8446f98c47d1560f6371a3a
ModiLoader
855eaf42f771f65f72f7457ba7eb8e4f5ab99b7bc43fbb2fa1528820c2e01200
ModiLoader
b44ef524ef77ea1ee0bcb7096b328f6f94a4621df0d15114e8ff43e83483bbc6
ModiLoader
bbadca576aa54abfd18784a5cdb2e100530ae50092d5c240e08b5c0afa5c66b4
ModiLoader
bd86ba6f082dfd404bc2f3544f5b39ce04084742b334ab00a80f0c12c94daa46
ModiLoader
ce30dea0b1d4fa181753600eb63c1d2f1a7de1bd848dcdbe196f6a35afef0ea9
ModiLoader
e14db11b2e852dcb17a2a9315aad77e48ef906ae85042a3edf667611898dc77c
ModiLoader
e8094459a8fbcf684a411188c294898454be6db6b3cf31185e346e8cd705744e
ModiLoader
+ 338 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
persistence trojan family:modiloader
Link:
https://tria.ge/reports/201015-7yhpfcs7ax/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
ModiLoader Second Stage
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
fa6c28a5a196dff6d67240342b726d3b8f733ee9b1a7ba04a559251f6c8c4850
MD5 hash:
bb012d0bd5fc7d359e5a14f78abe40d2
SHA1 hash:
eaa29599c43d4a14f7c7105ddb920b3525f5c002
Link:
https://www.unpac.me/results/27675d59-fc42-4e6c-b232-12b23a255f93/
SH256 hash:
192b5b5259b3c2d3db77a6620acc376f3ca462dee223ef02a494e0cf9a6d8ffa
MD5 hash:
cf3aefc5b06a1cc489290ad66702cf39
SHA1 hash:
b3dfa447c9d84c9e0625e4856c476d45a7a53cfc
Link:
https://www.unpac.me/results/27675d59-fc42-4e6c-b232-12b23a255f93/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fa6c28a5a196dff6d67240342b726d3b8f733ee9b1a7ba04a559251f6c8c4850

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

gz d496b4447d60dbc90a2db6962afc3b1a0a385e1333a0c2e0fa0aff3f5f695a18

ModiLoader

Executable exe fa6c28a5a196dff6d67240342b726d3b8f733ee9b1a7ba04a559251f6c8c4850

(this sample)

  
Dropped by
MD5 2219142ea1bf2aaaa8142a1a6d567a79
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/71551/
  
Dropped by
SHA256 d496b4447d60dbc90a2db6962afc3b1a0a385e1333a0c2e0fa0aff3f5f695a18

Comments