MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f1b956451f7e90c7e306a4d0d762aa0d1f9b1b7c639ed8eda1a16dcdfa5b870. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1f1b956451f7e90c7e306a4d0d762aa0d1f9b1b7c639ed8eda1a16dcdfa5b870
SHA3-384 hash: d929cb9a6fa181c76b0922dcc7e0d0451e7ef0670ba69872109e59b5316069142f34fd583b0e5becb59436b610f76428
SHA1 hash: af736b2f1c48c21cff63a270ac2625e0f963135e
MD5 hash: 39625f6558d917a4abd6b14f73b8618e
humanhash: queen-neptune-potato-red
File name:SecuriteInfo.com.Variant.Zusy.438336.25792.6749
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'027'074 bytes
First seen:2022-09-23 09:48:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d327c770dcde2c326f621c13e64d15a0 (2 x ModiLoader, 1 x FormBook)
ssdeep 24576:ykb0afaPqkuuvxYe6aUMdXs+loXwbPfQ9W8AoqiVNW:yk4Ku5YhMVs+lms
Threatray 16'582 similar samples on MalwareBazaar
TLSH T12B25AE63B381C533C62A25356E1F62687B29FE4538158D5A32E0FEBC1F7FB602125396
TrID 26.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
24.5% (.SCR) Windows screen saver (13101/52/3)
19.7% (.EXE) Win64 Executable (generic) (10523/12/4)
8.4% (.EXE) Win32 Executable (generic) (4505/5/1)
5.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon 74f7e3db9fc5efca (4 x ModiLoader, 2 x Formbook)
Reporter SecuriteInfoCom
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
356
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
1f1b956451f7e90c7e306a4d0d762aa0d1f9b1b7c639ed8eda1a16dcdfa5b870.zip
Verdict:
Malicious activity
Analysis date:
2022-09-23 10:43:50 UTC
Tags:
formbook stealer
Link:
https://app.any.run/tasks/10c8acd2-456a-43b6-98ef-b10f4c178221

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/312566/
Detection(s):
SecuriteInfo.com.Variant.Zusy.438336.25792.6749.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Creating a file
Launching a process
Creating a process with a hidden window
Launching a service
Creating a file in the Windows subdirectories
Searching for the window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/38552/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook keylogger overlay zusy
Link:
https://www.filescan.io/uploads/632d819ce64c53f047ffde7a/reports/fc1914c2-c3b0-489c-8263-78ec898bbb05/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/02a96e42-a9f7-4774-abe4-5a7b0af59f5b
Result
Threat name:
DBatLoader
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1075821
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1f1b956451f7e90c7e306a4d0d762aa0d1f9b1b7c639ed8eda1a16dcdfa5b870/
Threat name:
Win32.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2022-09-23 06:48:44 UTC
File Type:
PE (Exe)
Extracted files:
54
AV detection:
14 of 26 (53.85%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=d4nzkzcr67uqy7rqnjgq25rkudi7tmnxyy463dw2dilnzx5fxbya._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
4bbb39fcbea555b2ff359c3422f1058dcebd8e4cf0ae68d3b05f2198d57db9a8
ModiLoader
66e023153783841c82581216957c689782313b971b270bf48f1ec3bc1885d3e4
ModiLoader
78d04244289fe215008b2c7d8937813b740228e5b60092287346e66e29c8182d
ModiLoader
96cf18e2a423b74f89f810553f9b4ba3859bd2f71172facfc8911c6cf6221881
ModiLoader
a2161a7d0675f94235710ab04b4324c454a76b8f3c0a30ea2ba3777e197dfcea
ModiLoader
b1248c9a9d2892a23cd6927ccfad438e360f5977e47c38d424522e7d67d10816
ModiLoader
ba9e6da19bce3c2fbfe97ab569379e144838a6f9245c4f4581865bc5bab3d503
ModiLoader
c5aaaf40148a7d8bd30681af759e7e922c491404610c1691d3ce7d1c1b849bcd
ModiLoader
f85bf1ff072c013d0f427e613aed83108fb8efa061897eda3a84c5c15b1722e9
ModiLoader
fc15ab19130fccdae7dee477e0ae6d711fe3492cbac1b7e5d472eae4902f9516
ModiLoader
+ 16'572 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:modiloader campaign:chof persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/220923-ltcejagdc5/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
ModiLoader Second Stage
Formbook
ModiLoader, DBatLoader
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3f88c2cf-0b17-407b-a415-71a2f38a589e
Unpacked files
SH256 hash:
b44efc99aa637abb6b32fe45f0edfdc6e82f5626984d06c6c660690568ca7335
MD5 hash:
659102b565fb5ad1bd6f6cb31212bd86
SHA1 hash:
ec86a329feab1ba5c8e4aef14bad74db022ab5e0
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/a9dc2845-80c1-44f5-bc94-8b49164f1359/
Parent samples :
faac5f6037f14d4d1dcb0b34b555c89791b536ea01a8bafa8851f3659c0123d7
6d68db4d0aa5bfc75ed6eb34a3680abb7ee99af0138419324e65749af1ba4b40
1f1b956451f7e90c7e306a4d0d762aa0d1f9b1b7c639ed8eda1a16dcdfa5b870
ac5e5935c877d48be14314d53a7154e370426a35168c82cb9ee83b7e98d02f28
f37aaec005b8c49d6376b138c96b2219b3060098ff5cd11d143a4983d2f9187b
SH256 hash:
1f1b956451f7e90c7e306a4d0d762aa0d1f9b1b7c639ed8eda1a16dcdfa5b870
MD5 hash:
39625f6558d917a4abd6b14f73b8618e
SHA1 hash:
af736b2f1c48c21cff63a270ac2625e0f963135e
Link:
https://www.unpac.me/results/a9dc2845-80c1-44f5-bc94-8b49164f1359/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1f1b956451f7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.73
Link:
https://yomi.yoroi.company/submissions/1f1b956451f7e90c7e306a4d0d762aa0d1f9b1b7c639ed8eda1a16dcdfa5b870

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:RansomwareTest4
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest5
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/312566/

Comments