MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fdec7bb225d252d1a257304a2e8dd58aa5ef1828f9ac653924c4e54bf71725a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ModiLoader
Vendor detections: 8


SHA256 hash: fdec7bb225d252d1a257304a2e8dd58aa5ef1828f9ac653924c4e54bf71725a6
SHA3-384 hash: 6cfcf9889aa40872749f221847d7cf50bed32f8dadcfffcc5c892a5c699cbe4dc47aa9faf81797eaf4f71066cf7d9ef7
SHA1 hash: 33f678a5a83d4b3a22fb86a7cb81ae1dfdc8c8d5
MD5 hash: c60aa6ca33dc49630ed8139d80d94d9d
humanhash: paris-kitten-kitten-crazy
File name: fdec7bb225d252d1a257304a2e8dd58aa5ef1828f9ac653924c4e54bf71725a6
Signature: ModiLoader
File size: 1'257'200 bytes
First seen: 2020-10-19 09:52:33 UTC
Last seen: 2020-10-19 10:04:37 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: a011f8d93026fd9f5e9442faeeff606d (8 x RedLineStealer, 2 x ModiLoader, 1 x ServHelper)
ssdeep: 24576:Kjyfe1E26yJ2NubMl9qedsRRhTTOz3BgP3BFa+wIw1+SsUgdhd:nfM6yJ6qPRhezM32+wIWAHd
Threatray: 43 similar samples on MalwareBazaar
TLSH: 32452303F3C984FAE0B2197184A93FD687B1EE29875055C7B78CB6095B39BD2953C70A
Reporter: JAMESWT_WT
Tags: Incar LLC ModiLoader

Code Signing Certificate

Organisation: AAA Certificate Services
Issuer: AAA Certificate Services
Algorithm: sha1WithRSAEncryption
Valid from: Jan 1 00:00:00 2004 GMT
Valid to: Dec 31 23:59:59 2028 GMT
Serial number: 01
Intelligence: 370 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist: This certificate is on the Cert Central blocklist
Thumbprint Algorithm: SHA256
Thumbprint: D7A7A0FB5D7E2731D771E9484EBCDEF71D5F0C3E0A2948782BC83EE0EA699EF4
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads: 2
# of downloads: 86
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Sending a UDP request
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
DNS request
Delayed writing of the file
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Enabling the 'hidden' option for recently created files
Enabling autorun by creating a file
Result
Threat name: Unknown
Detection: malicious
Classification: troj.spyw.evad
Score: 60 / 100
Signature
Contains functionality to register a low level keyboard hook
Creates processes via WMI
Drops PE files with a suspicious file extension
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Suspicious Certutil Command
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph (ID: 300032; sample: UeC811yBoS; start date: 19/10/2020; architecture: WINDOWS; score: 60)

Signatures attached to the root node: Multi AV Scanner detection for submitted file; Sigma detected: Drops script at startup location; Uses ping.exe to sleep; 2 other signatures

Process tree, with each process's triggered signatures in brackets and its dropped files, DNS lookups and contacted IPs listed beneath it:
- UeC811yBoS.exe [Contains functionality to register a low level keyboard hook]
  - cmd.exe
    - cmd.exe [Uses ping.exe to sleep]
      - dropped: C:\Users\user\AppData\Local\...\services.com (PE32)
      - services.com [Drops PE files with a suspicious file extension]
        - services.com
          - DNS: XCXhXCFYaDLHq.XCXhXCFYaDLHq
          - dropped: C:\Users\user\AppData\...\frokslam.com (PE32)
          - dropped: C:\Users\user\AppData\...\frokslam.url (MS)
      - PING.EXE
        - IP: 127.0.0.1 (unknown)
        - IP: 192.168.2.1 (unknown)
      - PING.EXE
        - DNS: fEK.MYs
      - certutil.exe
    - conhost.exe
  - cmd.exe [Drops PE files with a suspicious file extension]
    - conhost.exe
- wscript.exe [Creates processes via WMI]
- frokslam.com
  - frokslam.com
    - DNS: XCXhXCFYaDLHq.XCXhXCFYaDLHq
Threat name: Win32.Trojan.7Zip
Status: Malicious
First seen: 2020-10-19 00:56:21 UTC
File Type: PE (Exe)
Extracted files: 8
AV detection: 19 of 29 (65.52%)
Threat level: 5/5

Result
Malware family: modiloader
Score: 10/10
Tags: bootkit persistence spyware trojan family:modiloader
Behaviour
Gathers network information
Runs ping.exe
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Writes to the Master Boot Record (MBR)
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
ModiLoader First Stage
ModiLoader, DBatLoader
Unpacked files
SHA256 hash: fdec7bb225d252d1a257304a2e8dd58aa5ef1828f9ac653924c4e54bf71725a6
MD5 hash: c60aa6ca33dc49630ed8139d80d94d9d
SHA1 hash: 33f678a5a83d4b3a22fb86a7cb81ae1dfdc8c8d5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
