MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c02e09cd54775bce77b8168dcea023a40f510127ff3ca5cae5557a82597b48f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 15


Intelligence 15 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3c02e09cd54775bce77b8168dcea023a40f510127ff3ca5cae5557a82597b48f
SHA3-384 hash: 951beedbcd7f100688bf132d3337ff68e174f44adf9eee829178f12ab4198bc2b47ec660cf919fdb20122548941ee4c2
SHA1 hash: 3392435e6c3001174b48042da6a511d2f8b45bbc
MD5 hash: f4a22575b07f7b4f54d2e2feda6a2717
humanhash: bluebird-lithium-pasta-mississippi
File name:Gqzfnpjnobzwyu.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:761'856 bytes
First seen:2023-08-15 10:38:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ea5ae0eb30ecb2270f4a40ff7bdfb891 (3 x ModiLoader)
ssdeep 12288:HHLE4rSOHgTxpMrC2zR4othaTEU+rxFVOt3FYe64QPIOhO1CYuhP:HrKOANKrCzaaT4VuVNQIOhO1UhP
Threatray 3'470 similar samples on MalwareBazaar
TLSH T1A5F49D2AB3E07473D4E6237C8C5787B89816BE662F58B1897BD3390CDB7558034293A7
TrID 84.9% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
4.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.2% (.SCR) Windows screen saver (13097/50/3)
2.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 74e0c4d0d4d2d0d4 (3 x ModiLoader)
Reporter TeamDreier
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
276
Origin country :
DK DK
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Gqzfnpjnobzwyu.exe
Verdict:
Malicious activity
Analysis date:
2023-08-15 10:42:48 UTC
Tags:
dbatloader formbook xloader stealer spyware
Link:
https://app.any.run/tasks/7f77ee8c-b956-46b0-8776-3f1dc3c8f31f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/442754/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader45.65183.28425.18884.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Searching for synchronization primitives
Launching cmd.exe command interpreter
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/102871/overview
Behaviour
MalwareBazaar
CheckCmdLine
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/3c02e09cd54775bce77b8168dcea023a40f510127ff3ca5cae5557a82597b48f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dbatloader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/efec18b2-c220-4ff4-9d96-929d3bea4c53
Result
Threat name:
DBatLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1291343
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1291343 Sample: Gqzfnpjnobzwyu.exe Startdate: 15/08/2023 Architecture: WINDOWS Score: 100 31 www.uschargeport.com 2->31 33 www.tajniezdrzi.quest 2->33 35 33 other IPs or domains 2->35 55 Snort IDS alert for network traffic 2->55 57 Multi AV Scanner detection for domain / URL 2->57 59 Found malware configuration 2->59 63 7 other signatures 2->63 10 Gqzfnpjnobzwyu.exe 1 2 2->10         started        signatures3 61 Tries to resolve many domain names, but no domain seems valid 33->61 process4 file5 29 C:\Users\Public\Librariesbehaviorgraphqzfnpjn.PIF, PE32 10->29 dropped 65 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 10->65 67 Drops PE files with a suspicious file extension 10->67 69 Modifies the context of a thread in another process (thread injection) 10->69 71 4 other signatures 10->71 14 explorer.exe 18 6 10->14 injected signatures6 process7 dnsIp8 37 192.229.221.95, 80 EDGECASTUS United States 14->37 39 xin3.zhanghonghong.com 122.10.111.133, 49773, 80 ULAN-NETWORK-LIMITEDULanNetworkLimitedHK Hong Kong 14->39 41 10 other IPs or domains 14->41 73 System process connects to network (likely due to code injection or exploit) 14->73 18 Gqzfnpjn.PIF 14->18         started        21 rundll32.exe 14->21         started        23 Gqzfnpjn.PIF 14->23         started        signatures9 75 Tries to resolve many domain names, but no domain seems valid 37->75 process10 signatures11 43 Multi AV Scanner detection for dropped file 18->43 45 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 18->45 47 Machine Learning detection for dropped file 18->47 49 Modifies the context of a thread in another process (thread injection) 21->49 51 Maps a DLL or memory area into another process 21->51 53 Tries to detect virtualization through RDTSC time measurements 21->53 25 cmd.exe 1 21->25         started        process12 process13 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3c02e09cd54775bce77b8168dcea023a40f510127ff3ca5cae5557a82597b48f/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-08-14 05:58:31 UTC
File Type:
PE (Exe)
Extracted files:
25
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hqbobhgvi523zz33qfunz2qchjapkeasp7z4uxfokvl2qjmxwshq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
35c2ee1406834ee537a4c945e4755f53272d46241402e96c77d0deb505c9e52b
ModiLoader
3bfaaf7436f93dff822a8c0f81f2e805f1c6855da29e1ee3ddd6d18c04744ae8
ModiLoader
96bde9151480b20318275c2c0e045dc13486a76cf81465e4e02ad97cf37140b0
ModiLoader
99cd4e51fb0f2d9ba76ee4d12afd5c3cd096f0c390ecf657ea3a3d78158451ef
ModiLoader
bec4ef3573fb041d4a688c353f4682186f2bfe3918e9add4b9c5ceda5ec2627c
ModiLoader
c4ec6438a210e79f2a9404833a59fa0ecf9bfe9c27e0e31ef84ee0b65a81a83c
ModiLoader
e4a8a88bffaf744487df4bfd56f975542f59efb4aabe037f2ce5baea61875f98
ModiLoader
+ 3'460 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:xloader campaign:euv4 loader persistence rat trojan
Link:
https://tria.ge/reports/230815-mpyyeacb9w/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
ModiLoader Second Stage
Xloader payload
ModiLoader, DBatLoader
Xloader
Unpacked files
SH256 hash:
3c02e09cd54775bce77b8168dcea023a40f510127ff3ca5cae5557a82597b48f
MD5 hash:
f4a22575b07f7b4f54d2e2feda6a2717
SHA1 hash:
3392435e6c3001174b48042da6a511d2f8b45bbc
Detections:
DbatLoaderStage1
Create hunting rule
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/18ea475a-b6fb-402b-a413-fc7fed909ac4/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3c02e09cd547/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:CMD_Ping_Localhost
Create hunting rule
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MALWARE_Win_ModiLoader
Create hunting rule
Author:ditekSHen
Description:Detects ModiLoader
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:without_attachments
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the no presence of any attachment
Reference:http://laboratorio.blogs.hispasec.com/
Rule name:without_urls
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the no presence of any url
Reference:http://laboratorio.blogs.hispasec.com/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

Executable exe 3c02e09cd54775bce77b8168dcea023a40f510127ff3ca5cae5557a82597b48f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/442754/

Comments