MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7f4fdb02b9f0f43c5325e8b0ea8ce07ee78c5aa63ccfb1892b079bbd2400874. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e7f4fdb02b9f0f43c5325e8b0ea8ce07ee78c5aa63ccfb1892b079bbd2400874
SHA3-384 hash: 359aab4aa18426c0acecc2a9c2443fd4b6e85cd641eaeae7d2e7a303de1638989b4ccfc28fe657083cd3b649a11e8f61
SHA1 hash: 2ff461c9043df60b42d1f62a946028c5d93bd50f
MD5 hash: 77f43296853c963258a23a891f9e9cb5
humanhash: oranges-fourteen-quebec-autumn
File name:PRIJENOS SWIFT jpg.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:902'656 bytes
First seen:2022-09-15 11:43:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8bbd6f19009894fa1ab803b23f677f9e (3 x ModiLoader, 1 x RemcosRAT)
ssdeep 12288:xOoNkC1LR7d1g1Iasz4l4yDoCHjsG83q/rhf7fvQBRW:xbpRh1i+4ToT3q/lvkR
Threatray 2'270 similar samples on MalwareBazaar
TLSH T1CD159EF6B2F0CE33C12319BECE7A71845E6DBF911911744E67E43948DF78282282A657
TrID 84.1% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
4.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.1% (.SCR) Windows screen saver (13101/52/3)
2.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 33d0d89696d8d033 (14 x ModiLoader, 9 x DBatLoader, 6 x Formbook)
Reporter TeamDreier
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
257
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
PRIJENOS SWIFT jpg.exe
Verdict:
Malicious activity
Analysis date:
2022-09-16 08:11:18 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/2cf19217-ebf5-4af6-b728-c39cbf35772f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/310223/
Detection(s):
SecuriteInfo.com.Trojan.Siggen18.41399.13008.13246.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Creating a process with a hidden window
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Launching cmd.exe command interpreter
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Сreating synchronization primitives
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/37696/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger overlay
Link:
https://www.filescan.io/uploads/6323106c35180ec88e2cb022/reports/dec7d829-30e3-4c3d-aef1-ea3d811b6432/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7f6474d9-31a3-40d0-a44c-6d46c5f9153c
Result
Threat name:
FormBook, DBatLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1070848
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Detected FormBook malware
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Steal Google chrome login data
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 703391 Sample: PRIJENOS SWIFT jpg.exe Startdate: 15/09/2022 Architecture: WINDOWS Score: 100 67 Malicious sample detected (through community Yara rule) 2->67 69 Antivirus detection for URL or domain 2->69 71 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->71 73 7 other signatures 2->73 10 PRIJENOS SWIFT jpg.exe 1 18 2->10         started        process3 dnsIp4 61 ph-files.fe.1drv.com 10->61 63 onedrive.live.com 10->63 65 55ymwg.ph.files.1drv.com 10->65 43 C:\Users\Public\Libraries\Hrwqkuxe.exe, PE32 10->43 dropped 45 C:\Users\Public\Libraries\Hrwqkuxe, data 10->45 dropped 85 Writes to foreign memory regions 10->85 87 Allocates memory in foreign processes 10->87 89 Creates a thread in another existing process (thread injection) 10->89 91 Injects a PE file into a foreign processes 10->91 15 iexpress.exe 10->15         started        file5 signatures6 process7 signatures8 95 Modifies the context of a thread in another process (thread injection) 15->95 97 Maps a DLL or memory area into another process 15->97 99 Sample uses process hollowing technique 15->99 101 2 other signatures 15->101 18 explorer.exe 15->18 injected process9 process10 20 control.exe 18 18->20         started        24 Hrwqkuxe.exe 14 18->24         started        27 Hrwqkuxe.exe 14 18->27         started        dnsIp11 39 C:\Users\user\AppData\...\KK4logrv.ini, data 20->39 dropped 41 C:\Users\user\AppData\...