MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa840ddac1cbded575db7d3ee2d1e3102fd1c35d0a709f42209543f9913e438f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aa840ddac1cbded575db7d3ee2d1e3102fd1c35d0a709f42209543f9913e438f
SHA3-384 hash: 302c22e146a1ae47b113ebe59762d1c75f672b0295d42677cd4bc1f319282e1d34269dd9022edcb015849ce34a22c341
SHA1 hash: b2942c499632593cface5c1fd18c12105656bf75
MD5 hash: 10419c97cde1aa8bad4e33279a15f7f8
humanhash: wisconsin-crazy-sink-juliet
File name:offer order.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'834'096 bytes
First seen:2020-08-17 13:59:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 925501b726051625fb692aeb5906e244 (7 x ModiLoader, 2 x RemcosRAT, 1 x NetWire)
ssdeep 24576:fMCc4FpC8Fkjb0jztrXF0rEuZgMlXIqOUArsqmyiSCyiSVUJEq7zvVJf9w9:f3h0rjZVhlZfyiSCyiSV/CznFw9
Threatray 2'302 similar samples on MalwareBazaar
TLSH BE85C0E2F2D1F13EC3BA5AF7CC796F441514BE4126149C8A61F53C6D8A366C0B8E325A
Reporter abuse_ch
Tags:exe ModiLoader


Avatar
abuse_ch
Malspam distributing ModiLoader:

HELO: tur2.hipotenus.com
Sending IP: 213.159.30.161
From: amr.hussein <Limitedsidco@suhuf.net.sa>
Subject: AW: An-200580
Attachment: 07-20-2020_06-59-10-PM.zip (contains "offer order.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/47079/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Launching cmd.exe command interpreter
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/433691
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Detected FormBook malware
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 269229 Sample: offer order.exe Startdate: 17/08/2020 Architecture: WINDOWS Score: 100 33 www.myultimateleadgenerator.com 2->33 35 www.maturebridesdressguide.com 2->35 37 maturebridesdressguide.com 2->37 43 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Yara detected FormBook 2->47 49 4 other signatures 2->49 9 offer order.exe 14 2->9         started        signatures3 process4 dnsIp5 39 cdn.discordapp.com 162.159.130.233, 443, 49737 CLOUDFLARENETUS United States 9->39 41 discord.com 162.159.138.232, 443, 49736 CLOUDFLARENETUS United States 9->41 59 Writes to foreign memory regions 9->59 61 Allocates memory in foreign processes 9->61 63 Creates a thread in another existing process (thread injection) 9->63 65 Injects a PE file into a foreign processes 9->65 13 ieinstal.exe 9->13         started        signatures6 process7 signatures8 67 Modifies the context of a thread in another process (thread injection) 13->67 69 Maps a DLL or memory area into another process 13->69 71 Sample uses process hollowing technique 13->71 73 Queues an APC in another process (thread injection) 13->73 16 explorer.exe 3 13->16 injected process9 dnsIp10 31 www.sayagayrimenkul.net 16->31 19 svchost.exe 1 17 16->19         started        23 ieinstal.exe 16->23         started        25 ieinstal.exe 16->25         started        process11 file12 27 C:\Users\user\AppData\...\0L9logrv.ini, data 19->27 dropped 29 C:\Users\user\AppData\...\0L9logri.ini, data 19->29 dropped 51 Detected FormBook malware 19->51 53 Tries to steal Mail credentials (via file access) 19->53 55 Tries to harvest and steal browser information (history, passwords, etc) 19->55 57 3 other signatures 19->57 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aa840ddac1cbded575db7d3ee2d1e3102fd1c35d0a709f42209543f9913e438f/
Threat name:
Win32.Trojan.DelfInject
Create hunting rule
Status:
Malicious
First seen:
2020-08-17 05:02:31 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vkca3wwbzppnk5o3pu7ofupdcax5dq25bjyj6qrasvb7tej6iohq._file
Verdict:
malicious
Similar samples:
1a6ed8b38376300f4f5a104c20726e2d90eb9e1bc26055596617f3ee2a28a350
ModiLoader
35bb2187c8bcf8921677dc34a4a3bf7f33144c97370346f4ff616c82a2e278b5
ModiLoader
45a1bb88d5e48989369b90d346c9d706a24c8b1205c4358b6a3bda278aeee6cf
ModiLoader
609d299d6ea139c7d7e659274e10c9ed230b832caba065d352738a18db41b638
ModiLoader
61e1401e8c06b9d1c5c15155a7ef7559040c9d8fbb26e5d11c6dcaf0aa191e4d
ModiLoader
62129dc8193a75313e61a1feb2146bd798ec2c84b12d99aac6560cdb7ee9e309
ModiLoader
85774cdd3163c5e259dafdf67b113fd69fa8f4f9ebd964ee91b099bd2f58ebfd
ModiLoader
9b9931b133a5a15ee73de2ffd8b6f2f7b80e834cf4a3cf17f030c479b21abf9b
ModiLoader
c97112bbfbe643fbde2c2b857761d81d37ed9c7619c0093443800c4ba46a4554
ModiLoader
cbb6d89187847aab1fcff6b5d832ea80bca30bfe5520702133cab83335392ead
ModiLoader
+ 2'292 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat spyware trojan stealer family:formbook persistence
Link:
https://tria.ge/reports/200817-cmrgeeph7a/
Behaviour
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.joomlas123.info/n7ak/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aa840ddac1cbded575db7d3ee2d1e3102fd1c35d0a709f42209543f9913e438f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

zip 804ec4bbfb8db19d04fdcc27857e14b368f83ed892cebbbbff9d92bb843fe476

ModiLoader

Executable exe aa840ddac1cbded575db7d3ee2d1e3102fd1c35d0a709f42209543f9913e438f

(this sample)

  
Dropped by
MD5 5cae9e7a03d9e55f2cb1632da48700b0
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 804ec4bbfb8db19d04fdcc27857e14b368f83ed892cebbbbff9d92bb843fe476
Cape
Cape
https://www.capesandbox.com/analysis/47079/

Comments