MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 268725b4599bf8e1e30e7743cc6dece666f20bd6e7522effb152365765ad8564. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 268725b4599bf8e1e30e7743cc6dece666f20bd6e7522effb152365765ad8564
SHA3-384 hash: 29a58c9ce4a8fd85f33a694194e39670aa160ea3025892970865348730aeae8aa5319c5dcc7059023fbaaebcba45086b
SHA1 hash: d96ee7d872ba14387c78c4c1be39a65f489d7014
MD5 hash: 4819f4e997b99896c4d3a2813d6b3525
humanhash: venus-king-crazy-papa
File name:4819f4e997b99896c4d3a2813d6b3525.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'035'968 bytes
First seen:2020-12-11 20:42:43 UTC
Last seen:2020-12-11 22:34:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7368c626847445faf02cc99e41969dbb (1 x ModiLoader)
ssdeep 12288:cDc747fWx4cKYYmrvK+Sv8EX25eBflBJvE7th/H8T2i+x2+irGpUFvsZTAT:cdT/cKYNr+UgflBhE7D/cX+2hu0+C
Threatray 256 similar samples on MalwareBazaar
TLSH 6125BFE3F1E0403AF13156B49E4B5679B829EE046E9EE8451BFA2E4C4F3C6C2781B547
Reporter abuse_ch
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
313
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/107775/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Launching the default Windows debugger (dwwin.exe)
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/561433
Signature
Multi AV Scanner detection for submitted file
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 329804 Sample: aPe6wtn4Y8.exe Startdate: 13/12/2020 Architecture: WINDOWS Score: 56 29 Multi AV Scanner detection for submitted file 2->29 31 Uses schtasks.exe or at.exe to add and modify task schedules 2->31 7 aPe6wtn4Y8.exe 16 2->7         started        process3 dnsIp4 23 cdn.discordapp.com 162.159.135.233, 443, 49721 CLOUDFLARENETUS United States 7->23 25 discord.com 162.159.137.232, 443, 49720 CLOUDFLARENETUS United States 7->25 27 192.168.2.1 unknown unknown 7->27 10 cmd.exe 1 7->10         started        13 ieinstal.exe 7->13         started        process5 signatures6 33 Uses cmd line tools excessively to alter registry or file data 10->33 15 conhost.exe 10->15         started        17 reg.exe 1 1 10->17         started        19 schtasks.exe 1 10->19         started        21 2 other processes 10->21 process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/268725b4599bf8e1e30e7743cc6dece666f20bd6e7522effb152365765ad8564/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-12-11 20:43:05 UTC
AV detection:
21 of 48 (43.75%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e2dslncztp4odyyoo5b4y3pm4ztpec6w45jc575rki3foznnqvsa._file
Verdict:
malicious
Similar samples:
2e7e018ee5838bf8450f343923ba4ce6c1282ed1b727fc4ab5cbe69b6204fca2
ModiLoader
2fb4862367a755e48fdc223af9a1324ba792d3ac05f36125c3e39886505afa09
ModiLoader
56a571913ec8c7c4e9c936ac2625f36478147528542a2e291d6ad2cc4a7aab58
ModiLoader
5fb4f85646ca28a28ebcbdf6abc944530a57222c7c57b90538a3fb1e436632d5
ModiLoader
8d604d5419d217ecd6a9d5b4917e441069b433c8429323600a18b36df608f751
ModiLoader
b28f4495e2cda5a5fef0408701a136d820c7cf2e7a45dd101e70b31458e31530
ModiLoader
b342e43b58105e3bd31bf61e0042f9c79cb3d2b34cae4b4496c764a980da1e13
ModiLoader
bea787acfc0effd615ab72ab1be2d18bb7b1eb07bed15b013bdbbf3c61b5fd86
ModiLoader
c0442a7a63a5291b747e22a8e0eabe4abe3e344e6fbc3e4f1a0465895a29b5b2
ModiLoader
d8ab8eb6d9e9fdb54f5d72254eafb2732342f8883ee96749bb8615ca196963bb
ModiLoader
+ 246 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:modiloader family:xloader loader persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/201211-blztena62j/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Adds Run key to start application
Adds policy Run key to start application
Xloader Payload
Formbook
Xloader
ModiLoader, DBatLoader
Malware Config
C2 Extraction:
http://www.switchtoambitwithmirtha.com/jskg/
Unpacked files
SH256 hash:
268725b4599bf8e1e30e7743cc6dece666f20bd6e7522effb152365765ad8564
MD5 hash:
4819f4e997b99896c4d3a2813d6b3525
SHA1 hash:
d96ee7d872ba14387c78c4c1be39a65f489d7014
Link:
https://www.unpac.me/results/3530e047-0a27-4f5f-8794-b9212b7e6548/
SH256 hash:
47119a6a0a413fe0499467c722bc0750c3cbac2a2ff6038d7fca38e863bf0940
MD5 hash:
b55da094b26a69c46c34383676f5500a
SHA1 hash:
ae5351e2f29fffeced36c6891deae90a3fe24030
Link:
https://www.unpac.me/results/3530e047-0a27-4f5f-8794-b9212b7e6548/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/268725b4599bf8e1e30e7743cc6dece666f20bd6e7522effb152365765ad8564

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ModiLoader

Executable exe 268725b4599bf8e1e30e7743cc6dece666f20bd6e7522effb152365765ad8564

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/898216/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/107775/

Comments