MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4273b1d1ede5642d214be245fd041250539f7f34779737c37856f602491948f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4273b1d1ede5642d214be245fd041250539f7f34779737c37856f602491948f5
SHA3-384 hash: c76190a40e562e3bcf33f25e147d707db778610d988a6ea43305df8668c61bcd2f1072da813d0ab16c111a008e377bb1
SHA1 hash: 766a285c56ffbcf79af8b11e300152c0497d8805
MD5 hash: dac4014986cd160a5c767e1f9d144c20
humanhash: bacon-lamp-moon-earth
File name:RFQ for TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:884'080 bytes
First seen:2020-11-17 07:12:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0d6c86ca38148590f533171d6689371c (2 x ModiLoader)
ssdeep 12288:jtw2c/JLaTBRUkw+RzdlggbucO5LQuyk7XLzcHGzWf/eaEraQlKaG:jtwXVaTU9+6fcCEg4mz9ragKX
Threatray 2'940 similar samples on MalwareBazaar
TLSH 9B159F13A7514C37D16219389C5B8EB89925BF003938FDC63AE43E7C4E35291B9BA1B7
Reporter fabjer
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
104
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Launching the default Windows debugger (dwwin.exe)
Result
Gathering data
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/539091
Signature
Detected FormBook malware
Detected unpacking (changes PE section rights)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Steal Google chrome login data
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses netstat to query active network connections and open ports
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 318640 Sample: RFQ for TRANS ANATOLIAN NAT... Startdate: 17/11/2020 Architecture: WINDOWS Score: 100 71 Malicious sample detected (through community Yara rule) 2->71 73 Multi AV Scanner detection for submitted file 2->73 75 Sigma detected: Steal Google chrome login data 2->75 77 5 other signatures 2->77 10 RFQ for TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe 1 16 2->10         started        process3 dnsIp4 55 cdn.discordapp.com 162.159.133.233, 443, 49713 CLOUDFLARENETUS United States 10->55 57 discord.com 162.159.138.232, 443, 49712 CLOUDFLARENETUS United States 10->57 49 C:\Users\user\AppData\Local\...\Yedmdrv.exe, PE32 10->49 dropped 107 Injects a PE file into a foreign processes 10->107 15 RFQ for TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe 10->15         started        file5 signatures6 process7 signatures8 109 Modifies the context of a thread in another process (thread injection) 15->109 111 Maps a DLL or memory area into another process 15->111 113 Sample uses process hollowing technique 15->113 115 Queues an APC in another process (thread injection) 15->115 18 explorer.exe 4 15->18 injected process9 dnsIp10 51 www.surptalb.xyz 162.0.238.241, 49749, 49750, 49751 NAMECHEAP-NETUS Canada 18->51 53 www.dombeograd.com 93.188.2.53, 49752, 49753, 49754 LOOPIASE Sweden 18->53 87 System process connects to network (likely due to code injection or exploit) 18->87 22 help.exe 18 18->22         started        26 Yedmdrv.exe 14 18->26         started        29 Yedmdrv.exe 13 18->29         started        31 2 other processes 18->31 signatures11 process12 dnsIp13 45 C:\Users\user\AppData\...\-1Alogrv.ini, data 22->45 dropped 47 C:\Users\user\AppData\...