MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4db045a825affb493b9ecf2155047996fe2dd6f85db26a79070c7fd78fa60e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b4db045a825affb493b9ecf2155047996fe2dd6f85db26a79070c7fd78fa60e9
SHA3-384 hash: 14adbb5555005eef0dcc1f6464d605b63ea9cd8b489945e898cc42a791b168e0ffdafccb8b43d68c724ace00a9c69f5c
SHA1 hash: e65afb4199824d197d41c33f9efb0585d66ed73f
MD5 hash: 86b2faf74c9471d9b99167155bd80069
humanhash: ohio-pip-timing-speaker
File name:86b2faf74c9471d9b99167155bd80069.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'121'472 bytes
First seen:2020-12-18 16:31:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0156661a5d50a079927af811abf3d20d (2 x ModiLoader)
ssdeep 24576:JgHWSLu547HidIqWnsjrCJAA0AO7N97KKW23:JgpeY/3pe7KKj
Threatray 3'323 similar samples on MalwareBazaar
TLSH F535CF6AA7D10137E1622D3ADD7F9355A81B3E3D1D085483F7A4BF2C9F396C138162A2
Reporter abuse_ch
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
261
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
86b2faf74c9471d9b99167155bd80069.exe
Verdict:
Malicious activity
Analysis date:
2020-12-18 16:37:33 UTC
Tags:
trojan formbook stealer sinkhole
Link:
https://app.any.run/tasks/5869d327-99b1-42f5-a306-256eee9b2b67

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/108438/
Detection(s):
SecuriteInfo.com.Fareit-FZO86B2FAF74C94.2180.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Launching a process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/566466
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to download HTTP data from a sinkholed server
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 332317 Sample: YT0nfh456s.exe Startdate: 18/12/2020 Architecture: WINDOWS Score: 100 33 www.herbmedia.net 2->33 35 www.beamsubway.com 2->35 43 Tries to download HTTP data from a sinkholed server 2->43 45 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 5 other signatures 2->49 9 YT0nfh456s.exe 2->9         started        signatures3 process4 dnsIp5 37 discord.com 162.159.128.233, 443, 49715 CLOUDFLARENETUS United States 9->37 39 cdn.discordapp.com 162.159.130.233, 443, 49716 CLOUDFLARENETUS United States 9->39 57 Writes to foreign memory regions 9->57 59 Allocates memory in foreign processes 9->59 61 Injects a PE file into a foreign processes 9->61 13 ieinstal.exe 9->13         started        signatures6 process7 signatures8 63 Modifies the context of a thread in another process (thread injection) 13->63 65 Maps a DLL or memory area into another process 13->65 67 Sample uses process hollowing technique 13->67 69 Queues an APC in another process (thread injection) 13->69 16 explorer.exe 3 1 13->16 injected process9 dnsIp10 27 6983ylc.com 102.134.35.144, 49741, 49754, 80 sun-asnSC South Africa 16->27 29 cleitstaapps.com 162.241.60.214, 49749, 49770, 80 UNIFIEDLAYER-AS-1US United States 16->29 31 23 other IPs or domains 16->31 41 System process connects to network (likely due to code injection or exploit) 16->41 20 ipconfig.exe 1 16->20         started        23 ieinstal.exe 16->23         started        25 ieinstal.exe 16->25         started        signatures11 process12 signatures13 51 Modifies the context of a thread in another process (thread injection) 20->51 53 Maps a DLL or memory area into another process 20->53 55 Tries to detect virtualization through RDTSC time measurements 20->55
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b4db045a825affb493b9ecf2155047996fe2dd6f85db26a79070c7fd78fa60e9/
Threat name:
Win32.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-12-18 15:08:31 UTC
AV detection:
26 of 28 (92.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wtnqiwucll73je5z5tzbkuchtfx6fxlpqxnsnj4qodd726h2mduq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0a909cbfd2a1c352fbd9eb58f0623302fde6975668631cf5b0b294716b91b189
ModiLoader
1ade8e9c697c91b31ad76389a10e95c229eb05359a1dd70358be045199ff77a4
ModiLoader
2919a5d96ade5e0f2967d98a7b49b1f612435ed6a6b3843424a8c1e99ea0e9ab
ModiLoader
29c9884d02cba2c6ab0a72af878c9f1c2768d96b912f5847608fc040f5f98083
ModiLoader
2bda7325843b48687e064e2abeeef3f5eae5865fceccbbb0ad5229fcf624bf40
ModiLoader
549de81621fd5e577a164009e14fe791e2099b1a985fe37739801fdf156800b8
ModiLoader
641c0aa7cf4d3a8dd646a8a295e8c3f66ea01eb4bc86547c90b52390ca04c2b9
ModiLoader
7052f92dce4eaee0a7a7046c6529d6ebc79ddb2ee6e487cf34c6c7cd5dfea6ee
ModiLoader
a80553f1c2dcc35c48adf765bbb4f695d9d3c47d57ab0e47e4e8118588466731
ModiLoader
e973f018b330b3afa0ce25d89e8e5eece3d187309e27265718cd333c28332c0b
ModiLoader
+ 3'313 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:modiloader family:xloader loader persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/201218-w1dz2ql1ls/
Behaviour
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Adds Run key to start application
Adds policy Run key to start application
ModiLoader First Stage
Xloader Payload
Formbook
ModiLoader, DBatLoader
Xloader
Malware Config
C2 Extraction:
http://www.herbmedia.net/csv8/
Unpacked files
SH256 hash:
b4db045a825affb493b9ecf2155047996fe2dd6f85db26a79070c7fd78fa60e9
MD5 hash:
86b2faf74c9471d9b99167155bd80069
SHA1 hash:
e65afb4199824d197d41c33f9efb0585d66ed73f
Link:
https://www.unpac.me/results/f910180d-5883-4e13-abe2-238d1a368ddc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b4db045a825affb493b9ecf2155047996fe2dd6f85db26a79070c7fd78fa60e9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ModiLoader

Executable exe b4db045a825affb493b9ecf2155047996fe2dd6f85db26a79070c7fd78fa60e9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/898668/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/108438/

Comments