MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b7b60cdc8b19e55d3977250a9b64c254afd7e78bb1ffd8ec44dca4000b7da52b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b7b60cdc8b19e55d3977250a9b64c254afd7e78bb1ffd8ec44dca4000b7da52b
SHA3-384 hash: a3e405d5a526acaaf481b2b19ee5b96c661dcd85e1a7c5777c9cc49c0bf691b99e4e33f2e17d6b9fce945c59f4f1b852
SHA1 hash: 4ca88fe6340a20fbdbb84bace746347ae5200059
MD5 hash: 990ac5ec3a883e92ec8272d5545ceb14
humanhash: xray-arizona-jupiter-shade
File name:Tvoz_f.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:625'130 bytes
First seen:2021-04-01 07:28:25 UTC
Last seen:2021-04-02 14:15:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9398ad27bcd660eea52efe1a444cb9a2 (1 x ModiLoader, 1 x FormBook)
ssdeep 12288:24E6Ax8b3EAWv/re0t//WxpMLmYXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXD:2xu3EAaD3gWLdXiL4Ujp+
Threatray 4'500 similar samples on MalwareBazaar
TLSH FAD49E26B2E14476D1B3297D8C1BB7A59816BE513DF838463BF02D4C9B3E3A0B92C157
Reporter abuse_ch
Tags:exe ModiLoader


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: slot0.gozenholdings.com
Sending IP: 185.121.120.144
From: WoodHouse Marcela<marcela@gozenholdings.com>
Subject: Re:Payment Confirmation
Attachment: Payment.img (contains "Tvoz_f.exe")

Intelligence

File Origin
# of uploads :
3
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Tvoz_f.exe
Verdict:
Malicious activity
Analysis date:
2021-04-01 07:36:05 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/9a0e1b5c-81e6-455a-b17e-bf9a576b51cf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/130531/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Sending a UDP request
Launching a process
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Launching cmd.exe command interpreter
Creating a file in the %temp% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/661798
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Detected FormBook malware
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Steal Google chrome login data
Sigma detected: Suspicious Program Location Process Starts
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 379835 Sample: Tvoz_f.exe Startdate: 01/04/2021 Architecture: WINDOWS Score: 100 65 Found malware configuration 2->65 67 Malicious sample detected (through community Yara rule) 2->67 69 Antivirus detection for URL or domain 2->69 71 11 other signatures 2->71 10 Tvoz_f.exe 1 19 2->10         started        process3 dnsIp4 57 cdn.discordapp.com 162.159.130.233, 443, 49709, 49710 CLOUDFLARENETUS United States 10->57 49 C:\Users\Public\Libraries\Tvozxt\Tvozxt.exe, PE32 10->49 dropped 103 Creates multiple autostart registry keys 10->103 105 Writes to foreign memory regions 10->105 107 Creates a thread in another existing process (thread injection) 10->107 109 Injects a PE file into a foreign processes 10->109 15 ieinstal.exe 10->15         started        file5 111 System process connects to network (likely due to code injection or exploit) 57->111 signatures6 process7 signatures8 113 Modifies the context of a thread in another process (thread injection) 15->113 115 Maps a DLL or memory area into another process 15->115 117 Sample uses process hollowing technique 15->117 119 Queues an APC in another process (thread injection) 15->119 18 explorer.exe 2 15->18 injected process9 dnsIp10 51 www.openupfuture.com 18->51 53 www.baoxinsm.com 18->53 55 openupfuture.com 34.102.136.180, 49728, 49729, 49730 GOOGLEUS United States 18->55 81 System process connects to network (likely due to code injection or exploit) 18->81 22 chkdsk.exe 1 18 18->22         started        26 Tvozxt.exe 13 18->26         started        29 Tvozxt.exe 14 18->29         started        31 5 other processes 18->31 signatures11 process12 dnsIp13 45 C:\Users\user\AppData\...\20Llogrv.ini, data 22->45 dropped 47 C:\Users\user\AppData\...\20Llogri.ini, data 22->47 dropped 83 Detected FormBook malware 22->83 85 Tries to steal Mail credentials (via file access) 22->85 87 Creates multiple autostart registry keys 22->87 101 3 other signatures 22->101 33 cmd.exe 2 22->33         started        59 cdn.discordapp.com 26->59 89 Multi AV Scanner detection for dropped file 26->89 91 Machine Learning detection for dropped file 26->91 93 Writes to foreign memory regions 26->93 37 ieinstal.exe 26->37         started        61 192.168.2.1 unknown unknown 29->61 63 cdn.discordapp.com 29->63 95 Creates a thread in another existing process (thread injection) 29->95 97 Injects a PE file into a foreign processes 29->97 39 ieinstal.exe 29->39         started        99 Tries to detect virtualization through RDTSC time measurements 31->99 file14 signatures15 process16 file17 43 C:\Users\user\AppData\Local\Temp\DB1, SQLite 33->43 dropped 73 Tries to harvest and steal browser information (history, passwords, etc) 33->73 41 conhost.exe 33->41         started        75 Modifies the context of a thread in another process (thread injection) 37->75 77 Maps a DLL or memory area into another process 37->77 79 Sample uses process hollowing technique 37->79 signatures18 process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b7b60cdc8b19e55d3977250a9b64c254afd7e78bb1ffd8ec44dca4000b7da52b/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-04-01 07:29:17 UTC
AV detection:
16 of 46 (34.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w63azxeldhsv2olxeufjwzgcksx5pz4lwh75r3ce3ssaac35uuvq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1d03cbad439f831d0cdd34e444ef7d054fc46370025a2ee70a29abc50a178cd4
ModiLoader
36cf8d190c6caaa41fdf4b836bf9eecb204fb404bff7664aea1a13b7d08a7595
ModiLoader
5601db85e43cf789bf5e9abb817a272782ea83fd6901c45fc07bbd453cb37fbc
ModiLoader
5e8ad6fd72d00c63a90eb501e353e2b5cb7fe122ad55d71a6d6e0fcf998ef910
ModiLoader
6a4762f9c862a1ee20e00a7706f5b7dd6f12575513efdb09ea36adbec1ee202f
ModiLoader
7423b3e522234619e943c9ad0257efa4159a046bba6ea40e7545355d80424fe5
ModiLoader
a1db821171c7bd2950fad26899fbbc88c787f0cc7d869ee9b29f86bf09ebb92b
ModiLoader
cc0c4f8f34907be8839ae185fa40e5d7ad5279b70067a3279501d18483b590a7
ModiLoader
db351de507bfb075469e69ffe4859653ca3b3d0729c0236a5d3f8fd935e01cde
ModiLoader
e0aba25d9fdf71581980abe3e909668755925ac762b61343c0ab9089471af296
ModiLoader
+ 4'490 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:modiloader persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/210401-kxd17xlehx/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
ModiLoader, DBatLoader
Malware Config
C2 Extraction:
http://www.electronicservicesonline.com/jsyp/
Unpacked files
SH256 hash:
68247adf9c5d5961c0fc61a2af5bbfa7da927f36c0a9ae05003599b4b27e38b7
MD5 hash:
1b8ca94170420aee9e1609e419d7c2b0
SHA1 hash:
7c04b1b128246ab1421ca34fd7723a4a027d8510
Link:
https://www.unpac.me/results/eccb2e0a-ddec-45ab-87ec-053d9c9b7cc5/
SH256 hash:
b7b60cdc8b19e55d3977250a9b64c254afd7e78bb1ffd8ec44dca4000b7da52b
MD5 hash:
990ac5ec3a883e92ec8272d5545ceb14
SHA1 hash:
4ca88fe6340a20fbdbb84bace746347ae5200059
Link:
https://www.unpac.me/results/eccb2e0a-ddec-45ab-87ec-053d9c9b7cc5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b7b60cdc8b19e55d3977250a9b64c254afd7e78bb1ffd8ec44dca4000b7da52b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

img 1e5d6b0ee06ea48950a4c8b9ae187bdae33e6d12b01458af9aeeb5f0b8c521fb

ModiLoader

Executable exe b7b60cdc8b19e55d3977250a9b64c254afd7e78bb1ffd8ec44dca4000b7da52b

(this sample)

  
Dropped by
MD5 511d7c7698bb3ca5f22326828bbd314a
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 1e5d6b0ee06ea48950a4c8b9ae187bdae33e6d12b01458af9aeeb5f0b8c521fb
Cape
Cape
https://www.capesandbox.com/analysis/130531/

Comments


Avatar
V3nkat commented on 2021-04-05 19:32:48 UTC

Delphi based