MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f4f2ba2347cd4e83db8bfcd3c57849011ce6508b2f10cb367caff3d0626fba7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ModernLoader

Vendor detections: 5

Intelligence 5 IOCs YARA 1 File information Comments

SHA256 hash:	7f4f2ba2347cd4e83db8bfcd3c57849011ce6508b2f10cb367caff3d0626fba7
SHA3-384 hash:	7cc7e5cbd377c8c5ece6582081809d4162c933263584b9ffa745faaae4728f6cef6a87ede4bf6788e14d6f3bcc39503d
SHA1 hash:	97ba116c999c99e8ffe70a27f013ef648ad425d4
MD5 hash:	a20c862aee6c35614e1bade90e3645d2
humanhash:	sodium-mexico-foxtrot-beer
File name:	x.png
Download:	download sample
Signature	ModernLoader Create hunting rule
File size:	225'688 bytes
First seen:	2023-04-07 21:16:43 UTC
Last seen:	2023-04-07 21:34:01 UTC
File type:	ps1
MIME type:	text/plain
ssdeep	6144:pIJhgDkagggc1dReKtulYJjNbZiDGWWlYJd:pwhpc1dReKtJHiP
TLSH	T18B24B4F8B8A7D9D4F50B9C8065ACFDA20D3139F3A9C90E21032D65049FE9E956F4858F
Reporter	Anonymous
Tags:	ModernLoader ps1

Intelligence

File Origin

# of uploads :

# of downloads :

198

Origin country :

Vendor Threat Intelligence

Detection(s):

Win.Downloader.ModernLoader-9963696-2

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

modernloader powershell

Link:

https://www.filescan.io/uploads/643088502254dc891204b2f4/reports/c0ab0eeb-ad2f-4712-9b73-2564edc7b1e6/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/7f4f2ba2347cd4e83db8bfcd3c57849011ce6508b2f10cb367caff3d0626fba7

Result

Verdict:

UNKNOWN

Result

Threat name:

ModernLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1210532

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

Found C&C like URL pattern

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Uses an obfuscated file name to hide its real file extension (double extension)

Writes to foreign memory regions

Yara detected Generic Downloader

Yara detected ModernLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7f4f2ba2347cd4e83db8bfcd3c57849011ce6508b2f10cb367caff3d0626fba7/

Threat name:

Win32.Dropper.Generic

Status:

Suspicious

First seen:

2023-04-07 20:28:00 UTC

File Type:

Text (PowerShell)

AV detection:

4 of 34 (11.76%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=p5hsxiruptkoqpnyx7gtyv4esai44ziiwlyqzm3hzl7t2brg7otq._file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/7f4f2ba2347cd4e83db8bfcd3c57849011ce6508b2f10cb367caff3d0626fba7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	SUSP_VBS_in_ISO Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects ISO files that contain VBS functions
Reference:	Internal Research