MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 58ced5958ea8fea452bbaa34bba957927c391a0d3699542fb3702cdab990c70a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
ModiLoader
Vendor detections: 6
| SHA256 hash: | 58ced5958ea8fea452bbaa34bba957927c391a0d3699542fb3702cdab990c70a |
|---|---|
| SHA3-384 hash: | 62ab7aa8fc83097d471e75b7a2ab00333ea31c83b23af7f45ef814336a868e2632223588e0275a2ba0403384e2c0ca43 |
| SHA1 hash: | c55b6c9585f9c54795fb90c4f0694c4ce00ff2ab |
| MD5 hash: | 96e8bee2b261a04112e86b8c7c2d4ae4 |
| humanhash: | oxygen-nuts-massachusetts-speaker |
| File name: | Jnobsbh_Signed_.exe |
| Download: | download sample |
| Signature | ModiLoader |
| File size: | 1'834'098 bytes |
| First seen: | 2020-08-18 07:38:16 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 925501b726051625fb692aeb5906e244 (7 x ModiLoader, 2 x RemcosRAT, 1 x NetWire) |
| ssdeep | 24576:VMCc4FpC8Fkjb0jstrXF0rExZgMlXIqOUArsqmyiSCyiSVUJEq7zvVJf9w9:V3i0rQZVhlZfyiSCyiSV/CznFw9 |
| Threatray | 2'278 similar samples on MalwareBazaar |
| TLSH | 7985C0E2F2D1F13EC3BA5AF7CC796F441514BE4126149C8A61F53C6D8A366C0B8E325A |
| Reporter |  abuse_ch |
| Tags: | exe geo GRC ModiLoader |
abuse_ch
Malspam distributing ModiLoader:HELO: server.dortgyazilim.com
Sending IP: 37.123.97.174
From: servisteel@metka.gr
Subject: Re: Re: Νέα παραγγελία
Attachment: Νέα παραγγελία.zip (contains "Jnobsbh_Signed_.exe")
Intelligence
File Origin
# of uploads :
1
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Launching cmd.exe command interpreter
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Threat name:
Win32.Trojan.DelfInject
Status:
Malicious
First seen:
2020-08-17 10:42:36 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
netwirerc
Similar samples:
+ 2'268 additional samples on MalwareBazaar
Result
Malware family:
formbook
Score:
10/10
Tags:
rat spyware trojan stealer family:formbook persistence
Behaviour
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.mansiobok3.info/m3px/
Please note that we are no longer able to provide a coverage score for Virus Total.
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.