MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1798c288b296009d8049ca5364b29b079d59fadc870af65e92fe5fa23bdcec5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d1798c288b296009d8049ca5364b29b079d59fadc870af65e92fe5fa23bdcec5
SHA3-384 hash: 4530ecf6a12240ef5c82a66efa85c8bdc0230666e883911a0c13def74e84b4d631a0c7c8c34f90a45b838101e1f342e1
SHA1 hash: 61dfb557d2e792229060bdeb21285f65daf48492
MD5 hash: eb8c68c29d6131d6b903dd268d6ff0ef
humanhash: sink-alabama-vermont-four
File name:Copie a bonului de plata.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:750'592 bytes
First seen:2022-11-29 11:46:26 UTC
Last seen:2022-11-29 13:28:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5a047051636dce23e36a7dceaf1507c0 (3 x ModiLoader)
ssdeep 12288:i1qMhtVLzLypCggIh36+O9dvjpQVeri4O2qKk/RqIkr:WFhHzmQgn6+8T/r7JaqI
TLSH T148F47D6771E04633D0262535DC5BA7A8692FBEE02F14B8562BE03DDC1F783CA742916B
TrID 44.6% (.EXE) InstallShield setup (43053/19/16)
14.7% (.EXE) Win32 Executable Delphi generic (14182/79/4)
13.5% (.SCR) Windows screen saver (13097/50/3)
10.9% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 2b29270727091921 (3 x ModiLoader)
Reporter pr0xylife
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
198
Origin country :
IE IE
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Copie a bonului de plata.exe
Verdict:
Malicious activity
Analysis date:
2022-11-29 11:47:12 UTC
Tags:
installer trojan formbook xloader stealer
Link:
https://app.any.run/tasks/dc9d8d74-59be-4e28-925f-45098fd8c79f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/339727/
Detection(s):
SecuriteInfo.com.Win32.Trojan-gen.5201.5191.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Win32.Trojan-gen.31819.28757.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Creating a process with a hidden window
Searching for the window
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Launching cmd.exe command interpreter
Creating a file in the %temp% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger overlay
Link:
https://www.filescan.io/uploads/6385f137559d07a06f485256/reports/f2481016-a4fa-446c-afcf-eaea3e37aaae/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4cce5f8f-bf3d-426a-bf25-17f1302157b2
Result
Threat name:
FormBook, DBatLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1123262
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Detected FormBook malware
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Steal Google chrome login data
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 755986 Sample: Copie a bonului de plata.exe Startdate: 29/11/2022 Architecture: WINDOWS Score: 100 58 Malicious sample detected (through community Yara rule) 2->58 60 Antivirus detection for URL or domain 2->60 62 Antivirus / Scanner detection for submitted sample 2->62 64 7 other signatures 2->64 10 Copie a bonului de plata.exe 1 18 2->10         started        process3 dnsIp4 52 ppq0oq.ph.files.1drv.com 10->52 54 ph-files.fe.1drv.com 10->54 56 onedrive.live.com 10->56 44 C:\Users\Public\Libraries44dvmyrkf.exe, PE32 10->44 dropped 46 C:\Users\...46dvmyrkf.exe:Zone.Identifier, ASCII 10->46 dropped 86 Writes to foreign memory regions 10->86 88 Allocates memory in foreign processes 10->88 90 Creates a thread in another existing process (thread injection) 10->90 92 Injects a PE file into a foreign processes 10->92 15 colorcpl.exe 2 10->15         started        file5 signatures6 process7 signatures8 104 Modifies the context of a thread in another process (thread injection) 15->104 106 Maps a DLL or memory area into another process 15->106 108 Sample uses process hollowing technique 15->108 110 2 other signatures 15->110 18 explorer.exe 15->18 injected process9 dnsIp10 48 www.stillwatersagawork.com 212.32.237.90, 49724, 49725, 80 LEASEWEB-NL-AMS-01NetherlandsNL Netherlands 18->48 50 www.jam-nins.com 5.183.8.25, 49721, 49722, 80 INTERXSCH Germany 18->50 66 System process connects to network (likely due to code injection or exploit) 18->66 22 Ndvmyrkf.exe 18->22         started        25 raserver.exe 18 18->25         started        28 msdt.exe 18->28         started        signatures11 process12 file13 68 Antivirus detection for dropped file 22->68 70 Multi AV Scanner detection for dropped file 22->70 72 Machine Learning detection for dropped file 22->72 82 4 other signatures 22->82 30 wscript.exe 22->30         started        40 C:\Users\user\AppData\...\9N3logrv.ini, data 25->40 dropped 42 C:\Users\user\AppData\...\9N3logri.ini, data 25->42 dropped 74 Detected FormBook malware 25->74 76 Tries to steal Mail credentials (via file / registry access) 25->76 78 Tries to harvest and steal browser information (history, passwords, etc) 25->78 84 2 other signatures 25->84 33 cmd.exe 25->33         started        80 Tries to detect virtualization through RDTSC time measurements 28->80 signatures14 process15 file16 94 Modifies the context of a thread in another process (thread injection) 30->94 96 Maps a DLL or memory area into another process 30->96 98 Sample uses process hollowing technique 30->98 100 Tries to detect virtualization through RDTSC time measurements 30->100 38 C:\Users\user\AppData\Local\Temp\DB1, SQLite 33->38 dropped 102 Tries to harvest and steal browser information (history, passwords, etc) 33->102 36 conhost.exe 33->36         started        signatures17 process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d1798c288b296009d8049ca5364b29b079d59fadc870af65e92fe5fa23bdcec5/
Threat name:
Win32.Trojan.Bingoml
Create hunting rule
Status:
Malicious
First seen:
2022-11-29 08:48:40 UTC
File Type:
PE (Exe)
Extracted files:
79
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2f4yykelffqatwaetsstmszjwb45lh5nzbyk6zpjf7s7ui55z3cq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:modiloader campaign:3nop persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/221129-nxvrdshh8w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Formbook payload
ModiLoader Second Stage
Formbook
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
7d8bba1b43cb7bb135ce920712c1b010d45f8e518348166dac552c1acac5b254
MD5 hash:
b82aa6e8ab6258f78df20b6e3eb8ced6
SHA1 hash:
4d0cb48e30a9defdcb84075e2cf0e46b8f137cf5
Link:
https://www.unpac.me/results/7c20f5e6-0384-4549-92c8-faae1d1e44ca/
SH256 hash:
d1798c288b296009d8049ca5364b29b079d59fadc870af65e92fe5fa23bdcec5
MD5 hash:
eb8c68c29d6131d6b903dd268d6ff0ef
SHA1 hash:
61dfb557d2e792229060bdeb21285f65daf48492
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/7c20f5e6-0384-4549-92c8-faae1d1e44ca/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d1798c288b29/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d1798c288b296009d8049ca5364b29b079d59fadc870af65e92fe5fa23bdcec5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/339727/

Comments