MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2446476e9008d7e3c9f908680c22794aad6c26605536ec0cb428b33c99f72be3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2446476e9008d7e3c9f908680c22794aad6c26605536ec0cb428b33c99f72be3
SHA3-384 hash: c054fbfeb3bd4ea6c53e24d1699c01a3b2e5eaf5bd7bad10e523f63c7e604e2314096ac7539a8c5a34b9a8de9c73ed41
SHA1 hash: 7e92abbe31847d455d69b4da443ef01d958b4706
MD5 hash: 99a04fddbcdadcc10efa80d863d96d30
humanhash: uniform-fourteen-alpha-quebec
File name:Novi poredak.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:2'250'352 bytes
First seen:2020-11-28 09:20:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 23de31c260a4b45c8d1ef99329fb5969 (2 x RemcosRAT, 1 x ModiLoader, 1 x AveMariaRAT)
ssdeep 49152:vLrd08kN5H7Y9gKAdZVhlZfyiSCyiSV/CznFw9:vLrDkNlY9gDdZVLpi
Threatray 3'071 similar samples on MalwareBazaar
TLSH 25A5D123B1E3E03DC3B69AF99F6A66C81F6CFD5131646C4E71E4781CC936940A8D325A
Reporter abuse_ch
Tags:exe geo HRV ModiLoader


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail.urdisc.com.ua
Sending IP: 193.227.96.6
From: Vatroslav Vujičić <vatroslav.vujicic@dpd.hr>
Subject: Re: Novi poredak
Attachment: Novi poredak.zip (contains "Novi poredak.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
189
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/105874/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Launching a process
Result
Gathering data
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/549950
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Detected FormBook malware
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Steal Google chrome login data
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 324086 Sample: Novi poredak.exe Startdate: 28/11/2020 Architecture: WINDOWS Score: 100 41 www.naehascloud.com 2->41 49 Malicious sample detected (through community Yara rule) 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 Sigma detected: Steal Google chrome login data 2->53 55 3 other signatures 2->55 11 Novi poredak.exe 2->11         started        signatures3 process4 dnsIp5 45 cdn.discordapp.com 162.159.135.233, 443, 49717 CLOUDFLARENETUS United States 11->45 47 discord.com 162.159.137.232, 443, 49716 CLOUDFLARENETUS United States 11->47 65 Writes to foreign memory regions 11->65 67 Allocates memory in foreign processes 11->67 69 Creates a thread in another existing process (thread injection) 11->69 71 Injects a PE file into a foreign processes 11->71 15 ieinstal.exe 11->15         started        signatures6 process7 signatures8 75 Modifies the context of a thread in another process (thread injection) 15->75 77 Maps a DLL or memory area into another process 15->77 79 Queues an APC in another process (thread injection) 15->79 18 explorer.exe 3 1 15->18 injected process9 dnsIp10 43 www.hotsmail.today 18->43 21 control.exe 1 18 18->21         started        25 ieinstal.exe 18->25         started        27 ieinstal.exe 18->27         started        process11 file12 35 C:\Users\user\AppData\...\8LOlogrv.ini, data 21->35 dropped 37 C:\Users\user\AppData\...\8LOlogri.ini, data 21->37 dropped 57 Detected FormBook malware 21->57 59 Tries to steal Mail credentials (via file access) 21->59 61 Tries to harvest and steal browser information (history, passwords, etc) 21->61 63 3 other signatures 21->63 29 cmd.exe 2 21->29         started        signatures13 process14 file15 39 C:\Users\user\AppData\Local\Temp\DB1, SQLite 29->39 dropped 73 Tries to harvest and steal browser information (history, passwords, etc) 29->73 33 conhost.exe 29->33         started        signatures16 process17
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2446476e9008d7e3c9f908680c22794aad6c26605536ec0cb428b33c99f72be3/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-11-27 22:11:24 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=erdeo3uqbdl6hspzbbuayitzjkwwyjtaku3oydfufcztzgpxfprq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
017f433a49afcc765c5a5e7f39de6251fbe37d9c98f7d86f1abcefb1a9f559bc
ModiLoader
159676d64d4a593ffa25f69875f6dc59f05f75f3b135825b5ebda6c67adc475e
ModiLoader
41519f4cbc28650e8151b62f9a6b9503274a80d6dc51bade4a118812742e63ab
ModiLoader
48d22944fdf7cf66fd1423b6ab2dd0143d96b4db7915e088088b8f826d46b000
ModiLoader
73be7382d0c307a958973954111725315843e7d089c29fe826a5bc892332381d
ModiLoader
8afd54f2ed0af6d9593b0985cec1604748ca753900859fe4ee225d21b574e55e
ModiLoader
a6534d12c87d0d8093cad2787b01a05c6caa0771f1b1cb51b809ee1ae9f48044
ModiLoader
be29f9be4b998a7893c2c182c972406067eaf913364484a1fa824133d71ef54f
ModiLoader
d54847c7831d92a014c603f004d75828da72ed8f9d270a18023706f1bb375415
ModiLoader
e95f01bbde0fbd70670b820b972768e7fc5f23509495c805ddbc3271030f443c
ModiLoader
+ 3'061 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:modiloader persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/201128-2m73prlj4s/
Behaviour
Modifies Internet Explorer settings
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
ModiLoader, DBatLoader
Malware Config
C2 Extraction:
http://www.joomlas123.info/3nop/
Unpacked files
SH256 hash:
2446476e9008d7e3c9f908680c22794aad6c26605536ec0cb428b33c99f72be3
MD5 hash:
99a04fddbcdadcc10efa80d863d96d30
SHA1 hash:
7e92abbe31847d455d69b4da443ef01d958b4706
Link:
https://www.unpac.me/results/f77e1e83-9a8e-4586-9f40-ae34b47bbafd/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

zip b3638e9009fd0e4ec944fc9a2ece973a13d840f009df1d26a03d5698d7a4b4a7

ModiLoader

Executable exe 2446476e9008d7e3c9f908680c22794aad6c26605536ec0cb428b33c99f72be3

(this sample)

  
Dropped by
MD5 8510a1217a3a28898e311e6c01d36b95
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/105874/
  
Dropped by
SHA256 b3638e9009fd0e4ec944fc9a2ece973a13d840f009df1d26a03d5698d7a4b4a7

Comments