MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df4b4190cfbee8e0c9e6b8b6b02ba217bb25d7d97132bae5b447c4a039d25872. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: df4b4190cfbee8e0c9e6b8b6b02ba217bb25d7d97132bae5b447c4a039d25872
SHA3-384 hash: d9ad25943f420eca69739d61f676b9e31fd0cdf889aeda665be8654864930fff3ffb143a715cedfc1689c46801619418
SHA1 hash: 6b73010c672e3d933149944972e67759b4b6c903
MD5 hash: d0e4d2c9c280b02c6b11254f52f3bb36
humanhash: eighteen-avocado-mirror-green
File name:df4b4190cfbee8e0c9e6b8b6b02ba217bb25d7d97132bae5b447c4a039d25872
Download: download sample
Signature ModiLoader
Create hunting rule
File size:903'168 bytes
First seen:2023-05-14 09:28:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1b6943cba45637acffdb0f9d0b74387c (1 x AveMariaRAT, 1 x ModiLoader)
ssdeep 12288:zBTU8A8RppNfqVu3TZLt78lFC927150Pbkttml5OHN6dPph:zJ8+fNfVTZOlFbsKImHQdR
Threatray 3'332 similar samples on MalwareBazaar
TLSH T16A15CF21A1E2D037E2B317389E160395E81D3EA02E1C679FEEDBBD4D2B795653538207
TrID 84.1% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
4.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.1% (.SCR) Windows screen saver (13097/50/3)
2.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 74e0d4c2d4c6c0d4 (6 x ModiLoader, 3 x Formbook, 1 x AveMariaRAT)
Reporter petikvx
Tags:ModiLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
93
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
df4b4190cfbee8e0c9e6b8b6b02ba217bb25d7d97132bae5b447c4a039d25872
Verdict:
Malicious activity
Analysis date:
2023-05-14 09:28:41 UTC
Tags:
dbatloader
Link:
https://app.any.run/tasks/14c737e7-8b21-43d6-a812-39e699ca5f28

