MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2467572968320c67ea46c765d9cdae94d3887e44d7af7e29b88f1b0e51fa4c01. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2467572968320c67ea46c765d9cdae94d3887e44d7af7e29b88f1b0e51fa4c01
SHA3-384 hash: d922798865b9971d775d231f9f080c21ab502cf372e197220294774918ae0d39ef4d37af972f7f1e9e5a625970ba9f30
SHA1 hash: 3abd3e16b8f28337201d5ab51c5a5b94eba51f40
MD5 hash: 9815a4eeaf97076ed028f1000e70a67a
humanhash: aspen-cardinal-foxtrot-shade
File name:Vzukyqw_Signed_.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:638'105 bytes
First seen:2020-09-07 14:05:28 UTC
Last seen:2020-09-07 14:46:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fa339d4536904c90f3024a2c0e1044af (1 x ModiLoader)
ssdeep 12288:J51NydkpqqcArx0I4zE9ayRNIA/kMGXVI7ZwnDGmDQgX40:J1o4BL4iDZ8b+ZmCcQgI0
TLSH F4D49E22B2D1803BC2A31B349C6BA7559825BF502A1C7C7A67F82D4C5F793913A1D1BF
Reporter James_inthe_box
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/57708/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Launching cmd.exe command interpreter
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Forced shutdown of a system process
Unauthorized injection to a system process
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2467572968320c67ea46c765d9cdae94d3887e44d7af7e29b88f1b0e51fa4c01/
Threat name:
Win32.Trojan.Injects
Create hunting rule
Status:
Malicious
First seen:
2020-09-07 08:35:58 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ertvokligiggp2sgy5s5ttnostjyq7se26xx4knyr4nq4up2jqaq._file
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan family:modiloader spyware stealer family:formbook
Link:
https://tria.ge/reports/200907-84c9aakfdn/
Behaviour
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Formbook Payload
ModiLoader First Stage
ModiLoader Second Stage
Formbook
ModiLoader, DBatLoader
Malware Config
C2 Extraction:
http://www.drayo.xyz/ksh/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2467572968320c67ea46c765d9cdae94d3887e44d7af7e29b88f1b0e51fa4c01

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/57708/

Comments