MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ce629f720939b40acc1e571be11a81967e80dd4deb2a2b2a140623d64ea008b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ModiLoader

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	8ce629f720939b40acc1e571be11a81967e80dd4deb2a2b2a140623d64ea008b
SHA3-384 hash:	c6128a78f7fbf43161a19587a0a506671b41c3ceb77941dae5b4b48b75c8611522ffc4e14201650442e5830c30a559d7
SHA1 hash:	2f802bdc35247f0ee9502b60aa1efd2ce34dfae6
MD5 hash:	8378c64bc517c99a3ea2957f6fe21dec
humanhash:	tennis-uniform-colorado-robin
File name:	Glihjsn_Signed_.exe
Download:	download sample
Signature	ModiLoader Create hunting rule
File size:	1'947'762 bytes
First seen:	2020-08-04 13:21:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b782f896667e95f10c43e1cbf8187161 (7 x ModiLoader, 1 x RemcosRAT, 1 x NetWire)
ssdeep	49152:dmR4Qbg1E6PWyjcRZVhlZfyiSCyiSV/CznFw9:dqr6PWyjYZVLpi
Threatray	5'214 similar samples on MalwareBazaar
TLSH	8695D037F2D1FA3EC3AE5AF058B9AB081928BD5135048C8F61F83D7D8921A84B5D365D
Reporter	abuse_ch
Tags:	exe ModiLoader

abuse_ch

Malspam distributing ModiLoader:

HELO: sm112.dnslake.com
Sending IP: 185.192.112.12
From: MRKETING@OXINFARAYAND.COM <t.karami@inoclon.com>
Reply-To: t.karami@inoclon.com
Subject: Technical-Commercial Offers/OXINFARAYAND
Attachment: Signed_Documents.zip (contains "Glihjsn_Signed_.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/38709/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

DNS request

Sending a custom TCP request

Creating a file

Launching a process

Creating a file in the %AppData% subdirectories

Reading critical registry keys

Launching cmd.exe command interpreter

Creating a file in the %temp% directory

Unauthorized injection to a recently created process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/409450

Signature

Allocates memory in foreign processes

Creates a thread in another existing process (thread injection)

Detected FormBook malware

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8ce629f720939b40acc1e571be11a81967e80dd4deb2a2b2a140623d64ea008b/

Threat name:

Win32.Trojan.Ymacco

Status:

Malicious

First seen:

2020-08-04 13:23:08 UTC

AV detection:

26 of 28 (92.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=rttct5zasonublgb4vy34enidft6qdou32zkfmvbibrd2zhkacfq._file

Verdict:

malicious

ModiLoader

1940c82d728454e9a43d2efc7dd0033fcbf58880b32d227830e54a43b885ca3c

ModiLoader

2680be0d6ab364c09e9ca33e93bc0dfa3de6906e014bdb4aafc77ea9caf76650

ModiLoader

2b8f048a61ef0fcd4a8d4f54cf1a22cf637883aae8b542f981ead6f043f02ffe

ModiLoader

426a7d5241a207054d695ea06f8133260c2684c5598420954f0fde91a03fe059

ModiLoader

5e2ceeaf0867b931ec61f6e4c6bd5403e237353eda4816509038fdec470b6ddb

ModiLoader

74d74e7da724014c17890327f3464b435314f480eb46553723ce0766941b38da

ModiLoader

97d8ae62cb751e857b04d9eaa68ee2acce3d7243009bdb04639a729cdfc7cbf3

ModiLoader

cf6bbd5a9224dcd52aa71c16288945611a3348ca9953f32fa92a4c481c307195

ModiLoader

f01669ff0af4c1b8f4f15985fae94c302537ed8affc5b2fe01534594036218f2

ModiLoader

+ 5'204 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

rat persistence spyware evasion trojan stealer family:formbook

Link:

https://tria.ge/reports/200804-9kt84yq64x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetThreadContext

Adds Run key to start application

Checks whether UAC is enabled

Reads user/profile data of web browsers

Adds policy Run key to start application

Formbook Payload

Formbook

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8ce629f720939b40acc1e571be11a81967e80dd4deb2a2b2a140623d64ea008b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	win_dbatloader_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator