MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e91dc39314361fd45321a8adc28435467ad1167ee0cc646f77946b522b9efe3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ModiLoader

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	1e91dc39314361fd45321a8adc28435467ad1167ee0cc646f77946b522b9efe3
SHA3-384 hash:	8f04a25b073dbc9e927ab9236bb47365d826dccd1e9bb6829b0c4a7a844591a1984ffece2973b58472b4cd2efd2ca193
SHA1 hash:	1c487b3d275a1e931cb3d10bd9a345a09dc35340
MD5 hash:	fe5446b7bad5ccddc411dd35a9607d77
humanhash:	mars-alpha-thirteen-vegan
File name:	Orcdpfi_Signed_.exe
Download:	download sample
Signature	ModiLoader Create hunting rule
File size:	2'254'960 bytes
First seen:	2020-11-25 17:11:59 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	191f8035b5c11d5de8fd20cfdada0df2 (6 x ModiLoader)
ssdeep	49152:LR/ovVcOM1pJTYBzQ0DZVhlZfyiSCyiSV/CznFw9:LRmi/YBzZDZVLpi
Threatray	3'035 similar samples on MalwareBazaar
TLSH	3DA5D023B1E3E03DC3B99AF99F7A66C81F6CFD513164684E71F47818C936940A8D325A
Reporter	Racco42
Tags:	exe ModiLoader

Intelligence

File Origin

# of uploads :

1

# of downloads :

76

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/105660/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Sending a custom TCP request

Launching a process

Launching cmd.exe command interpreter

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/1e91dc39314361fd45321a8adc28435467ad1167ee0cc646f77946b522b9efe3/

Threat name:

Win32.Spyware.Wacatac

Status:

Malicious

First seen:

2020-11-25 10:16:36 UTC

AV detection:

28 of 29 (96.55%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=d2i5yojrinq72rjsdkfnykcdkrt22elh5ygmmrxxpfdlkivz57rq._file

Verdict:

malicious

Label(s):

formbook

Similar samples:

2dc919f5d220f45c43cf0de4399d30313ff6566b79e4f367e279a0bb71429b84

35bb2187c8bcf8921677dc34a4a3bf7f33144c97370346f4ff616c82a2e278b5

45a1bb88d5e48989369b90d346c9d706a24c8b1205c4358b6a3bda278aeee6cf

65463a82bb20ec1f2d53e93c9e51538d55fff2844c746afc36e7a1c43cce36e4

80b60b15186be0ecab7ea836bbe4e42477d1c9dfa1d984b1f9ae8670cf7380a1

85774cdd3163c5e259dafdf67b113fd69fa8f4f9ebd964ee91b099bd2f58ebfd

9392304274014d5807d5a2271486ea5a72143d7a1214ecc1b59b1626dfc3ba64

c0307fdf9dcf72e69b33cb4327608c3d27bc5a26ce4552a1eae074f2557482dc

d15bb0b2e07a91123300b30b6b7f26774e873a7bbbf677cdfd1a7c9547a1e353

ea757d5009b479c116f888667fe901ed1c2f5687d26cd611df29298c17529153

+ 3'025 additional samples on MalwareBazaar

Result

Malware family:

modiloader

Score:

10/10

Tags:

family:formbook family:modiloader persistence rat spyware stealer trojan

Link:

https://tria.ge/reports/201125-ghlmk64gpj/

Behaviour

Modifies Internet Explorer settings

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

Suspicious use of SetThreadContext

Adds Run key to start application

Reads user/profile data of web browsers

Adds policy Run key to start application

Formbook Payload

ModiLoader First Stage

Formbook

ModiLoader, DBatLoader

Malware Config

C2 Extraction:

http://www.joomlas123.info/n7ak/

Unpacked files

SH256 hash:

1e91dc39314361fd45321a8adc28435467ad1167ee0cc646f77946b522b9efe3

MD5 hash:

fe5446b7bad5ccddc411dd35a9607d77

SHA1 hash:

1c487b3d275a1e931cb3d10bd9a345a09dc35340

Link:

https://www.unpac.me/results/7e5c6f92-1404-4aa8-b4a5-431d844ac34d/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

exe 1e91dc39314361fd45321a8adc28435467ad1167ee0cc646f77946b522b9efe3

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/105660/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample