MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf7a4925fdb1f1add01d039751d168ecf9fc958efe3b926c14566d207de4b6b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cf7a4925fdb1f1add01d039751d168ecf9fc958efe3b926c14566d207de4b6b4
SHA3-384 hash: 1a489bc0dbae01ddc68e8c39aa5626cb1f1d42415b24f6dc7da0651eb504417ad03b9b0daba2a950575756edeacba728
SHA1 hash: 11326b4b732c5cdb0edf9541c70d2dea3411ad6f
MD5 hash: 578b2c56cabfa2d2a29bc7c0184a8e1d
humanhash: sixteen-high-charlie-mountain
File name:Modrinth_Installer.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:5'896'192 bytes
First seen:2024-07-26 19:24:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d59a4a699610169663a929d37c90be43 (76 x DCRat, 22 x njrat, 17 x SalatStealer)
ssdeep 98304:AxdENT+6HE4ThcGalSS9d+udj3mYcCqQcgT3XV8tEbETvsDHaLqV710ZZ9rPzrPH:v/HMlS2JxmYcmcg7XGqb6Msq51GPf
TLSH T1EC56EF233D878D39FA751F344DFA8321F968EC105E28C146EF82AC69DAFC5C819952D9
TrID 53.3% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
13.1% (.EXE) Win32 Executable Delphi generic (14182/79/4)
12.1% (.SCR) Windows screen saver (13097/50/3)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon 71cc8a94d8cedc71 (1 x Formbook)
Reporter Chainskilabs
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
429
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Modrinth_Installer.exe
Verdict:
Malicious activity
Analysis date:
2024-07-26 18:39:59 UTC
Tags:
xworm evasion remote
Link:
https://app.any.run/tasks/e6ae1bc8-f5b2-4d8d-b538-c04fe948c2b2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.njRAT-10002074-1
Create hunting rule

Win.Packed.Msilzilla-10002982-0
Create hunting rule

Win.Packed.Msilzilla-10019837-0
Create hunting rule

Win.Packed.Loveletter-10023052-0
Create hunting rule

Win.Packed.Loveletter-10024677-0
Create hunting rule

Win.Packed.Msilzilla-10024808-0
Create hunting rule

Win.Packed.Msilzilla-10026193-0
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.AsyncRAT.UNOFFICIAL
Create hunting rule

