MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b812dd30a73b638b960af5ef21e2e3dcf807728b381a8f71553e0a32d2307b92. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ModiLoader

Vendor detections: 13

SHA256 hash: b812dd30a73b638b960af5ef21e2e3dcf807728b381a8f71553e0a32d2307b92
SHA3-384 hash: 9e11800651e858d07aae1af6cdebf1e94cc07b96fba64f3386392d7b3471bcd4aec65eb8b136e54c605b873f541e77ee
SHA1 hash: 2119de3dd810ab6edb5fd99cccfc85afeee38c3d
MD5 hash: 8945b0881e6509f485f7a0a2561bc1e3
humanhash: diet-lion-ten-hamper
File name: SecuriteInfo.com.Win32.PWSX-gen.13488.24383
Signature: ModiLoader
File size: 1'024'000 bytes
First seen: 2022-11-07 10:10:55 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b47ec091df0d8f01946a02b8629932fe (3 x ModiLoader, 1 x Formbook)
ssdeep: 24576:tsa4byzdWezM7KabcIo6UKb8SDxOTeCYSfI5b2sJxHJHtuSCg/c3kCv/oMw2n+OL:tZeRo6UXdAoMMMMMMMMMMMMMMMMMS
TLSH: T19025DF56B2807437E1621E38D94AE336583BBF341A2C5C0666F07D5EAFFA2D23D1914B
TrID: 22.3% (.EXE) Win32 Executable Delphi generic (14182/79/4)
      20.6% (.SCR) Windows screen saver (13097/50/3)
      16.5% (.EXE) Win64 Executable (generic) (10523/12/4)
      15.7% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
      7.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE): PE icon
dhash icon: 1232c8acecd0c4c4 (7 x ModiLoader, 1 x RemcosRAT, 1 x Formbook)
Reporter: SecuriteInfoCom
Tags: exe ModiLoader

Intelligence

File Origin
# of uploads: 1
# of downloads: 179
Origin country: n/a

Vendor Threat Intelligence
Malware family: formbook
ID: 1
File name: SecuriteInfo.com.Win32.PWSX-gen.13488.24383
Verdict: Malicious activity
Analysis date: 2022-11-07 10:12:11 UTC
Tags: trojan formbook stealer loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Launching a process
Creating a process with a hidden window
Searching for the window
Searching for synchronization primitives
Launching cmd.exe command interpreter
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: keylogger overlay packed
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: DBatLoader, FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Behavior Graph ID: 739795
Sample: SecuriteInfo.com.Win32.PWSX...
Startdate: 07/11/2022
Architecture: WINDOWS
Score: 100
Top-level signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 5 other signatures
Process 9: SecuriteInfo.com.Win32.PWSX-gen.13488.24383.exe (started)
  Network: l-0003.l-dc-msedge.net 13.107.43.12, 443, 49696, 49698 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; ppq3oq.ph.files.1drv.com; 2 other IPs or domains
  Dropped: C:\Users\Public\Libraries\Kvgyzqtt.exe (PE32); C:\Users\...\Kvgyzqtt.exe:Zone.Identifier (ASCII)
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
  Starts process 14
Process 14: wscript.exe (started)
  Signatures: Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
  Injects into process 17
Process 17: explorer.exe (injected)
  Starts processes 19 and 23
Process 19: Kvgyzqtt.exe (started)
  Network: 192.168.2.1 unknown unknown; ppq3oq.ph.files.1drv.com; 2 other IPs or domains
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  Starts process 25: wscript.exe
Process 23: Kvgyzqtt.exe (started)
  Network: l-0004.l-dc-msedge.net 13.107.43.13, 443, 49703, 49705 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; ppq3oq.ph.files.1drv.com; 3 other IPs or domains
  Starts process 27: wscript.exe
Threat name: Win32.Trojan.FormBook
Status: Malicious
First seen: 2022-11-07 10:11:16 UTC
File Type: PE (Exe)
Extracted files: 52
AV detection: 22 of 26 (84.62%)
Threat level: 5/5
Verdict: malicious
Label(s): formbook remcos

Result
Malware family: modiloader
Score: 10/10
Tags: family:formbook family:modiloader campaign:kmge persistence rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Adds Run key to start application
Formbook payload
ModiLoader Second Stage
Formbook
ModiLoader, DBatLoader
Gathering data
Unpacked files
SHA256 hash: 3f17ebba5a2529b8794c6e86f2b124eacc332692ccdb8acfc6ebf8829c5889e7
MD5 hash: 990016aba0656d25f84a329e5a48c50b
SHA1 hash: f13ea53aaa58d65bd696da99836dd5473f290536
Detections: win_dbatloader_g1

Parent samples:
SHA256 hash: b812dd30a73b638b960af5ef21e2e3dcf807728b381a8f71553e0a32d2307b92
MD5 hash: 8945b0881e6509f485f7a0a2561bc1e3
SHA1 hash: 2119de3dd810ab6edb5fd99cccfc85afeee38c3d
Detections: DbatLoaderStage1
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments