MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5bb36e3bc7e4af9d5e89ac458eda237272b08fdd5643be22bfbdf05761cefc75. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5bb36e3bc7e4af9d5e89ac458eda237272b08fdd5643be22bfbdf05761cefc75
SHA3-384 hash: 206f6be3b72ce173738bd47ad32ea9cd0a3b6afc670f63a1bccede53ddebf1bd2bda1740b2dcafcdcdd81c8f3fad3ab9
SHA1 hash: 448c0ad474ada6871a96fe888e30a9cb802d2349
MD5 hash: c718a74fc1d71bcfe2a19abe8c40fbde
humanhash: paris-eight-bluebird-march
File name:c718a74fc1d71bcfe2a19abe8c40fbde
Download: download sample
Signature ModiLoader
Create hunting rule
File size:744'960 bytes
First seen:2022-06-01 11:24:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7d1ae7301f899d475bee51a2be94917b (3 x Formbook, 2 x AveMariaRAT, 2 x ModiLoader)
ssdeep 12288:iuOVJ0xy2EhIlyuOQ4Yb5yTxKBLVWgrfbtVSX3x7FRS8HWAWMeM7jEOd/0:ipIyhIfD5yWJWgntVSn52bD/MMOd/0
Threatray 8'684 similar samples on MalwareBazaar
TLSH T1A9F47C22F2F0C536C723113D8D1BB9B85E75FD70E814A8462AECDDC8AA39E81775A153
TrID 68.5% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
27.0% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
1.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.3% (.SCR) Windows screen saver (13101/52/3)
0.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 10808a8c8c8a8010 (77 x Formbook, 51 x AgentTesla, 44 x RemcosRAT)
Reporter zbetcheckin
Tags:32 exe ModiLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
395
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c718a74fc1d71bcfe2a19abe8c40fbde
Verdict:
Malicious activity
Analysis date:
2022-06-01 11:30:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/284f980a-245f-400d-9ad8-0514b5ba42be

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/276033/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.23597.12734.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching the process to interact with network services
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0d7ca7c1-e0c1-4fb1-9d23-f96e6325a16f
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1004980
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected FormBook malware
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 637476 Sample: rqAHfqNKnK Startdate: 01/06/2022 Architecture: WINDOWS Score: 100 73 Malicious sample detected (through community Yara rule) 2->73 75 Antivirus / Scanner detection for submitted sample 2->75 77 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->77 79 3 other signatures 2->79 9 rqAHfqNKnK.exe 1 23 2->9         started        process3 dnsIp4 53 l-0003.l-dc-msedge.net 13.107.43.12, 443, 49729, 49732 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 9->53 55 l-0004.l-dc-msedge.net 13.107.43.13, 443, 49728, 49731 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 9->55 57 3 other IPs or domains 9->57 49 C:\Users\Public\Libraries\Wysrbdgeps.exe, PE32 9->49 dropped 51 C:\Users\...\Wysrbdgeps.exe:Zone.Identifier, ASCII 9->51 dropped 103 Modifies the context of a thread in another process (thread injection) 9->103 105 Maps a DLL or memory area into another process 9->105 107 Sample uses process hollowing technique 9->107 109 2 other signatures 9->109 14 explorer.exe 9->14 injected 16 explorer.exe 9->16         started        19 cmd.exe 1 9->19         started        file5 signatures6 process7 signatures8 21 wscript.exe 18 14->21         started        25 Wysrbdgeps.exe 16 14->25         started        28 Wysrbdgeps.exe 16 14->28         started        71 Tries to detect virtualization through RDTSC time measurements 16->71 30 cmd.exe 1 19->30         started        32 conhost.exe 19->32         started        process9 dnsIp10 45 C:\Users\user\AppData\...\5M1logrv.ini, data 21->45 dropped 47 C:\Users\user\AppData\...\5M1logri.ini, data 21->47 dropped 83 Detected FormBook malware 21->83 85 Tries to steal Mail credentials (via file / registry access) 21->85 87 Tries to harvest and steal browser information (history, passwords, etc) 21->87 89 Tries to detect virtualization through RDTSC time measurements 21->89 34 cmd.exe 21->34         started        59 skavgg.db.files.1drv.com 25->59 61 onedrive.live.com 25->61 67 2 other IPs or domains 25->67 91 Antivirus detection for dropped file 25->91 93 Multi AV Scanner detection for dropped file 25->93 95 Machine Learning detection for dropped file 25->95 63 skavgg.db.files.1drv.com 28->63 65 onedrive.live.com 28->65 69 3 other IPs or domains 28->69 97 Modifies the context of a thread in another process (thread injection) 28->97 99 Maps a DLL or memory area into another process 28->99 101 Sample uses process hollowing technique 28->101 37 explorer.exe 2 161 28->37         started        39 conhost.exe 30->39         started        file11 signatures12 process13 signatures14 81 Tries to harvest and steal browser information (history, passwords, etc) 34->81 41 conhost.exe 34->41         started        43 explorer.exe 37->43         started        process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5bb36e3bc7e4af9d5e89ac458eda237272b08fdd5643be22bfbdf05761cefc75/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2022-06-01 11:25:11 UTC
File Type:
PE (Exe)
Extracted files:
97
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lozw4o6h4sxz2xujvrcy5wrdojzlbd65kzb34iv7xxyfoyoo7r2q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1469e7e8893827f956180775b581b110e8dc11995df78238a8280e61a7beb19b
ModiLoader
3880fb052955a0a189467378cdfa76b830a23417a89265eb347918a99ca3ca65
ModiLoader
5bb36e3bc7e4af9d5e89ac458eda237272b08fdd5643be22bfbdf05761cefc75
ModiLoader
a45abe3d312cbd49eb1af3b5dc7f2447ad3de342dffd31fee15fd32a889881c1
ModiLoader
d267cdaa7f1c04a889cdd18f85c56d96dfdb5697cc1a81fa5a27d139a1f34e83
ModiLoader
e57c5a86edabac44bf073a9c49a7dbf9cae0b546d452c57ed57f08f8d338e2e2
ModiLoader
+ 8'674 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:modiloader campaign:b12m persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/220601-nhp8csbhem/
Behaviour
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Formbook Payload
ModiLoader Second Stage
Formbook
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
0b4b7d7628499c9d0c62562dc64f22baf5390cd32f71e0317c259511ae85b5b6
MD5 hash:
d6e8fb9c9383709a7475144fbc74cb44
SHA1 hash:
3dc32f98eb13d725511b64924730132883ad3591
Link:
https://www.unpac.me/results/b3ac01c3-a0fa-4b29-89d3-303ce8beea9d/
SH256 hash:
5bb36e3bc7e4af9d5e89ac458eda237272b08fdd5643be22bfbdf05761cefc75
MD5 hash:
c718a74fc1d71bcfe2a19abe8c40fbde
SHA1 hash:
448c0ad474ada6871a96fe888e30a9cb802d2349
Link:
https://www.unpac.me/results/b3ac01c3-a0fa-4b29-89d3-303ce8beea9d/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5bb36e3bc7e4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5bb36e3bc7e4af9d5e89ac458eda237272b08fdd5643be22bfbdf05761cefc75

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ModiLoader

Executable exe 5bb36e3bc7e4af9d5e89ac458eda237272b08fdd5643be22bfbdf05761cefc75

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2220386/
Cape
Cape
https://www.capesandbox.com/analysis/276033/

Comments


Avatar
zbet commented on 2022-06-01 11:24:11 UTC

url : hxxp://194.31.150.173/utussf.exe