MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ade8e9c697c91b31ad76389a10e95c229eb05359a1dd70358be045199ff77a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ModiLoader
Vendor detections: 10



SHA256 hash: 1ade8e9c697c91b31ad76389a10e95c229eb05359a1dd70358be045199ff77a4
SHA3-384 hash: 4625baeb64de67f2aa83acf394b3b3c458ef5d43d69fdbf3d03aad4c8025dea9b85c452818bf2c9e4d8a89a196d5cea4
SHA1 hash: 0d8e351b416d1c31c5eced45ec75ccac9dbfc1ad
MD5 hash: be29c05ef14711fe1912e7bf66663078
humanhash: triple-three-october-apart
File name: be29c05ef14711fe1912e7bf66663078.exe
Signature: ModiLoader
File size: 749'760 bytes
First seen: 2020-12-16 08:12:32 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 0fe9a21f0eaacd42b3f42bdd72bc37cf (5 x ModiLoader)
ssdeep: 12288:fsaXPocWk0vDvWHuHxJ+nEDZZE8NVbKCJU1sWaa0zZbzro161111PGRajT:fffo/vDvWHCxIEDsCdNJ6161111eMH
Threatray: 3'283 similar samples on MalwareBazaar
TLSH: 6AF4AE22A3915837C0771D789C1B96A4DC3BBE113D28A95AEBF51F8C5F342613A371A3
Reporter: abuse_ch
Tags: exe ModiLoader

Intelligence

File Origin
# of uploads: 1
# of downloads: 151
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: be29c05ef14711fe1912e7bf66663078.exe
Verdict: No threats detected
Analysis date: 2020-12-16 08:15:06 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Sending an HTTP GET request
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 48 / 100
Signature
Multi AV Scanner detection for submitted file
Threat name: Win32.Infostealer.Fareit
Status: Malicious
First seen: 2020-12-16 08:13:05 UTC
AV detection: 12 of 48 (25.00%)
Threat level: 5/5
Result
Malware family: xloader
Score: 10/10
Tags: family:formbook family:modiloader family:xloader loader persistence rat spyware stealer trojan
Behaviour
Enumerates system info in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Adds Run key to start application
Adds policy Run key to start application
Xloader Payload
Formbook
ModiLoader, DBatLoader
Xloader
Malware Config
C2 Extraction: http://www.herbmedia.net/csv8/
Unpacked files
SHA256 hash: 5cff498e5e66ccb6703a325472712799e82f88ef7766cb2443c65e5b2939e8d0
MD5 hash: 79b629f5b501288aa2a44119ceeeb5f4
SHA1 hash: b68424fd8b180239d9357c76df8a83b5933305cc
SHA256 hash: 1ade8e9c697c91b31ad76389a10e95c229eb05359a1dd70358be045199ff77a4
MD5 hash: be29c05ef14711fe1912e7bf66663078
SHA1 hash: 0d8e351b416d1c31c5eced45ec75ccac9dbfc1ad
Detections: win_dbatloader_auto
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: win_dbatloader_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: ModiLoader
File type: Executable exe
SHA256 hash: 1ade8e9c697c91b31ad76389a10e95c229eb05359a1dd70358be045199ff77a4 (this sample)

Delivery method
Distributed via web download

Comments