MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bdbc84c2fb75f0ed7b7e7c6ce24b02dba946003328b27cd17be926b83654f779. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bdbc84c2fb75f0ed7b7e7c6ce24b02dba946003328b27cd17be926b83654f779
SHA3-384 hash: c89cf0c9767835c3c83f460a88f313981450c9ce60486f14ac52b98aa59b5c15bf61df460b1c1b84bd3f8e6a8f7c70f1
SHA1 hash: d2646f03108d4063899716427c5dac918b264a5a
MD5 hash: cd4a8d5b7b52bad98531415d46545391
humanhash: steak-ink-venus-timing
File name:RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'218'752 bytes
First seen:2020-11-25 20:50:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 191f8035b5c11d5de8fd20cfdada0df2 (6 x ModiLoader)
ssdeep 24576:3RVtvQ+csIDccuZGhe1ppCmfwybRw8zQKtALblKCeNRbO+v:3R/ovVcOM1pJwYnzQ0t
Threatray 3'045 similar samples on MalwareBazaar
TLSH 8A45BF23B1B28436C16175BDAE1B41ED6EB5FD617878750F37E0AD0C8E3AA817D29093
Reporter fabjer
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/105683/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Launching cmd.exe command interpreter
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Gathering data
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/547586
Signature
Detected FormBook malware
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Steal Google chrome login data
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 322898 Sample: RFQ For TRANS ANATOLIAN NAT... Startdate: 26/11/2020 Architecture: WINDOWS Score: 100 63 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->63 65 Malicious sample detected (through community Yara rule) 2->65 67 Multi AV Scanner detection for submitted file 2->67 69 6 other signatures 2->69 9 RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe 1 2 2->9         started        process3 dnsIp4 53 cdn.discordapp.com 162.159.130.233, 443, 49707, 49714 CLOUDFLARENETUS United States 9->53 55 discord.com 162.159.137.232, 443, 49706, 49713 CLOUDFLARENETUS United States 9->55 39 C:\Users\user\AppData\Local\...\Hmsmdrv.exe, PE32 9->39 dropped 89 Modifies the context of a thread in another process (thread injection) 9->89 91 Maps a DLL or memory area into another process 9->91 93 Sample uses process hollowing technique 9->93 95 Queues an APC in another process (thread injection) 9->95 14 explorer.exe 4 9->14 injected file5 signatures6 process7 dnsIp8 57 www.aist72.com 156.241.53.195, 49745, 49746, 49747 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles 14->57 59 messianicentertainment.com 34.102.136.180, 49737, 49738, 49739 GOOGLEUS United States 14->59 61 6 other IPs or domains 14->61 99 System process connects to network (likely due to code injection or exploit) 14->99 18 svchost.exe 18 14->18         started        22 Hmsmdrv.exe 14->22         started        25 Hmsmdrv.exe 14->25         started        27 3 other processes 14->27 signatures9 process10 dnsIp11 35 C:\Users\user\AppData\...\-1Alogrv.ini, data 18->35 dropped 37 C:\Users\user\AppData\...\-1Alogri.ini, data 18->37 dropped 71 Detected FormBook malware 18->71 73 Tries to steal Mail credentials (via file access) 18->73 75 Tries to harvest and steal browser information (history, passwords, etc) 18->75 29 cmd.exe 2 18->29         started        43 discord.com 22->43 45 cdn.discordapp.com 22->45 77 Multi AV Scanner detection for dropped file 22->77 79 Machine Learning detection for dropped file 22->79 81 Modifies the context of a thread in another process (thread injection) 22->81 47 162.159.136.232, 443, 49720 CLOUDFLARENETUS United States 25->47 49 discord.com 25->49 51 cdn.discordapp.com 25->51 83 Maps a DLL or memory area into another process 25->83 85 Sample uses process hollowing technique 25->85 87 Tries to detect virtualization through RDTSC time measurements 27->87 file12 signatures13 process14 file15 41 C:\Users\user\AppData\Local\Temp\DB1, SQLite 29->41 dropped 97 Tries to harvest and steal browser information (history, passwords, etc) 29->97 33 conhost.exe 29->33         started        signatures16 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bdbc84c2fb75f0ed7b7e7c6ce24b02dba946003328b27cd17be926b83654f779/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2020-11-25 06:13:44 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2052bf41efb320074624cc63d0fb048e7ae57a3f7e365de65ea9cf6766449d98
ModiLoader
426ffa75739fe8c76f9b42c13944cbde5de6715394131f8e02fa83027de328f2
ModiLoader
4273b1d1ede5642d214be245fd041250539f7f34779737c37856f602491948f5
ModiLoader
5943e0f810c211de134f7225c22c1d453da8acb0b6774b86b60eeb084b61a37a
ModiLoader
73a8ac37a0f0c6761800a276b77b0fd34d1cf43830f822ef18ff50dbda934751
ModiLoader
7bbb0115208c57bc42a9801afbdfeac6b417269c16739787c4f7a792bfa94c88
ModiLoader
805a071c8e38fca4e3602881ff33ac7a2afba65bb61cd7adda873950bf2779cb
ModiLoader
82ec33dd4f26eab172d8a0fc536751d12153a3f7175351da311a7059217c670e
ModiLoader
c7d2763c845a08a22775c242be4368bbad967ae4d2f82be1042645d6a70320a5
ModiLoader
d168997744867bbce4da90506b2182f4d015899bcddfd3924f234e739b9e7866
ModiLoader
+ 3'035 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:modiloader persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/201125-vqp73pbhwn/
Behaviour
Modifies Internet Explorer settings
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Formbook Payload
ModiLoader First Stage
Formbook
ModiLoader, DBatLoader
Malware Config
C2 Extraction:
http://www.hansonkx.xyz/mkv/
Unpacked files
SH256 hash:
bdbc84c2fb75f0ed7b7e7c6ce24b02dba946003328b27cd17be926b83654f779
MD5 hash:
cd4a8d5b7b52bad98531415d46545391
SHA1 hash:
d2646f03108d4063899716427c5dac918b264a5a
Link:
https://www.unpac.me/results/ab6b29c2-5f80-4777-9997-5437c7b275a2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Cryptor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bdbc84c2fb75f0ed7b7e7c6ce24b02dba946003328b27cd17be926b83654f779

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

Executable exe ced287221f1034fec7a1280429189f9845664f0c554390a1a2e0e7b5b0f324bb

ModiLoader

Executable exe bdbc84c2fb75f0ed7b7e7c6ce24b02dba946003328b27cd17be926b83654f779

(this sample)

  
Dropped by
SHA256 ced287221f1034fec7a1280429189f9845664f0c554390a1a2e0e7b5b0f324bb
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/105683/

Comments