MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06e4ec7e065c7765f452e3516a985f3481f020aaddeb41e6f28bf2a33bc73c9d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 06e4ec7e065c7765f452e3516a985f3481f020aaddeb41e6f28bf2a33bc73c9d
SHA3-384 hash: 897ae2956c3e7d448585e5a9c5b128084bd4d366b2d51559c6cb4760e1cc6f2a3a0d4a14ad6c6389e66d7bee8f21c69b
SHA1 hash: be1efe819e2174ddf3bffed8d0dc20ce559e8950
MD5 hash: dfd3a0a7d2411644438328267aec3f87
humanhash: east-mississippi-jig-lake
File name:dfd3a0a7d2411644438328267aec3f87.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'029'632 bytes
First seen:2020-11-01 06:57:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 24967b969934deafb74b30f5c6d2aac5 (8 x ModiLoader, 1 x AveMariaRAT, 1 x RemcosRAT)
ssdeep 12288:2onjUKefGncg9JvO3YgMz4kxTeDoemnEtC35OWk31uPtqYKmr3/m9OrvRkP:2onbefGHVqYgcLetUhOWi1uFf3brp
Threatray 2'768 similar samples on MalwareBazaar
TLSH D2257D62A29245F2F253E6388C76567758F5BE3039386C462AE4ED087EFF1813C2DD52
Reporter abuse_ch
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
136
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/81588/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Fareit-FZOE94D1AC3C5BE.24044.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching the process to change network settings
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook ModiLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/517608
Signature
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Yara detected ModiLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/06e4ec7e065c7765f452e3516a985f3481f020aaddeb41e6f28bf2a33bc73c9d/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2020-10-29 09:12:00 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=a3soy7qglr3wl5cs4niwvgc7gsa7aifk3xvudzxsrpzkgo6hhsoq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0357b2aed154c5d1c335723481cdb1fb13fe5ceb50cf9e35a5007469528e38d9
ModiLoader
08c0c3cf921d5b4af4d261668a9c0ca41acb67610290c7f75ce4537191a9214f
ModiLoader
21dc2cd230d860e64a31419f2c208e9d6d0139fe5bbea4a26de782037d6f208d
ModiLoader
24af60cda9f71c743ac75a18552abe991aba2b5e8bb58b85fbbec669c44799b1
ModiLoader
46c3ab59682596a8e030fb0bad3d31c59e502f68b9f3c112309edd82d27513c3
ModiLoader
4707d12ac7c445123243c1106f805600be99b1201ddd94e131c569d86b586bf2
ModiLoader
7262bffe13cb0313606a7f47e85404a201f3072c0f984ce0f3f6bdcc246cef0d
ModiLoader
c611c4446e4604531e8e096508422fd01b23d26c424f9625d049e7edaf4f566a
ModiLoader
d5dc65df9d699ffab0563963fa22ed0a1d833d451dfbd1d724f2a5b988494538
ModiLoader
e0c3dfb8c7187ffcd1b2a520aad7d7bb69ddcac73578c2fe66f36822cf2faf16
ModiLoader
+ 2'758 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader trojan
Link:
https://tria.ge/reports/201101-q9gw5f58de/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
ModiLoader First Stage
ModiLoader Second Stage
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
06e4ec7e065c7765f452e3516a985f3481f020aaddeb41e6f28bf2a33bc73c9d
MD5 hash:
dfd3a0a7d2411644438328267aec3f87
SHA1 hash:
be1efe819e2174ddf3bffed8d0dc20ce559e8950
Link:
https://www.unpac.me/results/2137ee4b-5d13-4d76-a0d0-0d624cf40c2a/
SH256 hash:
c1a3b04c4858199e37deae61a5804bc66051ffb986ac10397e74770d4b127f82
MD5 hash:
7008404a120c77be0dafcd566fead499
SHA1 hash:
d9eac333a413d71cbec2fd8467274d88953eafa6
Link:
https://www.unpac.me/results/2137ee4b-5d13-4d76-a0d0-0d624cf40c2a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Gamarue
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/06e4ec7e065c7765f452e3516a985f3481f020aaddeb41e6f28bf2a33bc73c9d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ModiLoader

Executable exe 06e4ec7e065c7765f452e3516a985f3481f020aaddeb41e6f28bf2a33bc73c9d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/761012/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/81588/

Comments