\KK4logri.ini, data 20->41 dropped 75 Detected FormBook malware 20->75 77 Tries to steal Mail credentials (via file / registry access) 20->77 79 Tries to harvest and steal browser information (history, passwords, etc) 20->79 83 2 other signatures 20->83 29 cmd.exe 20->29         started        49 ph-files.fe.1drv.com 24->49 51 onedrive.live.com 24->51 53 55ymwg.ph.files.1drv.com 24->53 81 Multi AV Scanner detection for dropped file 24->81 33 iexpress.exe 24->33         started        55 ph-files.fe.1drv.com 27->55 57 onedrive.live.com 27->57 59 55ymwg.ph.files.1drv.com 27->59 35 iexpress.exe 27->35         started        file12 signatures13 process14 file15 47 C:\Users\user\AppData\Local\Temp\DB1, SQLite 29->47 dropped 93 Tries to harvest and steal browser information (history, passwords, etc) 29->93 37 conhost.exe 29->37         started        signatures16 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e7f4fdb02b9f0f43c5325e8b0ea8ce07ee78c5aa63ccfb1892b079bbd2400874/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-09-14 09:49:19 UTC
File Type:
PE (Exe)
Extracted files:
45
AV detection:
26 of 40 (65.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=472p3mblt4huhrjsl2fq5kgoa7xhrrnkmpgpwgeswb43xusabb2a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
06d75de3031e1429046bb404d0127f91737fae6178bc43bc06f7428a65c85572
ModiLoader
2f4ac5b738edee6eba72fda547fcc09e92a80f62836f79cd171616b5c7219811
ModiLoader
35256002ef756a42079880ccdec95862e80830e69ebc56225f2b2a34ec28f771
ModiLoader
4bd0c1c5a6eb5e3bb2e84db799270248f5467dfb3e6e3b1d8db14887eeecae5e
ModiLoader
4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353
ModiLoader
91b614fe4c7a4fa0161cc691a8397743dfece369304fa73942a3c544992b107a
ModiLoader
94b27063b9625806f22b815cba850fa7908f481ae3e8b11c64832a3dd1e97f1a
ModiLoader
9bccba2dd88df736c04d6d657879abe5b3bee28103aecedbba19b91b684d43af
ModiLoader
d080a745b7938d247a21fe80650dd1e392eb37326882536a111a16acb6b49082
ModiLoader
d16b5b8db05a9ea05420e30d325663b8eddefc11eb081b8c9786b6f2997b16e2
ModiLoader
+ 2'260 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:modiloader campaign:kmge persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/220915-nv6e4schf4/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Formbook payload
ModiLoader Second Stage
Formbook
ModiLoader, DBatLoader
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/035c383a-0dab-4f31-90f2-f8e70c1ce33c
Unpacked files
SH256 hash:
002d54f655cf8f16866c478261daadd51896310839a7e3da98ace9873323c9fc
MD5 hash:
eb295d7d7804e778f9f5ae4783379ccc
SHA1 hash:
d1b9df6113a548dd362fc0cb611c78eef2124f73
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/5b141ee2-53f1-4ee4-a2b7-63342108dd86/
Parent samples :
e678b49addfe3e9fa2c9836bf6d0cc3bed0310f87cdcafd0fce458985c5276c8
911c27a105a2e71591d12567053d8024f4c15c95ce4f1d67937ef1a3d723c263
7ff888a459a2476f9e3dfcaf8799f30bc24808d103606512503949b3ab818cc4
61d2d7bcb9665785fd5571a546cbad026f349a138e2a32f2dbeed90f5480a0a3
24b237c6dcd5b3f5cb3e687e4fa169fef7bce3f6fe1eb5a89bafd99656dfd353
4272fd59d96204a2d503f3356fe96fed2c6d3bf019c7ef25aacff0e1c36a758a
f3feaf830444cc6786b6d4e06bd4a2aef79519ebe3e336882d410268db96292c
e7f4fdb02b9f0f43c5325e8b0ea8ce07ee78c5aa63ccfb1892b079bbd2400874
c60e8a14abc81ae3f2ffbe04b32240a92b900107e4acc9eb88e43632aee1266c
44e94b15723fb3ee7cf9d710939d7fda2273622f2284e30cfa67d280a206eb62
SH256 hash:
e7f4fdb02b9f0f43c5325e8b0ea8ce07ee78c5aa63ccfb1892b079bbd2400874
MD5 hash:
77f43296853c963258a23a891f9e9cb5
SHA1 hash:
2ff461c9043df60b42d1f62a946028c5d93bd50f
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/5b141ee2-53f1-4ee4-a2b7-63342108dd86/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e7f4fdb02b9f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e7f4fdb02b9f0f43c5325e8b0ea8ce07ee78c5aa63ccfb1892b079bbd2400874

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:RansomwareTest4
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest5
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

Executable exe e7f4fdb02b9f0f43c5325e8b0ea8ce07ee78c5aa63ccfb1892b079bbd2400874

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/310223/

Comments