MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a5f33710715ce37a266d1848db4599be8ede6fe3f1070aa49b3bcca352f3f46. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4a5f33710715ce37a266d1848db4599be8ede6fe3f1070aa49b3bcca352f3f46
SHA3-384 hash: 2c63f016a26f30604916406ca60d8190eef1a6330d8849f807f92da4bbac8a66435c24acdc08d463937c5797c68348f0
SHA1 hash: 3084a0d410b1b1ee0bc5a5308a8f65124b574e56
MD5 hash: 386a65d6fb3e5a13d690c20474e6c342
humanhash: romeo-jig-uranus-violet
File name:Invo458_Signed_.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'180'328 bytes
First seen:2020-08-05 11:43:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 55dd9dedcfe5ef6fe0004f7185f32bb2 (7 x ModiLoader)
ssdeep 24576:2Jfdkxzf7b6jiwhVZcYNM7yXBpCjoGuQzmPR:2FSqc5uQz8
Threatray 5'245 similar samples on MalwareBazaar
TLSH AB45CF23B2A28871C115957DCE1782AE7E75BC617544269F27E0FD0CDE3AEC0792B0A7
Reporter abuse_ch
Tags:exe ModiLoader


Avatar
abuse_ch
Malspam distributing ModiLoader:

HELO: poydorus.t.mk
Sending IP: 195.26.152.36
From: beti.kalkulacii@tinex.com.mk <beti.kalkulacii@tinex.com.mk>
Subject: Payment authorisation notification
Attachment: Invo458_Signed_.zip (contains "Invo458_Signed_.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/39478/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Launching cmd.exe command interpreter
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Setting a single autorun event
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/411031
Signature
Detected FormBook malware
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected FormBook
Yara detected Keylogger Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 257811 Sample: Invo458_Signed_.exe Startdate: 05/08/2020 Architecture: WINDOWS Score: 100 66 Malicious sample detected (through community Yara rule) 2->66 68 Yara detected FormBook 2->68 70 Machine Learning detection for sample 2->70 72 2 other signatures 2->72 7 Invo458_Signed_.exe 1 2 2->7         started        process3 dnsIp4 42 cdn.discordapp.com 162.159.130.233, 443, 49739 CLOUDFLARENETUS United States 7->42 26 C:\Users\user\AppData\Local\Xwxlsec.exe, PE32 7->26 dropped 74 Modifies the context of a thread in another process (thread injection) 7->74 76 Maps a DLL or memory area into another process 7->76 78 Sample uses process hollowing technique 7->78 80 2 other signatures 7->80 12 explorer.exe 4 7->12 injected file5 signatures6 process7 dnsIp8 44 www.ytjulin.com 12->44 46 www.texasgatekeepers.com 12->46 48 www.storage-files-archive.win 12->48 15 WWAHost.exe 17 12->15         started        19 Xwxlsec.exe 12->19         started        22 Xwxlsec.exe 12->22         started        24 2 other processes 12->24 process9 dnsIp10 28 C:\Users\user\AppData\...\JP2logrv.ini, data 15->28 dropped 30 C:\Users\user\AppData\...\JP2logri.ini, data 15->30 dropped 50 Detected FormBook malware 15->50 52 Tries to steal Mail credentials (via file access) 15->52 54 Tries to harvest and steal browser information (history, passwords, etc) 15->54 32 162.159.133.233, 443, 49743 CLOUDFLARENETUS United States 19->32 34 cdn.discordapp.com 19->34 56 Machine Learning detection for dropped file 19->56 58 Modifies the context of a thread in another process (thread injection) 19->58 60 Maps a DLL or memory area into another process 19->60 36 162.159.129.233, 443, 49745 CLOUDFLARENETUS United States 22->36 38 192.168.2.1 unknown unknown 22->38 40 cdn.discordapp.com 22->40 62 Sample uses process hollowing technique 22->62 64 Tries to detect virtualization through RDTSC time measurements 24->64 file11 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4a5f33710715ce37a266d1848db4599be8ede6fe3f1070aa49b3bcca352f3f46/
Threat name:
Win32.Backdoor.Rescoms
Create hunting rule
Status:
Malicious
First seen:
2020-08-05 10:11:11 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jjptg4ihcxhdpitg2gci3ncztpuo3zx6h4ihbksjwo6munjph5da._file
Verdict:
malicious
Similar samples:
172842029f8937753e79843e36fcb4715c0f3a9de4b256585847df48caf8e10f
ModiLoader
27cbd2139f326adf45adefa425f7295af578ac5d9ecceab36da74c5af53def1f
ModiLoader
30efd997c49aae97766539c72d72529b06f1e8522ea84e71758cde4ed1846921
ModiLoader
3e98d7f59e495ddfa5140a50f70347bb4a56296ca2dcb6602f65ebb4e4a0373b
ModiLoader
4a6187dd467be22cbd3eab6807d368c37535c488af22442498423da8124f35fa
ModiLoader
5f6ecbe9757644eb46ceaef0b9e8354e63bab83b29bf47f4812c84beb08acb4f
ModiLoader
846da150185354155686d4f5d45ed5d0791cb8a97769e73e38a33c4d43c75db3
ModiLoader
9bf2e6afa0656c8129746c95784146ba85f15ecf46081644192e5bbfd5899144
ModiLoader
9daa8e87928b88143b9482b989764524754c86d142027ccaad1fc452f52c1765
ModiLoader
d7083f1007834bbc16f0b6d2ee0e1e2b9e79a04af2a2e21f2d2682c9dff939eb
ModiLoader
+ 5'235 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat spyware trojan stealer family:formbook persistence
Link:
https://tria.ge/reports/200805-jsj4f81ane/
Behaviour
Suspicious use of SendNotifyMessage
Script User-Agent
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Formbook Payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4a5f33710715ce37a266d1848db4599be8ede6fe3f1070aa49b3bcca352f3f46

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_dbatloader_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

zip c02f34dcea29e7a3b6901cd3e745fbae79e2ab45db6ba28569a5d3994aedde8c

ModiLoader

Executable exe 4a5f33710715ce37a266d1848db4599be8ede6fe3f1070aa49b3bcca352f3f46

(this sample)

  
Dropped by
MD5 7272844cb5b923da6bd4388d739d0b9e
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/39478/
  
Dropped by
SHA256 c02f34dcea29e7a3b6901cd3e745fbae79e2ab45db6ba28569a5d3994aedde8c

Comments