MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b1ea5f80159e52d53772c270bf95c18a733c04529031de332d77c81d67386b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5b1ea5f80159e52d53772c270bf95c18a733c04529031de332d77c81d67386b8
SHA3-384 hash: cd2921ad7fff2fc636dfb9d834bf3a30e75f351bd7c7ce939135ed44d08fcb41501c6fd6edcb6cd81e3d8196f63ce420
SHA1 hash: fa0687b985b4cda6e2e76d616739ed4cc08668e7
MD5 hash: e89a9db187c7942da45a3fd6a242a690
humanhash: mexico-network-sierra-march
File name:Zbwqdfm_Signed_.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:636'568 bytes
First seen:2020-10-12 08:46:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5f8ce99d6ad75c2b34e5fbb6b24c4395 (15 x ModiLoader, 4 x Loki, 2 x AZORult)
ssdeep 12288:sOZlAvXBW34aSHxF5en1PwGP0eAMNzVn2Vd131de/T:dlUM4aSHTUn1PQeLNzV2H1G/T
Threatray 2'425 similar samples on MalwareBazaar
TLSH 9CD4AFF3B2F14433C16726795C1B97BC682ABE132D28A8467BF51D4C6F39681392B193
Reporter abuse_ch
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70008/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/488198
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Sigma detected: Fodhelper UAC Bypass
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 296543 Sample: Zbwqdfm_Signed_.exe Startdate: 12/10/2020 Architecture: WINDOWS Score: 68 55 Sigma detected: Fodhelper UAC Bypass 2->55 57 Tries to detect virtualization through RDTSC time measurements 2->57 8 Zbwqdfm_Signed_.exe 1 15 2->8         started        process3 dnsIp4 39 discord.com 162.159.135.232, 443, 49735, 49737 CLOUDFLARENETUS United States 8->39 41 cdn.discordapp.com 162.159.135.233, 443, 49738, 49752 CLOUDFLARENETUS United States 8->41 35 C:\Users\user\AppData\Local\...\Zbwqdrv.exe, PE32 8->35 dropped 59 Writes to foreign memory regions 8->59 61 Allocates memory in foreign processes 8->61 63 Creates a thread in another existing process (thread injection) 8->63 65 Injects a PE file into a foreign processes 8->65 13 notepad.exe 4 8->13         started        16 ieinstal.exe 8->16         started        file5 signatures6 process7 file8 37 C:\Users\Public37atso.bat, ASCII 13->37 dropped 18 cmd.exe 1 13->18         started        20 cmd.exe 1 13->20         started        22 explorer.exe 16->22 injected process9 process10 24 conhost.exe 18->24         started        26 reg.exe 1 1 18->26         started        28 conhost.exe 20->28         started        30 Zbwqdrv.exe 13 22->30         started        33 Zbwqdrv.exe 13 22->33         started        dnsIp11 43 162.159.128.233, 443, 49753, 49754 CLOUDFLARENETUS United States 30->43 45 discord.com 30->45 47 cdn.discordapp.com 30->47 49 162.159.137.232, 443, 49750, 49751 CLOUDFLARENETUS United States 33->49 51 192.168.2.1 unknown unknown 33->51 53 2 other IPs or domains 33->53
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5b1ea5f80159e52d53772c270bf95c18a733c04529031de332d77c81d67386b8/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2020-10-12 07:50:04 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lmpkl6ablhss2u3xfqtqx6k4dctthqcffebr3yzs256idvttq24a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0444972f4976d21a707c947f936ee857584f0dee44e795c6dc7cb86d9b28eddd
ModiLoader
0538ad6e3f92ea13a5a3dadb18e807ce26097bbfd2f473e873a514b6dbbe8f5d
ModiLoader
145880ed94e0db3cab65cb54db4728520f1ac5f95ff2b0dda2650233542dd706
ModiLoader
3e8e7c9ebb8ae4bbb723e1974f176f8cb82ec0fb4e1890ee1f4feed08ae76058
ModiLoader
426ffa75739fe8c76f9b42c13944cbde5de6715394131f8e02fa83027de328f2
ModiLoader
914712c702b94abb26e0d1edbd54712d62a2fdb6cfbc9bd41ac8bcb84296358f
ModiLoader
bd959929f72ad78adfc193a1b6f3951a41cb2fd273e97680ca41030c7c4ad271
ModiLoader
bfae046475f1458c460cf4eed534a48c8e769fbfc622138170c3945a4ad61a90
ModiLoader
d9600ffc9406d71c60b7eb036248230510c3b971a1de563ca7b8b57e822f7879
ModiLoader
e85f434810652692f3e0a0738d9156899afcbd2bed42a6f328f0092d72a1db34
ModiLoader
+ 2'415 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
rat persistence spyware trojan stealer family:formbook family:modiloader
Link:
https://tria.ge/reports/201012-3w6mzccbaj/
Behaviour
Modifies Internet Explorer settings
Modifies registry key
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
ModiLoader First Stage
Formbook
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
d2e419df41b2645010af1c6a850553ed6806a5aadcd8df7de095f26dfd4766bb
MD5 hash:
9ef6241a8c2375ffe0f8d31aea7db374
SHA1 hash:
1b44f9a10c1758e90d1d679b83e51a8aeb63e60a
Detections:
win_dbatloader_auto
Create hunting rule
Link:
https://www.unpac.me/results/354362c5-7a30-45e8-9b78-fbd49ec42a63/
SH256 hash:
5b1ea5f80159e52d53772c270bf95c18a733c04529031de332d77c81d67386b8
MD5 hash:
e89a9db187c7942da45a3fd6a242a690
SHA1 hash:
fa0687b985b4cda6e2e76d616739ed4cc08668e7
Link:
https://www.unpac.me/results/354362c5-7a30-45e8-9b78-fbd49ec42a63/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5b1ea5f80159e52d53772c270bf95c18a733c04529031de332d77c81d67386b8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_dbatloader_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

Executable exe 5b1ea5f80159e52d53772c270bf95c18a733c04529031de332d77c81d67386b8

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70008/

Comments