MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 468b77efe300982f7d66273755f5df429820d85b1bf7cc6e7be772a03b193dbb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 468b77efe300982f7d66273755f5df429820d85b1bf7cc6e7be772a03b193dbb
SHA3-384 hash: a85343402b59b27cd64b8292c94f94240bf2e1eb3df477537ff182824dcdf4ae4d990d34464d57d2e267312266b9aa19
SHA1 hash: 5ecaa6699dc425ec64a124a2e6e181168c8bb075
MD5 hash: e82995688a271241a06ef1a65afd07c7
humanhash: alabama-early-lake-vegan
File name:Quotation.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:931'328 bytes
First seen:2022-07-18 10:04:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d032dd22763347b8e35a8054190593b4 (5 x ModiLoader, 3 x RemcosRAT, 1 x Formbook)
ssdeep 24576:m/lJKxUEzLCgaSbKKeSTtVSn52pAf2rDNtl2aCHX:m/lJOCOWsSn52KN
Threatray 18'089 similar samples on MalwareBazaar
TLSH T102158D23E2B1DD32D162163E4C6776669E3D7F002A24F85A2BE93E4C6EF4341A8153D7
TrID 84.1% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
4.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.1% (.SCR) Windows screen saver (13101/52/3)
2.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 27d0d8d6d6d8d023 (11 x RemcosRAT, 6 x DBatLoader, 5 x ModiLoader)
Reporter madjack_red
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
276
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/291549/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.17027.27854.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching the process to interact with network services
Launching a process
Using the Windows Management Instrumentation requests
Reading critical registry keys
Setting browser functions hooks
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger obfuscated packed
Link:
https://www.filescan.io/uploads/62d530590e298a94f3d93a27/reports/ff2a64e1-9cbf-4ca7-aa28-f43cebc55739/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/be8cc0fa-b7d7-4229-8a2f-bcc3e877f5f3
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1035649
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Yara detected FormBook
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 668144 Sample: Quotation.exe Startdate: 18/07/2022 Architecture: WINDOWS Score: 100 51 Multi AV Scanner detection for domain / URL 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Antivirus detection for URL or domain 2->55 57 6 other signatures 2->57 9 Quotation.exe 1 21 2->9         started        process3 dnsIp4 49 mkdvesti.com 213.136.93.169, 443, 49741, 49745 CONTABODE Germany 9->49 39 C:\Users\Public\Libraries\Oxmxgj.exe, PE32 9->39 dropped 41 C:\Users\Public\Libraries\OxmxgjO.bat, ASCII 9->41 dropped 43 C:\Users\...\Oxmxgj.exe:Zone.Identifier, ASCII 9->43 dropped 69 Modifies the context of a thread in another process (thread injection) 9->69 71 Maps a DLL or memory area into another process 9->71 73 Sample uses process hollowing technique 9->73 75 2 other signatures 9->75 14 explorer.exe 2 9->14 injected 17 cmd.exe 1 9->17         started        file5 signatures6 process7 signatures8 77 Uses netstat to query active network connections and open ports 14->77 19 Oxmxgj.exe 13 14->19         started        23 Oxmxgj.exe 14 14->23         started        25 cscript.exe 14->25         started        31 3 other processes 14->31 27 cmd.exe 1 17->27         started        29 conhost.exe 17->29         started        process9 dnsIp10 45 mkdvesti.com 19->45 59 Multi AV Scanner detection for dropped file 19->59 61 Modifies the context of a thread in another process (thread injection) 19->61 63 Maps a DLL or memory area into another process 19->63 47 mkdvesti.com 23->47 65 Sample uses process hollowing technique 23->65 67 Tries to detect virtualization through RDTSC time measurements 25->67 33 cmd.exe 1 25->33         started        35 conhost.exe 27->35         started        signatures11 process12 process13 37 conhost.exe 33->37         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/468b77efe300982f7d66273755f5df429820d85b1bf7cc6e7be772a03b193dbb/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-07-18 04:20:04 UTC
File Type:
PE (Exe)
Extracted files:
41
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i2fxp37dacmc67lge43vl5o7ikmcbwc3dp34y3t345zkaoyzhw5q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
19364abe28c03c6d69f26c105546b9ff360900b613f06e3fe28c35365c3c6bb1
ModiLoader
28553a815377abf1848c9f84e528e6115969744b4d735e2e0cab9e4ed919a23d
ModiLoader
7e98adbd789e5f62288e3784bb613e332642f2ac533ad873b5744c7a3d2afc16
ModiLoader
a6cea446b135529f57315da655e5329e267f80a67940edbf949196536b212c5b
ModiLoader
b0719b23f521e380ea76a06aaee77d34b506ef96890542072101950ccffeac32
ModiLoader
bc89bbfbb6a41a488a2ad9a1a55be9ba28b1ff3501a4d22072ead32b121836c9
ModiLoader
be0eb1bf95016367e097709002bfb12c31419a9d9214f5a743d61fec0869e94b
ModiLoader
d080a745b7938d247a21fe80650dd1e392eb37326882536a111a16acb6b49082
ModiLoader
e6507a30dc00cd8ec7b0b945c3549bcb313352e6443560394d136cb59486598e
ModiLoader
+ 18'079 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:modiloader campaign:g2fg persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220718-l4hpascddm/
Behaviour
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Formbook payload
ModiLoader Second Stage
Formbook
ModiLoader, DBatLoader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
e5cee39f56c43d207f40862077d5b015e62929ff21f9de4e45c3b958c8947770
MD5 hash:
0de7dbbda445e257c9169774b9a8000b
SHA1 hash:
23ab78a6fdd513f2b3877efc92a71fe7d44db0db
Link:
https://www.unpac.me/results/e1c18166-04c8-4552-9630-6a82f94c764f/
SH256 hash:
468b77efe300982f7d66273755f5df429820d85b1bf7cc6e7be772a03b193dbb
MD5 hash:
e82995688a271241a06ef1a65afd07c7
SHA1 hash:
5ecaa6699dc425ec64a124a2e6e181168c8bb075
Link:
https://www.unpac.me/results/e1c18166-04c8-4552-9630-6a82f94c764f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/468b77efe300982f7d66273755f5df429820d85b1bf7cc6e7be772a03b193dbb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/291549/

Comments