MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a678db2b0d3f84a7edaa2c100192a43397a7be3d2c482b34d7bdaf1572f00720. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ModiLoader

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	a678db2b0d3f84a7edaa2c100192a43397a7be3d2c482b34d7bdaf1572f00720
SHA3-384 hash:	cd9ceb72ef385ce9a94927dc4450a6a31d5171e66b169a1e5570156e11fb1b714802e2c1125564272d4d34414fc2b93c
SHA1 hash:	9de5396ba7bbb9b413df229948c63dad75cbebf0
MD5 hash:	738cd543912792b376d1a444c01f2a13
humanhash:	enemy-magazine-six-lake
File name:	Dgslimt_Signed_.exe
Download:	download sample
Signature	ModiLoader Create hunting rule
File size:	1'856'114 bytes
First seen:	2020-07-31 06:29:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	28121b56cd03905523efa8ccdf3ce04d (3 x ModiLoader)
ssdeep	24576:zAE2gibWI2NZgDrHX5SQaeUVx151ZgMlXIqOUArsqmyiSCyiSVUJEq7zvVJf9w9:zAP192xtZVhlZfyiSCyiSV/CznFw9
Threatray	5'211 similar samples on MalwareBazaar
TLSH	9D85D022F2DDF13EC3FA5AF48CB96B541529BD4326149C8B61F47DB98932600B8D335A
Reporter	abuse_ch
Tags:	exe geo ModiLoader THA

abuse_ch

Malspam distributing ModiLoader:

HELO: lhost7.websahibi.com
Sending IP: 213.142.143.189
From: servicentech@yahoo.com
Subject: Re: โปรดตรวจสอบคำสั่งซื้อใหม่ของเรา
Attachment: file.zip (contains "Dgslimt_Signed_.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/35838/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Creating a file

Launching a process

Creating a file in the %AppData% subdirectories

Reading critical registry keys

Launching cmd.exe command interpreter

Creating a file in the %temp% directory

Possible injection to a system process

Unauthorized injection to a recently created process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Stealing user critical data

Unauthorized injection to a system process

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/404579

Signature

Allocates memory in foreign processes

Creates a thread in another existing process (thread injection)

Detected FormBook malware

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

System process connects to network (likely due to code injection or exploit)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses netstat to query active network connections and open ports

Writes to foreign memory regions

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a678db2b0d3f84a7edaa2c100192a43397a7be3d2c482b34d7bdaf1572f00720/

Threat name:

Win32.Trojan.Ymacco

Status:

Malicious

First seen:

2020-07-31 02:48:54 UTC

AV detection:

36 of 48 (75.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=uz4nwkynh6ckp3nkfqiadevegol2ppr5frecwngxxwxrk4xqa4qa._file

Verdict:

malicious

ModiLoader

3c7ef54cf3d06546c5201243fd32d91fb4bf4dbc646956c0b0c5e22ddbfbe113

ModiLoader

58ced5958ea8fea452bbaa34bba957927c391a0d3699542fb3702cdab990c70a

ModiLoader

6afac1117b8398317f5eb5f8c66ce52c0fcf2e438a0d40743a584eedd17ac260

ModiLoader

7d76b11ffd54f1f7f61dae2d07689f986a40a6bcf79e2606610f77a5c7bb20de

ModiLoader

7f9c9b969cacb0ea5d679baff92d33438a27ecb67786022aa03f9f43a4ce56f4

ModiLoader

85774cdd3163c5e259dafdf67b113fd69fa8f4f9ebd964ee91b099bd2f58ebfd

ModiLoader

a34a05f4fba031be97dcc4bb04e0e45a75d1034cd2d32177b26a65de7a1306a0

ModiLoader

ab4583eefcd41b355fe38fcabdfe18450722b162f7b9e8e9ba346040355f4126

ModiLoader

c177f9b4bd74ab895e5b56bd2de176fa8eef55435f62a734fabc4a1215980c60

ModiLoader

+ 5'201 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

rat spyware evasion trojan stealer family:formbook persistence

Link:

https://tria.ge/reports/200731-zly57y1vpj/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Adds Run key to start application

Reads user/profile data of web browsers

Adds policy Run key to start application

Formbook Payload

Formbook

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a678db2b0d3f84a7edaa2c100192a43397a7be3d2c482b34d7bdaf1572f00720

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	win_dbatloader_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator