MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ffcc5061fbafa5eeee756b0292d6ec83109623b786b8e2f5ca5ecbd92a816c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ModiLoader

Vendor detections: 14

SHA256 hash: 6ffcc5061fbafa5eeee756b0292d6ec83109623b786b8e2f5ca5ecbd92a816c0
SHA3-384 hash: f4732137b8f461ed9f7531dc4331760a8b411026f315b3b4b05950798a6693c6a5ab3b3e79dba359fe2a7de131f63112
SHA1 hash: 6465fe19c766e06d4d0049fdd5ada9cf3240ea24
MD5 hash: c16254c097c56d8fd2ac182457b4e9d4
humanhash: fruit-fourteen-stairway-fillet
File name: 024152052651452451425.exe
Signature: ModiLoader
File size: 944'128 bytes
First seen: 2022-11-09 17:36:40 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4fb953bb5f000ba4f4293301a4f02953 (3 x ModiLoader)
ssdeep: 12288:qWdBhhjaODNTUl3qMMUHTf4zq+6LuLfxxH1ukXW2tj49UIOG1Rr3Srq0kRDiom:D7HjNUl3qMpzfnMxx1pXlRP7mMBeD
Threatray: 20'059 similar samples on MalwareBazaar
TLSH: T1AB15AE17A6F1CD37D1A72A3B8C4A7564AD3E7F201C18B40A6BE47F0ADF75A90760406B
TrID:
  26.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
  24.5% (.SCR) Windows screen saver (13097/50/3)
  19.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  8.4% (.EXE) Win32 Executable (generic) (4505/5/1)
  5.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
dhash icon: 27e3e7baeaaaa52f (3 x ModiLoader)
Reporter: malwarelabnet
Tags: exe ModiLoader xloader
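Before handling a downloaded copy of this sample, confirm it is the file this entry describes by recomputing the digests and size listed above and comparing them to the published values; a mismatch means you have a different file (a repacked variant, a truncated download, or the wrong sample). The script below is an added example and not code from MalwareBazaar; the MD5, SHA1, SHA256, SHA3-384 and size constants are copied from this entry, and the stand-in file it writes is a constructed, harmless byte string so the check can be exercised offline without the real sample.

```python
import hashlib
import os
import tempfile

# Digests and size copied from the MalwareBazaar entry above.
EXPECTED_DIGESTS = {
    "md5": "c16254c097c56d8fd2ac182457b4e9d4",
    "sha1": "6465fe19c766e06d4d0049fdd5ada9cf3240ea24",
    "sha256": "6ffcc5061fbafa5eeee756b0292d6ec83109623b786b8e2f5ca5ecbd92a816c0",
    "sha3_384": "f4732137b8f461ed9f7531dc4331760a8b411026f315b3b4b05950798a6693c6a5ab3b3e79dba359fe2a7de131f63112",
}
EXPECTED_SIZE = 944128


def hash_file(path, algorithms=tuple(EXPECTED_DIGESTS), chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for a file, reading it once in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_sample(path, expected_digests=EXPECTED_DIGESTS, expected_size=EXPECTED_SIZE):
    """Compare a file against the entry's size and digests; each check is True when it matches."""
    result = {"size": os.path.getsize(path) == expected_size}
    actual = hash_file(path, algorithms=tuple(expected_digests))
    for name, digest in expected_digests.items():
        result[name] = actual[name] == digest.lower()
    return result


def write_stand_in_file(directory=None):
    """Write a constructed, harmless stand-in file (not the sample) so the check can run offline."""
    data = b"MZ" + b"\x00" * 62 + b"constructed stand-in, not the MalwareBazaar sample\n"
    fd, path = tempfile.mkstemp(suffix=".bin", dir=directory)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    path = write_stand_in_file()
    print(verify_sample(path))  # every check False: the stand-in is not the real sample
    own = hash_file(path)
    print(verify_sample(path, own, os.path.getsize(path)))  # all True against its own digests
    os.remove(path)
```

Only the digests the standard library can compute are checked here. The imphash, ssdeep and TLSH values on the page need third-party libraries (pefile, ssdeep, py-tlsh) and are similarity hashes, so they are useful for pivoting to related samples rather than for confirming file identity.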

Intelligence

File Origin
# of uploads: 1
# of downloads: 204
Origin country: n/a
Vendor Threat Intelligence

Malware family: formbook
ID: 1
File name: 024152052651452451425.exe
Verdict: Malicious activity
Analysis date: 2022-11-09 17:39:07 UTC
Tags: formbook trojan stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness: n/a
Behaviour
Creating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Creating a process with a hidden window
Searching for the window
Searching for synchronization primitives
Launching cmd.exe command interpreter
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: keylogger overlay packed shell32.dll
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: DBatLoader, FormBook, Remcos
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Steal Google chrome login data
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Yara detected Remcos RAT
Behaviour
Behavior Graph ID 742228; sample 024152052651452451425.exe; start date 09/11/2022; architecture WINDOWS; score 100

Graph-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 7 other signatures
Graph-level domains: newehmpage.webredirect.org, geoplugin.net

Process tree (node numbers are the graph's own; indentation shows parent/child):

12  024152052651452451425.exe
    network: ph-files.fe.1drv.com, oyvg6a.ph.files.1drv.com, onedrive.live.com
    dropped: C:\Users\Public\Libraries\Jtlgtuyk.exe (PE32); C:\Users\...\Jtlgtuyk.exe:Zone.Identifier (ASCII)
    signatures: Creates multiple autostart registry keys; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
    17  wscript.exe
        signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Queues an APC in another process (thread injection)
        20  explorer.exe (injected)
            network: socialpearmarketing.com 162.241.226.28 (ports 49725, 49737, 80; UNIFIEDLAYER-AS-1, United States); maxproductdji.com 195.110.124.133 (ports 49733, 49745, 80; REGISTER-AS, Italy); 20 other IPs or domains
            signatures: System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation; Uses ipconfig to lookup or modify the Windows network settings
            24  wscript.exe
                dropped: C:\Users\user\AppData\Local\Temp\1b1xm.exe (PE32)
                signatures: Tries to steal Mail credentials (via file / registry access); Creates multiple autostart registry keys; Tries to harvest and steal browser information (history, passwords, etc); 2 other signatures
                35  1b1xm.exe
                    dropped: C:\Users\user\AppData\...\AAkj.exe (copy) (PE32)
                    signatures: Machine Learning detection for dropped file; Injects a PE file into a foreign processes
                    47  1b1xm.exe
                        signatures: Installs a global keyboard hook
                    50  cmd.exe
                        60  conhost.exe
                        62  schtasks.exe
                    52  cmd.exe
                        64  conhost.exe
                    54  cmd.exe
                39  cmd.exe
                    dropped: C:\Users\user\AppData\Local\Temp\DB1 (SQLite)
                    signatures: Tries to harvest and steal browser information (history, passwords, etc)
                    56  conhost.exe
                41  cmd.exe
                    signatures: Uses schtasks.exe or at.exe to add and modify task schedules
                    58  conhost.exe
            28  Jtlgtuyk.exe
                network: l-0004.l-dc-msedge.net 13.107.43.13 (ports 443, 49711, 49713; MICROSOFT-CORP-MSN-AS-BLOCK, United States); ph-files.fe.1drv.com; 2 other IPs or domains
                signatures: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
                43  colorcpl.exe
                    signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Tries to detect virtualization through RDTSC time measurements
            31  ipconfig.exe
                signatures: Tries to detect virtualization through RDTSC time measurements
            33  Jtlgtuyk.exe
                network: 192.168.2.1 (unknown); ph-files.fe.1drv.com; 2 other IPs or domains
                45  wscript.exe
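The behavior graph above gives enough structure to write host-based detection for this chain without relying on file hashes: an executable dropped into C:\Users\Public\Libraries, an autorun Run key pointing at it, wscript.exe launched by a non-system parent, the dropped loader starting a signed Windows binary (colorcpl.exe) as a hollowing host, and schtasks.exe invoked through cmd.exe. The Python below is an added example and not code from MalwareBazaar or any of the sandbox vendors. The events are constructed in a Sysmon-like shape from the paths the graph reports; command lines, the Run value name, the sample's on-disk location and the Policies\Explorer\Run path are assumptions, since the page does not give them. The rule and field names are mine.

```python
import ntpath
import re

# Constructed events in a Sysmon-like shape. They are NOT telemetry from the sandbox
# run above: image paths, the drop location and the Run key follow the behavior graph
# on this page; command lines and the Run value name are placeholders the page does not give.
EVENTS = [
    {"type": "process_create", "image": r"C:\Users\user\Desktop\024152052651452451425.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": ""},
    {"type": "file_create", "image": r"C:\Users\user\Desktop\024152052651452451425.exe",
     "target": r"C:\Users\Public\Libraries\Jtlgtuyk.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Users\user\Desktop\024152052651452451425.exe", "cmdline": ""},
    {"type": "registry_set", "image": r"C:\Windows\System32\wscript.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Jtlgtuyk",  # value name assumed
     "data": r"C:\Users\Public\Libraries\Jtlgtuyk.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": ""},
    {"type": "process_create", "image": r"C:\Users\Public\Libraries\Jtlgtuyk.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": ""},
    {"type": "process_create", "image": r"C:\Windows\System32\colorcpl.exe",
     "parent": r"C:\Users\Public\Libraries\Jtlgtuyk.exe", "cmdline": ""},
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "schtasks /create /tn Jtlgtuyk /tr C:\\Users\\Public\\Libraries\\Jtlgtuyk.exe"},  # placeholder
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe",  # benign control event
     "parent": r"C:\Windows\explorer.exe", "cmdline": ""},
]

# User-writable directories the chain stages binaries in (Public\Libraries and %LOCALAPPDATA%\Temp).
STAGING_DIR = re.compile(r"^c:\\users\\(public\\|[^\\]+\\appdata\\local\\temp\\)", re.I)
# Standard Run key plus the policy Run key; the Policies\Explorer\Run path is an assumption.
RUN_KEY = re.compile(r"\\currentversion\\(run|policies\\explorer\\run)\\", re.I)
WINDOWS_DIR = re.compile(r"^c:\\windows\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def in_staging(path):
    return bool(STAGING_DIR.match(path))


def rule_exe_dropped_to_staging(e):
    return e["type"] == "file_create" and e["target"].lower().endswith(".exe") and in_staging(e["target"])


def rule_autorun_to_staging(e):
    return e["type"] == "registry_set" and bool(RUN_KEY.search(e["key"])) and in_staging(e["data"])


def rule_script_host_from_nonsystem_parent(e):
    # wscript.exe started by something outside C:\Windows (here: the dropper itself).
    return (e["type"] == "process_create"
            and ntpath.basename(e["image"]).lower() in SCRIPT_HOSTS
            and not WINDOWS_DIR.match(e["parent"]))


def rule_staged_binary_spawns_windows_utility(e):
    # A binary in a staging directory launching a Windows-shipped executable is the
    # process-hollowing host pattern the graph reports for Jtlgtuyk.exe -> colorcpl.exe.
    return e["type"] == "process_create" and bool(WINDOWS_DIR.match(e["image"])) and in_staging(e["parent"])


def rule_schtasks_create_via_cmd(e):
    return (e["type"] == "process_create"
            and ntpath.basename(e["image"]).lower() == "schtasks.exe"
            and ntpath.basename(e["parent"]).lower() == "cmd.exe"
            and "/create" in e["cmdline"].lower())


RULES = {
    "exe_dropped_to_staging": rule_exe_dropped_to_staging,
    "autorun_to_staging": rule_autorun_to_staging,
    "script_host_from_nonsystem_parent": rule_script_host_from_nonsystem_parent,
    "staged_binary_spawns_windows_utility": rule_staged_binary_spawns_windows_utility,
    "schtasks_create_via_cmd": rule_schtasks_create_via_cmd,
}


def evaluate(events):
    """Return (rule_name, event_index) for every event that trips a rule."""
    return [(name, i) for i, e in enumerate(events) for name, rule in RULES.items() if rule(e)]


if __name__ == "__main__":
    for name, i in evaluate(EVENTS):
        print(f"{name}: event {i} {EVENTS[i]['image']}")
```

Each rule keys on a structural property of the chain (where the file lands, what the autorun points at, who spawned the script host) rather than on the file names, so a rebuilt loader with a fresh name and hash still trips it. The staging-directory list and the parent checks are the knobs to tune against a real estate's baseline before alerting on them.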
Result
Threat name: Win32.Trojan.Leonem
Status: Malicious
First seen: 2022-11-09 08:08:24 UTC
File Type: PE (Exe)
Extracted files: 36
AV detection: 21 of 26 (80.77%)
Threat level: 5/5
Result
Malware family: xloader
Score: 10/10
Tags: family:modiloader family:xloader campaign:uj3c loader persistence rat spyware stealer trojan
Behaviour
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Adds policy Run key to start application
ModiLoader Second Stage
Xloader payload
ModiLoader, DBatLoader
Xloader
Unpacked files

SHA256 hash: 3f17ebba5a2529b8794c6e86f2b124eacc332692ccdb8acfc6ebf8829c5889e7
MD5 hash: 990016aba0656d25f84a329e5a48c50b
SHA1 hash: f13ea53aaa58d65bd696da99836dd5473f290536
Detections: win_dbatloader_g1

Parent samples:
SHA256 hash: 6ffcc5061fbafa5eeee756b0292d6ec83109623b786b8e2f5ca5ecbd92a816c0
MD5 hash: c16254c097c56d8fd2ac182457b4e9d4
SHA1 hash: 6465fe19c766e06d4d0049fdd5ada9cf3240ea24
Detections: DbatLoaderStage1
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments