MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8aaa1509b2f7df0160cb91cc9a8f35f38a029ea7485a25deaa9b448b1d635059. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8aaa1509b2f7df0160cb91cc9a8f35f38a029ea7485a25deaa9b448b1d635059
SHA3-384 hash: 2c57dc87c8a7e367b8ca48f74dd72356886453f0b15c2dc574745a1b61ee43d79142414be70a966707b563070179c0dd
SHA1 hash: 92d4018733461c97a4be10542ce4ec73bab4cca7
MD5 hash: 01651d9396b55bffaeedefbaaef2a481
humanhash: oregon-charlie-hamper-michigan
File name:Scan 1292020 pdf.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'044'480 bytes
First seen:2020-12-09 10:44:06 UTC
Last seen:2020-12-09 14:39:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b533f6ccb714ea0a0f83e1cff60dbfe0 (8 x ModiLoader, 2 x RemcosRAT)
ssdeep 24576:DklbZpRNhPXNH/yLjaKuOflg/E7D/cX+2hu0a:DkhRXNNKuOtgg/2vhux
Threatray 4'541 similar samples on MalwareBazaar
TLSH 2A25B0E3F2D0453EF13605749D47857AA824EE192E8E984627BE2E0C4F7D5C7380B99B
Reporter abuse_ch
Tags:exe ModiLoader


Avatar
abuse_ch
Malspam distributing ModiLoader:

HELO: fifa.com
Sending IP: 45.127.62.13
From: Fatma <fatma@hacilar-et.de> <gerhard@larasanders.cf>
Subject: Re: Payment Confirmation Hacilar Miete BGM
Attachment: Scan 1292020 pdf.iso (contains "Scan 1292020 pdf.exe")

Intelligence

File Origin
# of uploads :
3
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Scan 1292020 pdf.exe
Verdict:
Malicious activity
Analysis date:
2020-12-09 14:50:55 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/ab974ad8-fba2-4a48-843a-250c79ccd356

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/107436/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Launching the default Windows debugger (dwwin.exe)
Result
Gathering data
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/558962
Signature
Detected unpacking (changes PE section rights)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 328581 Sample: Scan 1292020 pdf.exe Startdate: 09/12/2020 Architecture: WINDOWS Score: 100 38 Malicious sample detected (through community Yara rule) 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 Detected unpacking (changes PE section rights) 2->42 44 4 other signatures 2->44 10 Scan 1292020 pdf.exe 14 2->10         started        process3 dnsIp4 34 cdn.discordapp.com 162.159.134.233, 443, 49720 CLOUDFLARENETUS United States 10->34 36 discord.com 162.159.136.232, 443, 49719 CLOUDFLARENETUS United States 10->36 54 Injects a PE file into a foreign processes 10->54 14 Scan 1292020 pdf.exe 10->14         started        signatures5 process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 14->56 58 Maps a DLL or memory area into another process 14->58 60 Sample uses process hollowing technique 14->60 62 Queues an APC in another process (thread injection) 14->62 17 explorer.exe 14->17 injected process8 dnsIp9 28 freeurl.abc188.com 103.120.80.6, 49743, 80 WEST263GO-HKWest263InternationalLimitedHK Hong Kong 17->28 30 server1.gathermix.com 200.234.189.225, 49742, 80 MLTelecomBR Brazil 17->30 32 8 other IPs or domains 17->32 46 System process connects to network (likely due to code injection or exploit) 17->46 21 NETSTAT.EXE 17->21         started        signatures10 process11 signatures12 48 Modifies the context of a thread in another process (thread injection) 21->48 50 Maps a DLL or memory area into another process 21->50 52 Tries to detect virtualization through RDTSC time measurements 21->52 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8aaa1509b2f7df0160cb91cc9a8f35f38a029ea7485a25deaa9b448b1d635059/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-12-09 10:45:09 UTC
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rkvbkcns67pqcyglshgjvdzv6ofafhvhjbnclxvktnciwhldkbmq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
netwirerc
Create hunting rule
Similar samples:
04274b027d3bd09ec0d7b58ff5af64aa06e626668995cb5ef6d7fad939bc6c33
ModiLoader
106f9f66c54be3c20be8f04ce63f5d6183d6eb9e79a6b243b5c820cc01ee24cb
ModiLoader
12898cbec097104c225702c61e311cc6e12d0f4ac55b95a1eb41a812e6941748
ModiLoader
1eb0b62e6d0c2d36c2e5ca882b6122a0f462bb3e0b58222d477558b4dd72c2f4
ModiLoader
5248643a130c832416245ea6b33ab3724a81c4e4a36b2ea424dd1a5fc1dd7ac2
ModiLoader
7a39513f428374b50a41c8d30a1704906270005c4675db03d810f9970fd96bbf
ModiLoader
894f564c6c023c4baf66d72f13578bbfcd992b21f42f3f732887933d438ddbb7
ModiLoader
ab2d651176cc27c6b41e7d6bdb060c328d66e68c4fb8df1b2c0a217187b2c15d
ModiLoader
d166ce232dd96e2633f4913d3e964dadedf76ff88a7c998edc7cd479defc6a90
ModiLoader
f1ca0286fa691166ab71220ee3243bcfa4e73b17247e382edaf6c1590d50d3a2
ModiLoader
+ 4'531 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201209-vyl6kw2a32/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Gathers network information
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.lupipins.com/cxs/
Unpacked files
SH256 hash:
8aaa1509b2f7df0160cb91cc9a8f35f38a029ea7485a25deaa9b448b1d635059
MD5 hash:
01651d9396b55bffaeedefbaaef2a481
SHA1 hash:
92d4018733461c97a4be10542ce4ec73bab4cca7
Link:
https://www.unpac.me/results/9767035a-4506-4cd6-b3d3-098fc2b47f60/
SH256 hash:
8527e112164f0d41dc9cc0e8a432c0e38ee3466f6ad7edbe344ec5893d74d319
MD5 hash:
162c631275dbf152dcc93e8b5f97d43b
SHA1 hash:
5d04a8aed6b029256d1c0be87b5593801e49c80d
Link:
https://www.unpac.me/results/9767035a-4506-4cd6-b3d3-098fc2b47f60/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8aaa1509b2f7df0160cb91cc9a8f35f38a029ea7485a25deaa9b448b1d635059

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

iso 18c5b2e2dab8890cb6bc3c15408b3a8ab0d0dddf4771e81751ee604bd428778a

ModiLoader

Executable exe 8aaa1509b2f7df0160cb91cc9a8f35f38a029ea7485a25deaa9b448b1d635059

(this sample)

  
Dropped by
MD5 152cc156ca5e9e7260fc38c882ba00ef
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/107436/
  
Dropped by
SHA256 18c5b2e2dab8890cb6bc3c15408b3a8ab0d0dddf4771e81751ee604bd428778a

Comments