\-1Alogri.ini, data 22->47 dropped 89 Detected FormBook malware 22->89 91 Tries to steal Mail credentials (via file access) 22->91 93 Tries to harvest and steal browser information (history, passwords, etc) 22->93 105 2 other signatures 22->105 33 cmd.exe 2 22->33         started        59 162.159.128.233, 443, 49724, 49729 CLOUDFLARENETUS United States 26->59 61 162.159.135.233, 443, 49725, 49730 CLOUDFLARENETUS United States 26->61 69 2 other IPs or domains 26->69 95 Multi AV Scanner detection for dropped file 26->95 97 Detected unpacking (changes PE section rights) 26->97 99 Machine Learning detection for dropped file 26->99 37 Yedmdrv.exe 26->37         started        63 192.168.2.1 unknown unknown 29->63 65 discord.com 29->65 67 cdn.discordapp.com 29->67 101 Injects a PE file into a foreign processes 29->101 39 Yedmdrv.exe 29->39         started        103 Tries to detect virtualization through RDTSC time measurements 31->103 file14 signatures15 process16 file17 43 C:\Users\user\AppData\Local\Temp\DB1, SQLite 33->43 dropped 79 Tries to harvest and steal browser information (history, passwords, etc) 33->79 41 conhost.exe 33->41         started        81 Modifies the context of a thread in another process (thread injection) 37->81 83 Maps a DLL or memory area into another process 37->83 85 Sample uses process hollowing technique 37->85 signatures18 process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4273b1d1ede5642d214be245fd041250539f7f34779737c37856f602491948f5/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-11-17 06:13:54 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ijz3dupn4vsc2ikl4jc72baskbjz67zuo6ltpq3yk33aesizjd2q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
netwirerc
Create hunting rule
Similar samples:
176b6a4f321a046262569c7e6302f9cd734282399645f8b13538489f5183a617
ModiLoader
2bafe7b4f77916d7ca905d9d46453d27e090b85ba065f4892a886abdc8e51863
ModiLoader
2fe26662d53b976914fd7bd9fbb589f5bd4114f47753c9437593b29fcd04c236
ModiLoader
867ec49152a23a8e5ea628a48ec1810db588a716b922e6d1c8e7c45116908d24
ModiLoader
9ed73237c4de3ed96e8d90f4d94dcbb46bf7c947961e40601852b8bad6c03f52
ModiLoader
a244a77f990bdec5f4f81d605990749206b6e5827e4bc140b9b4b2fbfdb0bb12
ModiLoader
c8cd524c89b904ad199b97a7740a9928abd939107904bb29150cdfd98f0f7404
ModiLoader
d325c45529e7211242f65cabe3549dd635a23fc43b48c2b2a64ccff8d54c1ee2
ModiLoader
e5a94739fb1f6d7a06f6b9eb529037c9ab0d59be424d4b99c63651360d7ded3f
ModiLoader
ef4c04da2b5fe6ce33597d1dbe44a8b84b156cb1bd03b3a3f8d8c9dabede075b
ModiLoader
+ 2'930 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:modiloader persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/201117-ferehvfzpn/
Behaviour
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Formbook Payload
ModiLoader First Stage
Formbook
ModiLoader, DBatLoader
Malware Config
C2 Extraction:
http://www.hansonkx.xyz/mkv/
Unpacked files
SH256 hash:
aec1f6cf2612c09d78332e68bdd8f2d6b06791a2fefea0641e893fb58b76ef84
MD5 hash:
c7ea1527ed0a35d602ba25eb18e819a6
SHA1 hash:
6960a9bfa7faa389d4323d8cca7dbc81cff7ff3e
Link:
https://www.unpac.me/results/08c6f56e-eee3-4ed2-9c2d-268b9c443c77/
SH256 hash:
ad138529d4293dbfe874960f9881541ce2841b9ce98a065b9323990f6564410e
MD5 hash:
fc7437c1499410cd05b01a801beff7ce
SHA1 hash:
cf2a6213cda2d2d5a796ee5b7a986ae74ca36964
Link:
https://www.unpac.me/results/08c6f56e-eee3-4ed2-9c2d-268b9c443c77/
SH256 hash:
4273b1d1ede5642d214be245fd041250539f7f34779737c37856f602491948f5
MD5 hash:
dac4014986cd160a5c767e1f9d144c20
SHA1 hash:
766a285c56ffbcf79af8b11e300152c0497d8805
Link:
https://www.unpac.me/results/08c6f56e-eee3-4ed2-9c2d-268b9c443c77/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

Executable exe b3aaa25577ded32ea0f2f4460bc5666cd4e83c607c7ddc725500bef96886c491

ModiLoader

Executable exe 4273b1d1ede5642d214be245fd041250539f7f34779737c37856f602491948f5

(this sample)

  
Dropped by
SHA256 b3aaa25577ded32ea0f2f4460bc5666cd4e83c607c7ddc725500bef96886c491
  
Delivery method
Distributed via e-mail attachment

Comments