MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12f8b87d2d821b198c6c054741c1c3b63aa2671c70778c0f71df973173e9c1b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 12f8b87d2d821b198c6c054741c1c3b63aa2671c70778c0f71df973173e9c1b7
SHA3-384 hash: 6bef5eb6c34d1011fa303517e33986acdf8b1867429c62566d35df129e5bf308094ca36f877b53b83dcf46ea793e12c8
SHA1 hash: fb7a95fd2e8cfc29be5a4a48cde160eb15cad283
MD5 hash: c3efbdfcb97480a80800aa650238d048
humanhash: mango-grey-island-two
File name:Purchase_Order.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:636'568 bytes
First seen:2020-10-12 09:45:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5f8ce99d6ad75c2b34e5fbb6b24c4395 (15 x ModiLoader, 4 x Loki, 2 x AZORult)
ssdeep 12288:sOZlAvXBW34aSHxF5en1PwGP0eAMNzVn2Vd13zde/T:dlUM4aSHTUn1PQeLNzV2H1A/T
Threatray 299 similar samples on MalwareBazaar
TLSH 21D4AFF3F2F14433C16726795C1B87BD682ABE132D28A8463AF51D4C6F39681782B193
Reporter abuse_ch
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
100
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70043/
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/488256
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Detected FormBook malware
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Fodhelper UAC Bypass
Sigma detected: Steal Google chrome login data
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 296569 Sample: Purchase_Order.exe Startdate: 12/10/2020 Architecture: WINDOWS Score: 100 76 Malicious sample detected (through community Yara rule) 2->76 78 Sigma detected: Steal Google chrome login data 2->78 80 Yara detected FormBook 2->80 82 4 other signatures 2->82 10 Purchase_Order.exe 1 15 2->10         started        process3 dnsIp4 60 cdn.discordapp.com 162.159.129.233, 443, 49733 CLOUDFLARENETUS United States 10->60 62 discord.com 162.159.138.232, 443, 49731, 49732 CLOUDFLARENETUS United States 10->62 54 C:\Users\user\AppData\Local\...\Uwdfdrv.exe, PE32 10->54 dropped 86 Writes to foreign memory regions 10->86 88 Allocates memory in foreign processes 10->88 90 Creates a thread in another existing process (thread injection) 10->90 92 Injects a PE file into a foreign processes 10->92 15 ieinstal.exe 10->15         started        18 notepad.exe 4 10->18         started        file5 signatures6 process7 file8 110 Modifies the context of a thread in another process (thread injection) 15->110 112 Maps a DLL or memory area into another process 15->112 114 Sample uses process hollowing technique 15->114 116 Queues an APC in another process (thread injection) 15->116 21 explorer.exe 15->21 injected 50 C:\Users\Public50atso.bat, ASCII 18->50 dropped 23 cmd.exe 1 18->23         started        25 cmd.exe 1 18->25         started        signatures9 process10 process11 27 chkdsk.exe 1 18 21->27         started        31 Uwdfdrv.exe 13 21->31         started        34 Uwdfdrv.exe 13 21->34         started        36 conhost.exe 23->36         started        38 reg.exe 1 1 23->38         started        40 conhost.exe 25->40         started        dnsIp12 56 C:\Users\user\AppData\...\J73logrv.ini, data 27->56 dropped 58 C:\Users\user\AppData\...\J73logri.ini, data 27->58 dropped 94 Detected FormBook malware 27->94 96 Creates an undocumented autostart registry key 27->96 98 Tries to steal Mail credentials (via file access) 27->98 108 4 other signatures 27->108 42 cmd.exe 2 27->42         started        64 162.159.130.233, 443, 49750 CLOUDFLARENETUS United States 31->64 66 162.159.135.232, 443, 49748, 49749 CLOUDFLARENETUS United States 31->66 72 2 other IPs or domains 31->72 100 Writes to foreign memory regions 31->100 102 Allocates memory in foreign processes 31->102 104 Creates a thread in another existing process (thread injection) 31->104 106 Injects a PE file into a foreign processes 31->106 46 ieinstal.exe 31->46         started        68 162.159.128.233, 443, 49752, 49753 CLOUDFLARENETUS United States 34->68 70 162.159.135.233, 443, 49754 CLOUDFLARENETUS United States 34->70 74 2 other IPs or domains 34->74 file13 signatures14 process15 file16 52 C:\Users\user\AppData\Local\Temp\DB1, SQLite 42->52 dropped 84 Tries to harvest and steal browser information (history, passwords, etc) 42->84 48 conhost.exe 42->48         started        signatures17 process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/12f8b87d2d821b198c6c054741c1c3b63aa2671c70778c0f71df973173e9c1b7/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2020-10-12 06:38:25 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cl4lq7jnqinrtddmavdudqodwy5kezy4ob3yyd3r36ltc47jyg3q._file
Verdict:
malicious
Similar samples:
023fb24e4591fcbbff6096a61e7cbfb79bc1bade9236dd0db6ede7ab1e00bf9f
ModiLoader
06b81a3d40c9f00bbe9f0f64a962bea487772d6275f66162375c0b53b71b8d44
ModiLoader
27f3b6f252114d1840bd8ff88af2fec03645bd1b84258660b1cb4d1f8b130161
ModiLoader
37866906c56f815018fd573608c4cdd0d96ca64eefebb8b5fd8fd94e9c4db787
ModiLoader
509cc1160a4457f7919bb870d59f8e16c311757780172b72b29d506fdd54eeda
ModiLoader
5b1ea5f80159e52d53772c270bf95c18a733c04529031de332d77c81d67386b8
ModiLoader
5b1f1843bbb992e3d5c635aa69d8409de4ae4d3f04cf19994d8e953e99cf451a
ModiLoader
835109646cd221028859f7d4c7de74be962091d60840952ca85053e396fdc593
ModiLoader
a22fe7978dab6470e098be930251eb6977c698d753def9ec2b50e43a0d069f35
ModiLoader
d78baf0425b2859a1a77b363e8f64db029593e77aad4d7899d3ae5a26939d272
ModiLoader
+ 289 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook persistence family:modiloader
Link:
https://tria.ge/reports/201012-ga9gn7va8j/
Behaviour
Gathers network information
Modifies Internet Explorer settings
Modifies registry key
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
ModiLoader First Stage
Formbook
ModiLoader, DBatLoader
Malware Config
C2 Extraction:
http://www.bringkyliehome.com/emh/
Unpacked files
SH256 hash:
12f8b87d2d821b198c6c054741c1c3b63aa2671c70778c0f71df973173e9c1b7
MD5 hash:
c3efbdfcb97480a80800aa650238d048
SHA1 hash:
fb7a95fd2e8cfc29be5a4a48cde160eb15cad283
Link:
https://www.unpac.me/results/07734872-cf02-48d2-a225-60546a05a005/
SH256 hash:
b9a20259952d702ec94360cab81db2bbd3bdc0bfe0be1353198341ed8d2dc662
MD5 hash:
98e8b1946fc233a0e95c37ab7b10ec62
SHA1 hash:
78f45aa090b4891c0b97bef27662fafd9168cf1a
Detections:
win_dbatloader_auto
Create hunting rule
Link:
https://www.unpac.me/results/07734872-cf02-48d2-a225-60546a05a005/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/12f8b87d2d821b198c6c054741c1c3b63aa2671c70778c0f71df973173e9c1b7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_dbatloader_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

Executable exe 12f8b87d2d821b198c6c054741c1c3b63aa2671c70778c0f71df973173e9c1b7

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70043/

Comments