ditekSHen.MALWARE.Win.XWorm.UNOFFICIAL
Create hunting rule

Win.Trojan.Injector-6297685-1
Create hunting rule

Win.Trojan.Agent-345883
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66a3f7eafb0026d1138aa1d3
Tags:
Discovery Generic Network Static Stealth Trojan Delphi
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Launching a process
Creating a window
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending an HTTP GET request
Creating a file in the %AppData% directory
Creating a process with a hidden window
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm asyncrat backdoor borland_delphi expand fingerprint installer lolbin lolbin packed rat remote schtasks shell32
Link:
https://www.filescan.io/uploads/66a3f80f8f66298c01f3e75f/reports/d6563f6d-5605-4aa3-893b-a6b0e704ae5a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4cb4d8f2-f26e-4c72-ac68-713a13438b5a
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1483227
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Found strings related to Crypto-Mining
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1483227 Sample: Modrinth_Installer.exe Startdate: 26/07/2024 Architecture: WINDOWS Score: 72 58 she-vocal.gl.at.ply.gg 2->58 60 ip-api.com 2->60 62 3 other IPs or domains 2->62 78 Found malware configuration 2->78 80 Malicious sample detected (through community Yara rule) 2->80 82 Antivirus / Scanner detection for submitted sample 2->82 84 10 other signatures 2->84 10 Modrinth_Installer.exe 8 3 2->10         started        14 msiexec.exe 114 44 2->14         started        16 notepad.exe 1 2->16         started        18 6 other processes 2->18 signatures3 process4 file5 54 C:\Users\user\AppData\Local\...\Modrinth.exe, PE32 10->54 dropped 96 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 10->96 20 Modrinth.exe 15 5 10->20         started        25 msiexec.exe 7 10->25         started        56 C:\Program Files\...\Modrinth App.exe, PE32+ 14->56 dropped 27 msiexec.exe 1 14->27         started        signatures6 process7 dnsIp8 64 ip-api.com 208.95.112.1, 49730, 80 TUT-ASUS United States 20->64 66 she-vocal.gl.at.ply.gg 147.185.221.21, 36704, 49731, 49815 SALSGIVERUS United States 20->66 48 C:\Users\user\AppData\Roaming\notepad.exe, PE32 20->48 dropped 88 Antivirus detection for dropped file 20->88 90 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 20->90 92 Protects its processes via BreakOnTermination flag 20->92 94 3 other signatures 20->94 29 schtasks.exe 1 20->29         started        50 C:\Users\user\AppData\Local\...\MSI4265.tmp, PE32 25->50 dropped 52 C:\Users\user\AppData\Local\...\MSI10A6.tmp, PE32 25->52 dropped 31 Modrinth App.exe 27->31         started        file9 signatures10 process11 dnsIp12 34 conhost.exe 29->34         started        74 cdn-raw.modrinth.com 104.18.22.35, 443, 49743, 49747 CLOUDFLARENETUS United States 31->74 76 api.modrinth.com 104.18.23.35, 443, 49748, 49753 CLOUDFLARENETUS United States 31->76 36 msedgewebview2.exe 31->36         started        process13 signatures14 86 Found strings related to Crypto-Mining 36->86 39 msedgewebview2.exe 36->39         started        42 msedgewebview2.exe 36->42         started        44 msedgewebview2.exe 36->44         started        46 3 other processes 36->46 process15 dnsIp16 68 204.79.197.239, 443, 49799 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 39->68 70 130.211.34.183, 443, 49787 GOOGLEUS United States 39->70 72 3 other IPs or domains 39->72
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cf7a4925fdb1f1add01d039751d168ecf9fc958efe3b926c14566d207de4b6b4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cf7a4925fdb1f1add01d039751d168ecf9fc958efe3b926c14566d207de4b6b4/
Threat name:
Win32.Trojan.Barys
Create hunting rule
Status:
Malicious
First seen:
2024-07-26 19:25:15 UTC
File Type:
PE (Exe)
Extracted files:
33
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z55esjp5why23ua5aolvduli5t47zfmo7y5ze3aukzwsa7pew22a._file
Verdict:
malicious
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm discovery persistence rat trojan
Link:
https://tria.ge/reports/240726-x4xzrssgkg/
Behaviour
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Adds Run key to start application
Blocklisted process makes network request
Enumerates connected drives
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Detect Xworm Payload
Xworm
Malware Config
C2 Extraction:
she-vocal.gl.at.ply.gg:36704
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a6e18815-ff6c-4929-b84e-f98c75e9f902
Unpacked files
SH256 hash:
7389aaa07392f6533dc7a4b1f0377ab9b694bb5c08a45f7b871062e7f9f0bdff
MD5 hash:
6f56f305614cbad9e5737acbee0f8894
SHA1 hash:
8feb8eb68fd2a0b8b502032073277961ec5d9ab9
Link:
https://www.unpac.me/results/609e59ff-2dc7-474c-9ffa-56f055f3cefa/
SH256 hash:
be92a0f2c2482465b187ff5b95dcbfd01a7d1ae29884aff4b0a33e6952b50e09
MD5 hash:
7ce3e0d6bcd604892b10f098c5d47ed3
SHA1 hash:
47768e71c46808aaaa0f2ae7f71057d23da3eb28
Link:
https://www.unpac.me/results/609e59ff-2dc7-474c-9ffa-56f055f3cefa/
SH256 hash:
f9a00b54dee51fb3b86bbfb3236a5a53c12a3ceb5ff37063a4013606e485c31c
MD5 hash:
9c91d4e56002b6395d6cdad016ab65fb
SHA1 hash:
97af80cdd148e85fe50cf934ed6a224e12fb8122
Link:
https://www.unpac.me/results/609e59ff-2dc7-474c-9ffa-56f055f3cefa/
SH256 hash:
cf7a4925fdb1f1add01d039751d168ecf9fc958efe3b926c14566d207de4b6b4
MD5 hash:
578b2c56cabfa2d2a29bc7c0184a8e1d
SHA1 hash:
11326b4b732c5cdb0edf9541c70d2dea3411ad6f
Link:
https://www.unpac.me/results/609e59ff-2dc7-474c-9ffa-56f055f3cefa/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cf7a4925fdb1f1add01d039751d168ecf9fc958efe3b926c14566d207de4b6b4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ByteCode_MSIL_Backdoor_AsyncRAT
Create hunting rule
Author:ReversingLabs
Description:Yara rule that detects AsyncRAT backdoor.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_SliverFox_String
Create hunting rule
Author:huoji
Description:Detect files is `SliverFox` malware
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MALWARE_Win_AsyncRAT
Create hunting rule
Author:ditekSHen
Description:Detects AsyncRAT
Rule name:MALWARE_Win_XWorm
Create hunting rule
Author:ditekSHen
Description:Detects XWorm
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteA
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::GetWindowsDirectoryA
kernel32.dll::GetSystemDirectoryA
kernel32.dll::GetTempPathA

Comments