MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 365e3684a18839132240dd98e0310b0e7c5e6ba4287efa34f67bf0ab52a33938. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 365e3684a18839132240dd98e0310b0e7c5e6ba4287efa34f67bf0ab52a33938
SHA3-384 hash: 461ee0ac8382492057c823ddb64eb89a65ee336ef93296a421c30ae43fb7310a5e16a4f4ea784507adbd5c0e57b68903
SHA1 hash: 7b5b251c3a104ba3d4cac9b2190b58a028044cc9
MD5 hash: 637da94e92fd4f4d7605e5412a509a23
humanhash: tango-whiskey-lake-chicken
File name:0001.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'528'432 bytes
First seen:2020-07-24 22:37:17 UTC
Last seen:2020-07-24 23:50:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash baad98e25f12abfd0fa3c4986e6b561a (1 x ModiLoader)
ssdeep 24576:x8vLkEboj6gNbF26jZgMlXIqOUArsqmyiSCyiSVUJEq7zvVJf9w9:x8VMDZVhlZfyiSCyiSV/CznFw9
Threatray 5'322 similar samples on MalwareBazaar
TLSH FA65C036F2D1F13EC3EA9AF49CB9BB041518FE5126105C8E61F83C6AC636A31A4D3759
Reporter Racco42
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/32302/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader34.3525.22647.3871.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a file
Launching a process
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Launching cmd.exe command interpreter
Creating a file in the %temp% directory
Possible injection to a system process
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/397777
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 251069 Sample: 0001.exe Startdate: 25/07/2020 Architecture: WINDOWS Score: 100 49 Malicious sample detected (through community Yara rule) 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 Sigma detected: Steal Google chrome login data 2->53 55 3 other signatures 2->55 10 0001.exe 13 2->10         started        process3 dnsIp4 47 cdn.discordapp.com 162.159.129.233, 443, 49719 CLOUDFLARENETUS United States 10->47 69 Writes to foreign memory regions 10->69 71 Creates a thread in another existing process (thread injection) 10->71 73 Injects a PE file into a foreign processes 10->73 14 wabmig.exe 10->14         started        signatures5 process6 signatures7 75 Modifies the context of a thread in another process (thread injection) 14->75 77 Maps a DLL or memory area into another process 14->77 79 Sample uses process hollowing technique 14->79 81 Queues an APC in another process (thread injection) 14->81 17 explorer.exe 3 14->17 injected process8 dnsIp9 43 www.shenglisuoye.com 45.115.125.213, 80 POWERLINE-AS-APPOWERLINEDATACENTERHK Hong Kong 17->43 45 www.pmbnc.info 17->45 57 System process connects to network (likely due to code injection or exploit) 17->57 59 Searches for Windows Mail specific files 17->59 21 cscript.exe 1 19 17->21         started        25 wabmig.exe 4 17->25         started        27 autochk.exe 17->27         started        signatures10 process11 file12 35 C:\Users\user\AppData\...\10Ologrv.ini, data 21->35 dropped 37 C:\Users\user\AppData\...\10Ologri.ini, data 21->37 dropped 39 C:\Users\user\AppData\...\10Ologrf.ini, data 21->39 dropped 61 Detected FormBook malware 21->61 63 Tries to steal Mail credentials (via file access) 21->63 65 Tries to harvest and steal browser information (history, passwords, etc) 21->65 67 3 other signatures 21->67 29 cmd.exe 2 21->29         started        signatures13 process14 file15 41 C:\Users\user\AppData\Local\Temp\DB1, SQLite 29->41 dropped 83 Tries to harvest and steal browser information (history, passwords, etc) 29->83 33 conhost.exe 29->33         started        signatures16 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/365e3684a18839132240dd98e0310b0e7c5e6ba4287efa34f67bf0ab52a33938/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-07-23 11:04:28 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gzpdnbfbra4rgisa3wmoamilbz6f425efb7punhwppykwuvdhe4a._file
Verdict:
malicious
Similar samples:
017f433a49afcc765c5a5e7f39de6251fbe37d9c98f7d86f1abcefb1a9f559bc
ModiLoader
058291c0a07ecfbc5e8c481d1b602f591282a80fd91a7713219f686c02106c60
ModiLoader
2ee68069c79304ab2bc383e02c7d9f07ecdc9f91e9680afe381c72715225a89e
ModiLoader
3c758c3133fb2a7c7c51b2ec84028759bc99e1f3ca3bc22c1046d90f79801f76
ModiLoader
41519f4cbc28650e8151b62f9a6b9503274a80d6dc51bade4a118812742e63ab
ModiLoader
61ce52bb7cf517275e2bea379104a392630ec8dc216790a910f4586efbdca4fb
ModiLoader
8afd54f2ed0af6d9593b0985cec1604748ca753900859fe4ee225d21b574e55e
ModiLoader
a6534d12c87d0d8093cad2787b01a05c6caa0771f1b1cb51b809ee1ae9f48044
ModiLoader
be29f9be4b998a7893c2c182c972406067eaf913364484a1fa824133d71ef54f
ModiLoader
e95f01bbde0fbd70670b820b972768e7fc5f23509495c805ddbc3271030f443c
ModiLoader
+ 5'312 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware persistence
Link:
https://tria.ge/reports/200724-1mra3lddf6/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Adds Run key to start application
Reads user/profile data of web browsers
Reads user/profile data of web browsers
Adds policy Run key to start application
Adds policy Run key to start application
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/365e3684a18839132240dd98e0310b0e7c5e6ba4287efa34f67bf0ab52a33938

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_dbatloader_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

Executable exe 365e3684a18839132240dd98e0310b0e7c5e6ba4287efa34f67bf0ab52a33938

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/32302/

Comments