MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d39dfd975de3e9aca4e430390618b2e548db3f3d4bf2d0409f643be7da2a91e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ModiLoader

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	4d39dfd975de3e9aca4e430390618b2e548db3f3d4bf2d0409f643be7da2a91e
SHA3-384 hash:	04a05228cd49ca23d3fdb3c0e1d12aebec651331ada5d44b08304c468d87cceefdc07f35e4ec5e9d282bb33f0a303d82
SHA1 hash:	f4728d4c214b0282efc7d0779cd673d4b68e7da0
MD5 hash:	d7545487bde794de42b3a655f3664c8d
humanhash:	louisiana-mockingbird-tennessee-jig
File name:	MT103---USD42880.45---20201127--dbs--9900.exe
Download:	download sample
Signature	ModiLoader Create hunting rule
File size:	1'289'728 bytes
First seen:	2020-11-27 22:57:42 UTC
Last seen:	2020-12-10 08:26:38 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	c7f986b767e22dea5696886cb4d7da70 (5 x ModiLoader, 2 x RemcosRAT, 1 x AveMariaRAT)
ssdeep	24576:siLDfJXRq+fowpGG7By3Z72mwt8gKmX9hIbEIK:siLr5By3Z7NTgKA
Threatray	3'083 similar samples on MalwareBazaar
TLSH	1A55D023B1A28435C121A5BE9E1781FE2F75FD72799CB50E3BD0AD0C8E36980E9191D7
Reporter	James_inthe_box
Tags:	exe ModiLoader

Intelligence

File Origin

# of uploads :

# of downloads :

148

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/105854/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

DNS request

Sending a custom TCP request

Unauthorized injection to a recently created process

Launching a process

Launching cmd.exe command interpreter

Setting browser functions hooks

Unauthorized injection to a system process

Unauthorized injection to a browser process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/549701

Signature

Detected unpacking (changes PE section rights)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4d39dfd975de3e9aca4e430390618b2e548db3f3d4bf2d0409f643be7da2a91e/

Threat name:

Win32.Trojan.Ymacco

Status:

Malicious

First seen:

2020-11-27 22:56:57 UTC

File Type:

PE (Exe)

Extracted files:

101

AV detection:

24 of 28 (85.71%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ju457wlv3y7jvssoimbzaymlfzki3m7t2s7s2baj6zb347ncvepa._file

Verdict:

malicious

Label(s):

formbook

netwirerc

ModiLoader

4ba0d07d32c048141100317f95bd6dd8b791ba9c6608730b8408530490a13922

ModiLoader

5c1d2289de5b338620bb43ede89d6d7afcf86cc4d2b20db3a3f20e5579e925fe

ModiLoader

66c90051427f1fa801535028868a50ca3302392836ceaf8804c992e9f20dc372

ModiLoader

718d659864d771ebadf82d8b5461d39c2bd6bd514ea2d2273d2821a23ab28ed0

ModiLoader

76e0bf03767dfd6316810d96d2404daf16397a0ef3b90daf96ad67bc461209a8

ModiLoader

77707d4b60a7193c8c7e93d9c97dcd89513ef4ce1c8e19aa6780920c09e03c27

ModiLoader

787e10aed324cae24ab5136f95deb95efe8715a6bd7ced09028b2ee21d228a5e

ModiLoader

82c53ee74253581efe369c99373d6c978b3b9b799eb04de6c4eb59d2825e8ee2

ModiLoader

f4854fb409d136b74193144c50c888b36bbbbcde71b52acb5f8177a862ebd76c

ModiLoader

+ 3'073 additional samples on MalwareBazaar

Result

Malware family:

modiloader

Score:

10/10

Tags:

family:formbook family:modiloader rat spyware stealer trojan

Link:

https://tria.ge/reports/201127-vxq9gm4zyn/

Behaviour

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook Payload

ModiLoader First Stage

Formbook

ModiLoader, DBatLoader

Malware Config

C2 Extraction:

http://www.revit-templates.com/k47/

Unpacked files

SH256 hash:

4d39dfd975de3e9aca4e430390618b2e548db3f3d4bf2d0409f643be7da2a91e

MD5 hash:

d7545487bde794de42b3a655f3664c8d

SHA1 hash:

f4728d4c214b0282efc7d0779cd673d4b68e7da0

Link:

https://www.unpac.me/results/ebbbed83-b0a3-411a-af17-a5481ceaccbf/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/105854/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample