MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2094d30dea8b0156041fd371f3c82d0ebbf39ed98ee34613958e6e28ddcbc424. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2094d30dea8b0156041fd371f3c82d0ebbf39ed98ee34613958e6e28ddcbc424
SHA3-384 hash: aa6aa537869303435b11a8fb7b7796c4372f15e9dc44501b34537c02d2a48111f8424db765c96aac1f229c795425ce9a
SHA1 hash: 15250c59962314684b090c01b5a97f0ebeaeec6b
MD5 hash: 6b87589f12f3ca7a3dda937761317741
humanhash: helium-october-earth-papa
File name:0234122562756152526.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:765'952 bytes
First seen:2022-10-27 11:33:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b6ef2d2e7423032e0ad980d94767f061 (2 x ModiLoader, 1 x RedLineStealer, 1 x BitRAT)
ssdeep 12288:QFwXm1eLcZbP9mpAmFXZ5e0mvXTeYZITtsUXqvxwUxLfHazzJr0:QFGQeabFmKmFzhmvJWu5PB
Threatray 19'560 similar samples on MalwareBazaar
TLSH T172F47BE36BE84176E52334369A0BD3AD7C53BD10396C9C422ACCF949DE37572E429293
TrID 26.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
24.5% (.SCR) Windows screen saver (13101/52/3)
19.7% (.EXE) Win64 Executable (generic) (10523/12/4)
8.4% (.EXE) Win32 Executable (generic) (4505/5/1)
5.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon ecf48696cec4d4d4 (2 x ModiLoader, 1 x RedLineStealer, 1 x BitRAT)
Reporter raverbash
Tags:exe ModiLoader xloader

Intelligence

File Origin
# of uploads :
1
# of downloads :
242
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
0234122562756152526.exe
Verdict:
Malicious activity
Analysis date:
2022-10-27 11:35:28 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/11765dec-644a-4c3a-8fb0-7ce6460ac27a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/324850/
Detection(s):
PUA.Win.Packer.BorlandDelphi-15
Create hunting rule

