MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e84c741db08b7ee5631703de25f8a9a6eb3aa5f3df56e1197960054174988394. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e84c741db08b7ee5631703de25f8a9a6eb3aa5f3df56e1197960054174988394
SHA3-384 hash: d83ab8ab0b541c18efc617033678e15d6ebb55aa4c378ad114199ca84e01e188ba19abf472df1630c795d393dc4146c2
SHA1 hash: 914ab01a0ba51b901ff639e75e86eb4b993cd199
MD5 hash: 3260b247f32839521194849f11d37c99
humanhash: july-lithium-winner-oranges
File name:ürün örnekleri pdf.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:875'520 bytes
First seen:2022-10-06 11:00:51 UTC
Last seen:2022-10-07 09:17:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 10f4dc33f9aef7f7a8c0be4814b95fde (1 x ModiLoader)
ssdeep 12288:Hkcz1cfQZIGdTetgXN+j5kiGNtlvSsg8J/2p9Uy1/GGmnAPU4wuvYe+msnzu8xdd:HR6f4wtgXUVkp1KsgSaH1/GGmArzGzr
Threatray 19'496 similar samples on MalwareBazaar
TLSH T168159D61B7CC8837D8A216384C1FA76C6DDDBF12292C318B36EEAD4C4A35D50BE46971
TrID 28.1% (.EXE) Win32 Executable Delphi generic (14182/79/4)
25.9% (.SCR) Windows screen saver (13101/52/3)
20.8% (.EXE) Win64 Executable (generic) (10523/12/4)
8.9% (.EXE) Win32 Executable (generic) (4505/5/1)
4.1% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 14044d4c4e0e0614 (4 x Formbook, 3 x ModiLoader, 1 x RemcosRAT)
Reporter Anonymous
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
229
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ürün örnekleri pdf.exe
Verdict:
No threats detected
Analysis date:
2022-10-06 11:31:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/80deb926-493e-4704-8e31-cbdc3a8a8bd4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/317253/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader45.22948.15371.18808.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
DNS request
Sending a custom TCP request
Searching for the window
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/41516/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger overlay packed
Link:
https://www.filescan.io/uploads/633eb57090cb824e9da030b3/reports/2fa2a511-81f7-4963-8d33-283139501334/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a596f714-5d2c-4773-bf85-81c0e5276856
Result
Threat name:
FormBook, DBatLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1085201
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Detected FormBook malware
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Steal Google chrome login data
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 717757 Sample: #U00fcr#U00fcn #U00f6rnekle... Startdate: 06/10/2022 Architecture: WINDOWS Score: 100 84 Malicious sample detected (through community Yara rule) 2->84 86 Antivirus detection for URL or domain 2->86 88 Multi AV Scanner detection for submitted file 2->88 90 6 other signatures 2->90 10 #U00fcr#U00fcn #U00f6rnekleri pdf.exe 1 20 2->10         started        process3 dnsIp4 68 l-0003.l-dc-msedge.net 13.107.43.12, 443, 49702, 49704 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 10->68 70 l-0004.l-dc-msedge.net 13.107.43.13, 443, 49701, 49703 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 10->70 72 3 other IPs or domains 10->72 46 C:\Users\Public\Libraries\Hsstkvhr.exe, PE32 10->46 dropped 48 C:\Users\...\Hsstkvhr.exe:Zone.Identifier, ASCII 10->48 dropped 116 Writes to foreign memory regions 10->116 118 Allocates memory in foreign processes 10->118 120 Creates a thread in another existing process (thread injection) 10->120 122 Injects a PE file into a foreign processes 10->122 15 iexpress.exe 10->15         started        file5 signatures6 process7 signatures8 124 Modifies the context of a thread in another process (thread injection) 15->124 126 Maps a DLL or memory area into another process 15->126 128 Sample uses process hollowing technique 15->128 130 2 other signatures 15->130 18 explorer.exe 15->18 injected process9 