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/389312/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.66997675.32236.12233.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Creating a file in the %temp% directory
Searching for synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/84108/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger packed shell32.dll
Link:
https://www.filescan.io/uploads/6460a9aeca26a28d5b9158d0/reports/3fb75515-9204-4e4e-af00-10045aff9b52/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/df4b4190cfbee8e0c9e6b8b6b02ba217bb25d7d97132bae5b447c4a039d25872
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/06e869c2-527d-43a4-b5db-cb906d5d3d38
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1232707
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Detected FormBook malware
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Steal Google chrome login data
Snort IDS alert for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses netstat to query active network connections and open ports
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 865686 Sample: 7qXiEEjxD4.exe Startdate: 14/05/2023 Architecture: WINDOWS Score: 100 84 www.oyadji.ch 2->84 116 Snort IDS alert for network traffic 2->116 118 Found malware configuration 2->118 120 Malicious sample detected (through community Yara rule) 2->120 122 8 other signatures 2->122 11 7qXiEEjxD4.exe 1 9 2->11         started        16 Anixczef.exe 2->16         started        signatures3 process4 dnsIp5 86 web.fe.1drv.com 11->86 88 onedrive.live.com 11->88 90 2 other IPs or domains 11->90 76 C:\Users\Public\Libraries\netutils.dll, PE32+ 11->76 dropped 78 C:\Users\Public\Libraries\easinvoker.exe, PE32+ 11->78 dropped 80 C:\Users\Public\Libraries\Anixczef.exe, PE32 11->80 dropped 82 C:\Users\...\Anixczef.exe:Zone.Identifier, ASCII 11->82 dropped 158 Writes to foreign memory regions 11->158 160 Allocates memory in foreign processes 11->160 162 Creates a thread in another existing process (thread injection) 11->162 18 logagent.exe 11->18         started        21 cmd.exe 3 11->21         started        23 conhost.exe 11->23         started        164 Multi AV Scanner detection for dropped file 16->164 166 Machine Learning detection for dropped file 16->166 168 Injects a PE file into a foreign processes 16->168 25 SndVol.exe 16->25         started        file6 signatures7 process8 signatures9 100 Modifies the context of a thread in another process (thread injection) 18->100 102 Maps a DLL or memory area into another process 18->102 104 Sample uses process hollowing technique 18->104 106 Queues an APC in another process (thread injection) 18->106 27 explorer.exe 1 18->27 injected 108 Uses ping.exe to sleep 21->108 110 Drops executables to the windows directory (C:\Windows) and starts them 21->110 112 Uses ping.exe to check the status of other devices and networks 21->112 31 easinvoker.exe 21->31         started        33 PING.EXE 1 21->33         started        35 xcopy.exe 2 21->35         started        38 6 other processes 21->38 114 Tries to detect virtualization through RDTSC time measurements 25->114 process10 dnsIp11 92 www.paradigmacenter.online 185.215.4.36, 49714, 49715, 80 TVHORADADAES Denmark 27->92 94 www.beginwithallah.com 188.114.96.7, 49712, 49713, 80 CLOUDFLARENETUS European Union 27->94 154 System process connects to network (likely due to code injection or exploit) 27->154 156 Uses netstat to query active network connections and open ports 27->156 40 wlanext.exe 27->40         started        44 Anixczef.exe 27->44         started        46 cmmon32.exe 27->46         started        48 NETSTAT.EXE 27->48         started        50 cmd.exe 1 31->50         started        96 127.0.0.1 unknown unknown 33->96 98 192.168.2.1 unknown unknown 33->98 66 C:\Windows \System32\easinvoker.exe, PE32+ 35->66 dropped 68 C:\Windows \System32\netutils.dll, PE32+ 38->68 dropped file12 signatures13 process14 file15 72 C:\Users\user\AppData\...72NAlogrv.ini, data 40->72 dropped 74 C:\Users\user\AppData\...74NAlogri.ini, data 40->74 dropped 132 Detected FormBook malware 40->132 134 Tries to steal Mail credentials (via file / registry access) 40->134 136 Tries to harvest and steal browser information (history, passwords, etc) 40->136 152 3 other signatures 40->152 52 cmd.exe 40->52         started        138 Writes to foreign memory regions 44->138 140 Allocates memory in foreign processes 44->140 142 Creates a thread in another existing process (thread injection) 44->142 144 Injects a PE file into a foreign processes 44->144 56 SndVol.exe 44->56         started        146 Tries to detect virtualization through RDTSC time measurements 46->146 148 Suspicious powershell command line found 50->148 150 Adds a directory exclusion to Windows Defender 50->150 58 powershell.exe 23 50->58         started        60 conhost.exe 50->60         started        signatures16 process17 file18 70 C:\Users\user\AppData\Local\Temp\DB1, SQLite 52->70 dropped 124 Tries to harvest and steal browser information (history, passwords, etc) 52->124 62 conhost.exe 52->62         started        126 Modifies the context of a thread in another process (thread injection) 56->126 128 Maps a DLL or memory area into another process 56->128 130 Sample uses process hollowing technique 56->130 64 conhost.exe 58->64         started        signatures19 process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/df4b4190cfbee8e0c9e6b8b6b02ba217bb25d7d97132bae5b447c4a039d25872/
Threat name:
Win32.Trojan.ModiLoader
Create hunting rule
Status:
Malicious
First seen:
2023-05-11 18:34:09 UTC
File Type:
PE (Exe)
Extracted files:
61
AV detection:
24 of 37 (64.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=35fudegpx3uobspgxc3lak5cc65slv6zoezlvznui7ckaooslbza._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2fb0a24e905687a5443fbe50d21033e4318da3275260bd82d016a9af346bb09b
ModiLoader
3cae9ed5242ed6d9db578abeaf2fc2065955b6425338b2868be9cb63dec6fba1
ModiLoader
6e712a8a989b15c1469d1aab013e1374c2aefe81c06ba82d81deb00ea597f5fc
ModiLoader
8c5606a7010f8a4d5701c1b99fd91af0d1b59bf9bbedb345ba09b449a70fc29f
ModiLoader
9eb2b7acb3ab10e79a731f59d8cb0674cdaeff303db290a18e86d808d0aeb6ca
ModiLoader
bcbc7292390399fb9dc2b818dcf83aee848ad78b05cb96b6c294f70b579f63b7
ModiLoader
cc306bb2d4ff7a9b6a4526abfe0ee05610bc1f34f8c4b96f465c44412558516f
ModiLoader
f2de7e1866310a43bf34f50a907b7ec8ff5c7b9ae4421c304e26aed008f30850
ModiLoader
f877daae32612cf737745b22467c63f63e1961a6135289125dd228604fa0c29e
ModiLoader
f8b1ba811be8ffc9b87d3f55b5c8c0a10b3d468f119eaf1d5c36d5664b940a84
ModiLoader
+ 3'322 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:modiloader campaign:na2c persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/230514-lfebzabd83/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Formbook payload
ModiLoader Second Stage
Formbook
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
aef506835ff5c236ba875e719d2a120afd2ef39eb482ee96b1c852656ca45fd6
MD5 hash:
5d722c9751c7f84575459d330a9e2ad9
SHA1 hash:
b72cddeb39d7b486b832ceb018b9418e5a7368b0
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/4f9d47ed-c1ed-4d77-a3a0-90a23a6e83dd/
Parent samples :
2a62b0901586adcfed9a57c10d5cdd13b53db183d52c9e3ab296df05d634b146
df4b4190cfbee8e0c9e6b8b6b02ba217bb25d7d97132bae5b447c4a039d25872
SH256 hash:
df4b4190cfbee8e0c9e6b8b6b02ba217bb25d7d97132bae5b447c4a039d25872
MD5 hash:
d0e4d2c9c280b02c6b11254f52f3bb36
SHA1 hash:
6b73010c672e3d933149944972e67759b4b6c903
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/4f9d47ed-c1ed-4d77-a3a0-90a23a6e83dd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.21
Link:
https://yomi.yoroi.company/submissions/df4b4190cfbee8e0c9e6b8b6b02ba217bb25d7d97132bae5b447c4a039d25872

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CMD_Ping_Localhost
Create hunting rule
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/389312/

Comments