Porcupine.Win32.GenKryptik.GBMJ.34010.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Creating a process with a hidden window
Searching for synchronization primitives
Launching cmd.exe command interpreter
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/45951/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/27078e06-5e3e-45ef-90ef-d643b80b49a3
Result
Threat name:
DBatLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1099234
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 731885 Sample: 0234122562756152526.exe Startdate: 27/10/2022 Architecture: WINDOWS Score: 100 61 Malicious sample detected (through community Yara rule) 2->61 63 Multi AV Scanner detection for submitted file 2->63 65 Yara detected DBatLoader 2->65 67 3 other signatures 2->67 9 0234122562756152526.exe 1 18 2->9         started        process3 dnsIp4 55 l-0004.l-dc-msedge.net 13.107.43.13, 443, 49695, 49697 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 9->55 57 ph-files.fe.1drv.com 9->57 59 2 other IPs or domains 9->59 37 C:\Users\Public\Librariesbehaviorgraphsshzaux.exe, PE32 9->37 dropped 39 C:\Users\...behaviorgraphsshzaux.exe:Zone.Identifier, ASCII 9->39 dropped 81 Writes to foreign memory regions 9->81 83 Allocates memory in foreign processes 9->83 85 Creates a thread in another existing process (thread injection) 9->85 87 Injects a PE file into a foreign processes 9->87 14 wscript.exe 9->14         started        file5 signatures6 process7 signatures8 89 Modifies the context of a thread in another process (thread injection) 14->89 91 Maps a DLL or memory area into another process 14->91 93 Sample uses process hollowing technique 14->93 95 2 other signatures 14->95 17 explorer.exe 14->17 injected 21 help.exe 14->21         started        process9 dnsIp10 41 www.kreativevisibility.net 17->41 69 System process connects to network (likely due to code injection or exploit) 17->69 23 Gsshzaux.exe 15 17->23         started        27 Gsshzaux.exe 15 17->27         started        71 Modifies the context of a thread in another process (thread injection) 21->71 73 Maps a DLL or memory area into another process 21->73 75 Tries to detect virtualization through RDTSC time measurements 21->75 29 cmd.exe 1 21->29         started        signatures11 process12 dnsIp13 43 l-0003.l-dc-msedge.net 13.107.43.12, 443, 49700, 49702 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 23->43 45 ph-files.fe.1drv.com 23->45 53 2 other IPs or domains 23->53 77 Multi AV Scanner detection for dropped file 23->77 79 Machine Learning detection for dropped file 23->79 31 wscript.exe 23->31         started        47 ph-files.fe.1drv.com 27->47 49 onedrive.live.com 27->49 51 ghgxia.ph.files.1drv.com 27->51 33 wscript.exe 27->33         started        35 conhost.exe 29->35         started        signatures14 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2094d30dea8b0156041fd371f3c82d0ebbf39ed98ee34613958e6e28ddcbc424/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-10-24 01:50:32 UTC
File Type:
PE (Exe)
Extracted files:
46
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eckngdpkrmavmba72ny7hsbnb257hhwzr3rume4vrzxcrxolyqsa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
18d3b2043c0bbcb8af1d740837e13dbfbf803156a205df76ed824625d57158e4
ModiLoader
6fd7a41af249df56ac2cc4f2b9175421c9ffa25b71c759657a24a97296bd3bd8
ModiLoader
9ad8cc5c8b88690a6a57096c475f5463a52c357f3c7fe3f8b41f3fa7830de7b8
ModiLoader
a7d2dcd22de6c9f87960fbad826eafd2a0f300a9a5844d72c39497375020ae47
ModiLoader
bd80461f8ced83b6ef02cc5e7c678418da890aed3941b48d42da4c1cab3ce39c
ModiLoader
c830a445d79d79573e7da5f3a94fe72aa74d07fbcbb84d759915461202be06d8
ModiLoader
d4e437669746f9e7b805c76df906b7b1ed0aeca2dafb7249e8535aae116e1b6a
ModiLoader
dcd5d7cfe84d0687294f0990eaba6b407d250877fe61c3a28dc9ff6a30638bce
ModiLoader
+ 19'550 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:xloader campaign:euv4 loader persistence rat trojan
Link:
https://tria.ge/reports/221027-npfmhacadl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
ModiLoader Second Stage
Xloader payload
ModiLoader, DBatLoader
Xloader
Unpacked files
SH256 hash:
acc3c54c288b266b3b00991c56478ed664f87a2e9f468a45d79598f3d64ff090
MD5 hash:
02ba7295f06aa21f663737992ccd936a
SHA1 hash:
f961dd0202403297ee21706621d9eb12008a0aae
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/5c522cfd-7f9c-4146-86c8-c32e4e50b37e/
Parent samples :
a560f203c2e625c24ca5d86ab7b4fe90b6eebc96b6666eeab6231c6a55cca5db
ded8e87375feb200ce4b5d054d0ae8d3db28588a66071e2ef68dc3eb9fc9b084
6894716ecdc2dc8c9df8522345f04945c0d90df9c2b5426c72fb4eee7d809c79
f9ab7834504060f9878b94cc16de22ed004796b09a78ae8ad1e31e2eb7114162
e09a767ad0a00ade6074dcc43b64010206220db79086c3bf9a7330ce1b603cc6
2094d30dea8b0156041fd371f3c82d0ebbf39ed98ee34613958e6e28ddcbc424
8ea72282f7dfbac5825559640cded147ed27ed8f67063dd3ecddc539d6072a69
dcac7c0a08250b164343c102ef9d863a49c44343c6ce3e0cd1197cb7e3198937
974a92131810231c385981b681b315574a91a64ce6fba594e060c8645ae9d74e
6e9fc38aae3c403eb2a1664292b2bacc85721410b2568cfa36a1d00fc9b4d05c
SH256 hash:
2094d30dea8b0156041fd371f3c82d0ebbf39ed98ee34613958e6e28ddcbc424
MD5 hash:
6b87589f12f3ca7a3dda937761317741
SHA1 hash:
15250c59962314684b090c01b5a97f0ebeaeec6b
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/5c522cfd-7f9c-4146-86c8-c32e4e50b37e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2094d30dea8b0156041fd371f3c82d0ebbf39ed98ee34613958e6e28ddcbc424

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

Executable exe 2094d30dea8b0156041fd371f3c82d0ebbf39ed98ee34613958e6e28ddcbc424

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/324850/

Comments