dnsIp10 50 www.8772876.com 172.67.207.5, 49715, 49716, 49717 CLOUDFLARENETUS United States 18->50 52 www.litblacklit.com 18->52 54 parkingpage.namecheap.com 198.54.117.216, 49718, 49719, 49720 NAMECHEAP-NETUS United States 18->54 92 System process connects to network (likely due to code injection or exploit) 18->92 94 Uses ipconfig to lookup or modify the Windows network settings 18->94 22 Hsstkvhr.exe 14 18->22         started        26 wscript.exe 18->26         started        29 Hsstkvhr.exe 16 18->29         started        31 ipconfig.exe 18->31         started        signatures11 process12 dnsIp13 56 ph-files.fe.1drv.com 22->56 58 onedrive.live.com 22->58 64 3 other IPs or domains 22->64 96 Multi AV Scanner detection for dropped file 22->96 98 Writes to foreign memory regions 22->98 100 Allocates memory in foreign processes 22->100 33 colorcpl.exe 2 22->33         started        42 C:\Users\user\AppData\...\323logrv.ini, data 26->42 dropped 44 C:\Users\user\AppData\...\323logri.ini, data 26->44 dropped 102 Detected FormBook malware 26->102 104 Tries to steal Mail credentials (via file / registry access) 26->104 106 Tries to harvest and steal browser information (history, passwords, etc) 26->106 114 2 other signatures 26->114 36 cmd.exe 26->36         started        60 ph-files.fe.1drv.com 29->60 62 onedrive.live.com 29->62 66 2 other IPs or domains 29->66 108 Creates a thread in another existing process (thread injection) 29->108 110 Injects a PE file into a foreign processes 29->110 38 colorcpl.exe 29->38         started        112 Tries to detect virtualization through RDTSC time measurements 31->112 file14 signatures15 process16 signatures17 74 Modifies the context of a thread in another process (thread injection) 33->74 76 Maps a DLL or memory area into another process 33->76 78 Sample uses process hollowing technique 33->78 80 Tries to detect virtualization through RDTSC time measurements 33->80 82 Tries to harvest and steal browser information (history, passwords, etc) 36->82 40 conhost.exe 36->40         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e84c741db08b7ee5631703de25f8a9a6eb3aa5f3df56e1197960054174988394/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-10-06 11:01:02 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5bghihnqrn7okyyxappcl6fju3vtvjpt35locglzmacuc5eyqoka._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0a874620c8336c25f8959fc05e5bc16b9b201fe2eb5849963028351f655469b4
ModiLoader
11ee62203523cda47eabd599dc02f50fe7fe0a3044d0a500a97bc3fafc332763
ModiLoader
3b6ebee77ad8b21b22a9841ba224dd5f23091f9c6d6989c17640f0c7d0a5a759
ModiLoader
3e48726d82d9e1f43739b669d15d4f08a829ac4b31b12a8e0e2f003dcb65ae11
ModiLoader
42dab012fe2a77f42f3021e2f31128ac964eb588b9e31736544fc4f789159197
ModiLoader
5a4c660c435c40ac3ad3772f22ede545822146ef02bfdcc08921f06689cefdad
ModiLoader
7d41c471d4c5893ee0dd1c50cb44d7215e6b9cb5a693a587a0d33d894dea13d7
ModiLoader
b1fa69e98d91d174851b755a68c214073833e5ac20fdd64f45a61ff0c4a47ad8
ModiLoader
e8c2f0fc24e8cc88308a76edbd992b6be7e6036f728a22c5e8fffc1cc199a7c2
ModiLoader
f3d62d6af61a403a1d4093e6e0df539c443438c80e274d3335805daa5c5a4271
ModiLoader
+ 19'486 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/221006-m4jr2ahdar/
Behaviour
Program crash
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5109116d-ca1a-4ac4-a96c-b200e1550b00
Unpacked files
SH256 hash:
e84c741db08b7ee5631703de25f8a9a6eb3aa5f3df56e1197960054174988394
MD5 hash:
3260b247f32839521194849f11d37c99
SHA1 hash:
914ab01a0ba51b901ff639e75e86eb4b993cd199
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/4cbee7e6-c65c-4bdb-a572-5e8283866f4e/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e84c741db08b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e84c741db08b7ee5631703de25f8a9a6eb3aa5f3df56e1197960054174988394

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/317253/

Comments