MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d11cc329c2e378d5a0f9c1032d01a9fc1f82a8d31fae79e851d05b87dca6563. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4d11cc329c2e378d5a0f9c1032d01a9fc1f82a8d31fae79e851d05b87dca6563
SHA3-384 hash: 075d257c4f3a4eb3503a1fe51ffbbd93c9700303f5c078cb16ef9f4ae40ff9a08f25a07693ce8c19b94291ebca10f50d
SHA1 hash: a1abd081ee5a7d924fe73cc7c816a8cef573193a
MD5 hash: 637c1221c318964963ddef6961e73c42
humanhash: oxygen-sad-connecticut-mountain
File name:220712649_220712192507.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'052'160 bytes
First seen:2022-07-18 08:14:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6a102166317d313ef57572741259ca4a (6 x RemcosRAT, 1 x Formbook, 1 x ModiLoader)
ssdeep 24576:YkH9czoiliazNQtMTMO3Yu0POdX0ofjkRo:Ykdq6yXhL7
Threatray 16'031 similar samples on MalwareBazaar
TLSH T188255B52F2B1CC33C527EA774C16B3A94E2D7E117E29B94E7AE43E0D1E366803925187
TrID 92.5% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
1.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.8% (.SCR) Windows screen saver (13101/52/3)
1.4% (.EXE) Win64 Executable (generic) (10523/12/4)
0.6% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 27d0d8d6d6d8d027 (11 x RemcosRAT, 5 x Formbook, 5 x DBatLoader)
Reporter adrian__luca
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
255
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/291510/
Detection(s):
SecuriteInfo.com.W32.Delf.RI.genEldorado.25950.9010.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Reading critical registry keys
Creating a file in the %temp% directory
Searching for the window
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Sending an HTTP GET request
Creating a file
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/26597/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook keylogger remcos wacatac
Link:
https://www.filescan.io/uploads/62d516c8ef2b0e63a821a386/reports/99754f3e-f407-4fa1-9415-9a6c089581ed/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4c89708e-94c3-4ff3-ae97-5f105255a06e
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1035622
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Uses netstat to query active network connections and open ports
Writes to foreign memory regions
Yara detected FormBook
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 668117 Sample: 220712649_220712192507.exe Startdate: 18/07/2022 Architecture: WINDOWS Score: 100 40 www.parkingfinancing.com 2->40 58 Snort IDS alert for network traffic 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 Antivirus detection for URL or domain 2->62 64 4 other signatures 2->64 9 220712649_220712192507.exe 1 16 2->9         started        14 Xdlgzw.exe 13 2->14         started        16 Xdlgzw.exe 13 2->16         started        signatures3 process4 dnsIp5 42 20.48.255.12, 49748, 49750, 49772 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 9->42 38 C:\Users\user\Contacts\Xdlgzw.exe, PE32 9->38 dropped 70 Writes to foreign memory regions 9->70 72 Allocates memory in foreign processes 9->72 74 Creates a thread in another existing process (thread injection) 9->74 18 logagent.exe 9->18         started        76 Multi AV Scanner detection for dropped file 14->76 78 Injects a PE file into a foreign processes 14->78 21 DpiScaling.exe 14->21         started        23 DpiScaling.exe 16->23         started        file6 signatures7 process8 signatures9 50 Modifies the context of a thread in another process (thread injection) 18->50 52 Maps a DLL or memory area into another process 18->52 54 Sample uses process hollowing technique 18->54 56 Queues an APC in another process (thread injection) 18->56 25 explorer.exe 18->25 injected process10 dnsIp11 44 www.lingerie-51803.com 185.53.179.92, 49810, 80 TEAMINTERNET-ASDE Germany 25->44 46 craftybabe.store 160.153.136.3, 49807, 80 GODADDY-AMSDE United States 25->46 48 4 other IPs or domains 25->48 66 System process connects to network (likely due to code injection or exploit) 25->66 68 Uses netstat to query active network connections and open ports 25->68 29 wscript.exe 25->29         started        32 cmmon32.exe 25->32         started        34 NETSTAT.EXE 25->34         started        36 2 other processes 25->36 signatures12 process13 signatures14 80 Modifies the context of a thread in another process (thread injection) 29->80 82 Maps a DLL or memory area into another process 29->82
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4d11cc329c2e378d5a0f9c1032d01a9fc1f82a8d31fae79e851d05b87dca6563/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-07-12 07:33:05 UTC
File Type:
PE (Exe)
Extracted files:
40
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jui4ymu4fy3y2wqptqidfua2t7a7qkungh5ophufduc3q7okmvrq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
19abd30bf9cb709307f9d1d1a2eda16d087dc4b699732841ea5a210aede0ebc4
ModiLoader
23d18a124c44e1f80a9eed03f108139f21a9cbfe060b36211bf21c6cf7213a16
ModiLoader
25349b2c8f2818db5174e1a60ca9c589ea76d90fd9422c9fb8d4f860caf9696a
ModiLoader
71d4416a94c93021b07c9f0dc6a2d388b39bf429b58546dd85944b5681b19de5
ModiLoader
a5e9d790b1d375e91942201622ac9cf4a02d168b9b91284468ce8347af562a3c
ModiLoader
a8542b82f30bd1f1ac0fad9da2d06c9c0ee63d4a5b2e02534b7cbf97be882c0a
ModiLoader
bcdb1cf55758eba1f5a2af93e137ce0bf004969e59419c576b2781f80659da55
ModiLoader
c8fc44d1f9bae45933ba95a20f0aebf0e69f8304ea11a4346e610dfacc8ce049
ModiLoader
f3fed1b0555a01cd3e481c2cd164f8cca01df0e461a0378fba8b7a1f53469a3d
ModiLoader
f6db3a2b3160b40742b164c6bbe0496368f4fc52d1a16757a49d023f5189b428
ModiLoader
+ 16'021 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/220718-j5kh6safc5/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
ModiLoader Second Stage
ModiLoader, DBatLoader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Unpacked files
SH256 hash:
dc0377ea26efeb8d3411b8a861a20c9fa07af02308075ed1a8a7b849980893f1
MD5 hash:
5bff59b56c06a281b66ef4e919ce560c
SHA1 hash:
d8b49405898da4060988afe98219d5b62e4e2a7a
Link:
https://www.unpac.me/results/f9daf5fa-c091-44bf-a84e-7eeb3c0471ca/
SH256 hash:
4d11cc329c2e378d5a0f9c1032d01a9fc1f82a8d31fae79e851d05b87dca6563
MD5 hash:
637c1221c318964963ddef6961e73c42
SHA1 hash:
a1abd081ee5a7d924fe73cc7c816a8cef573193a
Link:
https://www.unpac.me/results/f9daf5fa-c091-44bf-a84e-7eeb3c0471ca/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4d11cc329c2e378d5a0f9c1032d01a9fc1f82a8d31fae79e851d05b87dca6563

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

Executable exe 4d11cc329c2e378d5a0f9c1032d01a9fc1f82a8d31fae79e851d05b87dca6563

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/291510/

Comments