MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 62129dc8193a75313e61a1feb2146bd798ec2c84b12d99aac6560cdb7ee9e309. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 62129dc8193a75313e61a1feb2146bd798ec2c84b12d99aac6560cdb7ee9e309
SHA3-384 hash: 1a120a5d768f205040a2e54ebb72f48d0ddafb78a2adf3b9ad432fa8ab831843e96d5061ec517d9e1ac0946180369469
SHA1 hash: 178b648f1c57e9121dc0187e3bda16f23727973f
MD5 hash: 0e65492146d36fc9fb59a409b69498fe
humanhash: fanta-bravo-kitten-edward
File name:polizza di trasferimento.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'947'762 bytes
First seen:2020-08-05 08:49:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b782f896667e95f10c43e1cbf8187161 (7 x ModiLoader, 1 x RemcosRAT, 1 x NetWire)
ssdeep 49152:dmR4Ebg1E6PWyjcRZVhlZfyiSCyiSV/CznFw9:dq/6PWyjYZVLpi
Threatray 5'231 similar samples on MalwareBazaar
TLSH B895D037F2D1FA3EC3AE5AF058B9AB081928BD5135048C8F61F83D7D8921A84B5D365D
Reporter abuse_ch
Tags:exe ModiLoader


Avatar
abuse_ch
Malspam distributing ModiLoader:

HELO: serverz.geminit.it
Sending IP: 5.249.152.15
From: lmslides <lmslides@tin.it>
Subject: Ri: Ri: Ri Re: PJS-97 ISS Q7498-A-R0
Attachment: 07-20-2020_06-59-10-PM pdf.zip (contains "polizza di trasferimento.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/39267/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader34.17892.12192.21659.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Launching a process
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Launching cmd.exe command interpreter
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/410681
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Detected FormBook malware
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 257610 Sample: polizza di trasferimento.exe Startdate: 05/08/2020 Architecture: WINDOWS Score: 100 38 www.s-immotanger.com 2->38 44 Malicious sample detected (through community Yara rule) 2->44 46 Yara detected FormBook 2->46 48 Machine Learning detection for sample 2->48 50 2 other signatures 2->50 9 polizza di trasferimento.exe 14 2->9         started        signatures3 process4 dnsIp5 40 cdn.discordapp.com 162.159.130.233, 443, 49734 CLOUDFLARENETUS United States 9->40 60 Writes to foreign memory regions 9->60 62 Allocates memory in foreign processes 9->62 64 Creates a thread in another existing process (thread injection) 9->64 66 Injects a PE file into a foreign processes 9->66 13 ieinstal.exe 9->13         started        signatures6 process7 signatures8 68 Modifies the context of a thread in another process (thread injection) 13->68 70 Maps a DLL or memory area into another process 13->70 72 Sample uses process hollowing technique 13->72 74 Queues an APC in another process (thread injection) 13->74 16 explorer.exe 3 13->16 injected process9 dnsIp10 32 healthywithhook.com 184.168.131.241, 49745, 49746, 49747 AS-26496-GO-DADDY-COM-LLCUS United States 16->32 34 www.s-immotanger.com 16->34 36 www.healthywithhook.com 16->36 42 System process connects to network (likely due to code injection or exploit) 16->42 20 wlanext.exe 1 17 16->20         started        24 ieinstal.exe 16->24         started        26 ieinstal.exe 16->26         started        signatures11 process12 file13 28 C:\Users\user\AppData\...\0L9logrv.ini, data 20->28 dropped 30 C:\Users\user\AppData\...\0L9logri.ini, data 20->30 dropped 52 Detected FormBook malware 20->52 54 Tries to steal Mail credentials (via file access) 20->54 56 Tries to harvest and steal browser information (history, passwords, etc) 20->56 58 3 other signatures 20->58 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/62129dc8193a75313e61a1feb2146bd798ec2c84b12d99aac6560cdb7ee9e309/
Threat name:
Win32.Spyware.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-08-05 02:34:06 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mijj3sazhj2tcptbuh7lefdl26moyleewewztkwgkygnw7xj4meq._file
Verdict:
malicious
Similar samples:
45a1bb88d5e48989369b90d346c9d706a24c8b1205c4358b6a3bda278aeee6cf
ModiLoader
5d4ee1d47b298efcc8475545d1d28ccaf61192def8085636e225019cced7f9cd
ModiLoader
65463a82bb20ec1f2d53e93c9e51538d55fff2844c746afc36e7a1c43cce36e4
ModiLoader
7f261df83598926b168c3515bde5a345dba7828d5bcbdedff5fc55cd16ec23a8
ModiLoader
8018cda9143d0dfeddb6ef8e5e90a920d837d0bb7eea826b9ce37f3c96850859
ModiLoader
85774cdd3163c5e259dafdf67b113fd69fa8f4f9ebd964ee91b099bd2f58ebfd
ModiLoader
9392304274014d5807d5a2271486ea5a72143d7a1214ecc1b59b1626dfc3ba64
ModiLoader
c97112bbfbe643fbde2c2b857761d81d37ed9c7619c0093443800c4ba46a4554
ModiLoader
d15bb0b2e07a91123300b30b6b7f26774e873a7bbbf677cdfd1a7c9547a1e353
ModiLoader
ea757d5009b479c116f888667fe901ed1c2f5687d26cd611df29298c17529153
ModiLoader
+ 5'221 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat evasion trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/200805-46rrtczdvs/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Formbook Payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Strictor
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/62129dc8193a75313e61a1feb2146bd798ec2c84b12d99aac6560cdb7ee9e309

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_dbatloader_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

zip f1487b4b31308584b8ca66dcc4904c310c128317f68b10f11629e38f9cf3d59e

ModiLoader

Executable exe 62129dc8193a75313e61a1feb2146bd798ec2c84b12d99aac6560cdb7ee9e309

(this sample)

  
Dropped by
MD5 6da592a7f9d24e57bc9d52fd680caeac
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/39267/
  
Dropped by
SHA256 f1487b4b31308584b8ca66dcc4904c310c128317f68b10f11629e38f9cf3d59e

Comments