MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8636e1019ae81fce7647c4f1804bea7924d8dadeac118926e4836f19226fbe32. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8636e1019ae81fce7647c4f1804bea7924d8dadeac118926e4836f19226fbe32
SHA3-384 hash: 5669b4359bef5c1a5f8f8a147ab513ee7bc8ec6326e8ee7b84b58186542bd9d2ccc88f5650d7f3172271382da50e7b43
SHA1 hash: d127d120edc04208d2ff9f2e74be068826e6cadd
MD5 hash: dfc47b08fd039e6a182bbcbbe80e416f
humanhash: whiskey-helium-vegan-spaghetti
File name:Scan 1217 2020 pdf.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'097'216 bytes
First seen:2020-12-17 09:03:11 UTC
Last seen:2020-12-17 10:29:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f4a4ac23de520d5a5ca10d423dbeaba1 (3 x ModiLoader, 1 x Formbook)
ssdeep 24576:2Ghbt7JhOKL5nWwqpnsjrCJAA0AO7N97KK01:2Gb7pS/3pe7KK
Threatray 3'251 similar samples on MalwareBazaar
TLSH E035CF6AA3E10137E0622D39DD7F9355A81B3E3D1D1854C2F7E4AF2CDF3969138162A2
Reporter abuse_ch
Tags:exe ModiLoader


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: domkowom.com
Sending IP: 46.101.113.156
From: Fabrizio Morgagni <f.morgagni@gramellini.com> <info@wz.renfells.cf>
Subject: Re: Proforma Invoice (Payment)
Attachment: Scan 1217 2020 pdf.zip (contains "Scan 1217 2020 pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
181
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Scan 1217 2020 pdf.exe
Verdict:
Malicious activity
Analysis date:
2020-12-17 09:33:40 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/f1664023-b5d1-452d-96b3-74f46850fe19

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.DealPly.th.14579.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Gathering data
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/565144
Signature
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 331657 Sample: Scan 1217 2020 pdf.exe Startdate: 17/12/2020 Architecture: WINDOWS Score: 96 42 Malicious sample detected (through community Yara rule) 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 Yara detected FormBook 2->46 48 2 other signatures 2->48 9 Scan 1217 2020 pdf.exe 2->9         started        process3 dnsIp4 26 cdn.discordapp.com 162.159.133.233, 443, 49726 CLOUDFLARENETUS United States 9->26 28 discord.com 162.159.137.232, 443, 49725 CLOUDFLARENETUS United States 9->28 50 Modifies the context of a thread in another process (thread injection) 9->50 52 Maps a DLL or memory area into another process 9->52 54 Sample uses process hollowing technique 9->54 56 Queues an APC in another process (thread injection) 9->56 13 explorer.exe 9->13 injected signatures5 process6 dnsIp7 30 www.mbenguist.com 217.160.0.51, 49766, 80 ONEANDONE-ASBrauerstrasse48DE Germany 13->30 32 www.wwmllt.com 23.107.183.148, 49770, 80 LEASEWEB-USA-LAX-11US United States 13->32 34 4 other IPs or domains 13->34 58 System process connects to network (likely due to code injection or exploit) 13->58 17 explorer.exe 13->17         started        20 autofmt.exe 13->20         started        signatures8 process9 signatures10 36 Modifies the context of a thread in another process (thread injection) 17->36 38 Maps a DLL or memory area into another process 17->38 40 Tries to detect virtualization through RDTSC time measurements 17->40 22 cmd.exe 1 17->22         started        process11 process12 24 conhost.exe 22->24         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8636e1019ae81fce7647c4f1804bea7924d8dadeac118926e4836f19226fbe32/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-12-17 06:24:57 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qy3ocam25ap445shytyyas7kpesnrww6vqiysjxeqnxrsitpxyza._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
288e38a633a49c3a30c842250ef331f22201b2acee124e9b108d498b28cb2ba3
ModiLoader
37ec75a709a7b6730579f6fc525b3a53695bde0ca4b947a2226e3ec9f062309b
ModiLoader
5248643a130c832416245ea6b33ab3724a81c4e4a36b2ea424dd1a5fc1dd7ac2
ModiLoader
798fa0661cf2b36f6d0a4442ad217f36549a3398b7c7a885c683de0b8899b237
ModiLoader
87d8ef6a4c6bf661d7957a62b9e8e9ea6627f80227f9ea88502bf601b94a960e
ModiLoader
894f564c6c023c4baf66d72f13578bbfcd992b21f42f3f732887933d438ddbb7
ModiLoader
95eaab8711de8becc8c2625b90d9f44f5d6c50505a8939dfc3528adada49ed4d
ModiLoader
a7bed76e3e3a297b0dd90fc1ab64bd6799c3dba188934f995b1a210781657280
ModiLoader
b3420cc90cce972045db0377a5c383ce049652650946b0c84f27280a7dbd1e38
ModiLoader
d8eca36ecff579ceffbd778ab8c8949a94d4967e1c0965988b2a68671f1915ef
ModiLoader
+ 3'241 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:modiloader rat spyware stealer trojan
Link:
https://tria.ge/reports/201217-haca5pmnga/
Behaviour
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
ModiLoader First Stage
Formbook
ModiLoader, DBatLoader
Malware Config
C2 Extraction:
http://www.lupipins.com/cxs/
Unpacked files
SH256 hash:
8636e1019ae81fce7647c4f1804bea7924d8dadeac118926e4836f19226fbe32
MD5 hash:
dfc47b08fd039e6a182bbcbbe80e416f
SHA1 hash:
d127d120edc04208d2ff9f2e74be068826e6cadd
Link:
https://www.unpac.me/results/d22ea0c4-5263-4b62-9142-e80d6e2325fc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8636e1019ae81fce7647c4f1804bea7924d8dadeac118926e4836f19226fbe32

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

zip e8ef88c6bd7acb858b5c5bc67aec79fb9dadd078fe83cb644d6b48d235cd5826

ModiLoader

Executable exe 8636e1019ae81fce7647c4f1804bea7924d8dadeac118926e4836f19226fbe32

(this sample)

  
Dropped by
MD5 c8a9a7a39f60c22be2b13ea396fd9fd4
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 e8ef88c6bd7acb858b5c5bc67aec79fb9dadd078fe83cb644d6b48d235cd5826

Comments