MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d54847c7831d92a014c603f004d75828da72ed8f9d270a18023706f1bb375415. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d54847c7831d92a014c603f004d75828da72ed8f9d270a18023706f1bb375415
SHA3-384 hash: 787fb6011f1064dfcb2c6fddf32d65431cd5f146ff7296136fc3706dd43e80ae1b8f1684fb8d4b9e5de7d3b97500c526
SHA1 hash: 161bf22fae724e741642bde5b73c458c45a2b0de
MD5 hash: 45e2bbc7c5df2378a2bd2217d6afddf2
humanhash: pluto-mango-illinois-avocado
File name:Piraeus Bank_swift_.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:2'254'960 bytes
First seen:2020-11-25 14:11:03 UTC
Last seen:2020-11-25 15:57:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 191f8035b5c11d5de8fd20cfdada0df2 (6 x ModiLoader)
ssdeep 49152:LR/ovVcOM1pJTYBzQ0DZVhlZfyiSCyiSV/CznFw9:LRmi/YBzZDZVLpi
Threatray 3'029 similar samples on MalwareBazaar
TLSH 70A5D023B1E3E03DC3B99AF99F7A66C81F6CFD513164684E71F47818C936940A8D325A
Reporter Racco42
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/105644/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Gathering data
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/547013
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Detected FormBook malware
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Steal Google chrome login data
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 322613 Sample: Piraeus Bank_swift_.exe Startdate: 25/11/2020 Architecture: WINDOWS Score: 100 41 www.stepgentertainment.com 2->41 51 Malicious sample detected (through community Yara rule) 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 Sigma detected: Steal Google chrome login data 2->55 57 4 other signatures 2->57 11 Piraeus Bank_swift_.exe 2->11         started        signatures3 process4 dnsIp5 47 discord.com 162.159.128.233, 443, 49740 CLOUDFLARENETUS United States 11->47 49 cdn.discordapp.com 162.159.129.233, 443, 49741 CLOUDFLARENETUS United States 11->49 67 Writes to foreign memory regions 11->67 69 Allocates memory in foreign processes 11->69 71 Creates a thread in another existing process (thread injection) 11->71 73 Injects a PE file into a foreign processes 11->73 15 ieinstal.exe 11->15         started        signatures6 process7 signatures8 77 Modifies the context of a thread in another process (thread injection) 15->77 79 Maps a DLL or memory area into another process 15->79 81 Sample uses process hollowing technique 15->81 83 Queues an APC in another process (thread injection) 15->83 18 explorer.exe 3 15->18 injected process9 dnsIp10 43 www.ajikrentcarsurabaya.com 18->43 45 www.stepgentertainment.com 18->45 21 msiexec.exe 1 18 18->21         started        25 ieinstal.exe 18->25         started        27 ieinstal.exe 18->27         started        process11 file12 35 C:\Users\user\AppData\...\50Mlogrv.ini, data 21->35 dropped 37 C:\Users\user\AppData\...\50Mlogri.ini, data 21->37 dropped 59 Detected FormBook malware 21->59 61 Tries to steal Mail credentials (via file access) 21->61 63 Tries to harvest and steal browser information (history, passwords, etc) 21->63 65 3 other signatures 21->65 29 cmd.exe 2 21->29         started        signatures13 process14 file15 39 C:\Users\user\AppData\Local\Temp\DB1, SQLite 29->39 dropped 75 Tries to harvest and steal browser information (history, passwords, etc) 29->75 33 conhost.exe 29->33         started        signatures16 process17
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d54847c7831d92a014c603f004d75828da72ed8f9d270a18023706f1bb375415/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-11-25 09:28:49 UTC
AV detection:
27 of 28 (96.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2veepr4ddwjkafggapyajv2yfdnhf3mptutqugacg4dpdozxkqkq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
017f433a49afcc765c5a5e7f39de6251fbe37d9c98f7d86f1abcefb1a9f559bc
ModiLoader
159676d64d4a593ffa25f69875f6dc59f05f75f3b135825b5ebda6c67adc475e
ModiLoader
41519f4cbc28650e8151b62f9a6b9503274a80d6dc51bade4a118812742e63ab
ModiLoader
48d22944fdf7cf66fd1423b6ab2dd0143d96b4db7915e088088b8f826d46b000
ModiLoader
61ce52bb7cf517275e2bea379104a392630ec8dc216790a910f4586efbdca4fb
ModiLoader
8afd54f2ed0af6d9593b0985cec1604748ca753900859fe4ee225d21b574e55e
ModiLoader
a6534d12c87d0d8093cad2787b01a05c6caa0771f1b1cb51b809ee1ae9f48044
ModiLoader
be29f9be4b998a7893c2c182c972406067eaf913364484a1fa824133d71ef54f
ModiLoader
da63e8bb36574c655d7d306574afbc4a67396b12cf8553b1149e0ac8560dc313
ModiLoader
e95f01bbde0fbd70670b820b972768e7fc5f23509495c805ddbc3271030f443c
ModiLoader
+ 3'019 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:modiloader persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/201125-1g2c8jfqvx/
Behaviour
Gathers network information
Modifies Internet Explorer settings
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
ModiLoader First Stage
Formbook
ModiLoader, DBatLoader
Malware Config
C2 Extraction:
http://www.joomlas123.info/3nop/
Unpacked files
SH256 hash:
d54847c7831d92a014c603f004d75828da72ed8f9d270a18023706f1bb375415
MD5 hash:
45e2bbc7c5df2378a2bd2217d6afddf2
SHA1 hash:
161bf22fae724e741642bde5b73c458c45a2b0de
Link:
https://www.unpac.me/results/ece975eb-7b8c-4762-9446-5c8efabbd4aa/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Cryptor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d54847c7831d92a014c603f004d75828da72ed8f9d270a18023706f1bb375415

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

Executable exe d54847c7831d92a014c603f004d75828da72ed8f9d270a18023706f1bb375415

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/105644/

Comments