MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f28fc7b2cb76f0a714ef1e43b37ec0f5aa6c497d25d7de4379e8e0b91913d1c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ModiLoader


Vendor detections: 15



SHA256 hash: f28fc7b2cb76f0a714ef1e43b37ec0f5aa6c497d25d7de4379e8e0b91913d1c0
SHA3-384 hash: aa32a27de2b8f481bd90321f52ce8ee983e27cc2f82a97e7c2bfc586ae900dde497c89fac82ee3ee9581206763907f5e
SHA1 hash: bd739f8686a3a535b9d2faee8990c77f0de06884
MD5 hash: 557232ed6bcc3043cba02aedcbc96891
humanhash: twelve-hot-nitrogen-stairway
File name: f28fc7b2cb76f0a714ef1e43b37ec0f5aa6c497d25d7de4379e8e0b91913d1c0
Signature ModiLoader
File size: 1'009'664 bytes
First seen: 2022-08-05 10:49:36 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 205f6434858f3f8cc9e8b96d094507a2 (8 x DBatLoader, 4 x ModiLoader, 3 x AveMariaRAT)
ssdeep 24576:5DA1mchKTwkH17WtMBhiUDxvHiMYStUtVSn52pAf2rDNtl2aCHX:5Dhc8ZPbVI5Sn52KN
Threatray 14'536 similar samples on MalwareBazaar
TLSH T17A259E31E6E24433D473277C8E1B466599397E103E78D88A3BEA2D4C2FFD68139252D6
TrID 61.1% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
24.1% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
10.7% (.OCX) Windows ActiveX control (116521/4/18)
1.3% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.2% (.SCR) Windows screen saver (13101/52/3)
dhash icon c49af2e8ece0e6dc (8 x DBatLoader, 3 x ModiLoader, 2 x AveMariaRAT)
Reporter @adrian__luca
Tags: exe ModiLoader

Intelligence


File Origin
# of uploads: 1
# of downloads: 291
Origin country: HU
Mail intelligence
No data
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f28fc7b2cb76f0a714ef1e43b37ec0f5aa6c497d25d7de4379e8e0b91913d1c0
Verdict:
Malicious activity
Analysis date:
2022-08-05 10:48:53 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a window
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Creating a file
Launching a process
Creating a process with a hidden window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
5/10
Tags:
n/a
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
greyware keylogger obfuscated packed remcos
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
DBatLoader, FormBook
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Behavior Graph ID: 679238
Sample: mWyPrcv7Pl
Start date: 05/08/2022
Architecture: WINDOWS
Score: 100
Top-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected UAC Bypass using ComputerDefaults; 3 other signatures
Process tree:
  mWyPrcv7Pl.exe
    Network: l-0003.l-dc-msedge.net 13.107.43.12, 443, 49737, 49755 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); p5lwwa.am.files.1drv.com; 2 other IPs or domains
    Dropped files: C:\Users\Public\Libraries\Tdceco.exe (PE32); C:\Users\...\Tdceco.exe:Zone.Identifier (ASCII)
    Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
    Started: logagent.exe
      Started: WerFault.exe
  Tdceco.exe
    Network: 192.168.2.1 (unknown, unknown); p5lwwa.am.files.1drv.com; 2 other IPs or domains
    Signatures: Multi AV Scanner detection for dropped file
    Started: logagent.exe
      Started: WerFault.exe (2 instances)
  Tdceco.exe
    Network: 3 other IPs or domains
    Started: logagent.exe (2 instances)
Threat name:
Win32.Trojan.Remcos
Status:
Malicious
First seen:
2022-07-26 08:35:40 UTC
File Type:
PE (Exe)
Extracted files:
44
AV detection:
19 of 25 (76.00%)
Threat level:
5/5
Result
Malware family:
modiloader
Score:
10/10
Tags:
family:formbook family:modiloader campaign:t3c9 persistence rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Adds Run key to start application
Checks computer location settings
Formbook payload
ModiLoader Second Stage
Formbook
ModiLoader, DBatLoader
Unpacked files
SHA256 hash:
ab01f528e280f50c96ad22940f0548a2dfaf9ea0dcf04581d6b3c340163c6ceb
MD5 hash:
1c93800aabaa59428b8574e9f95f745f
SHA1 hash:
14751983d5263186bfc1b4acd15aaa91be6284c8
SHA256 hash:
e5cee39f56c43d207f40862077d5b015e62929ff21f9de4e45c3b958c8947770
MD5 hash:
0de7dbbda445e257c9169774b9a8000b
SHA1 hash:
23ab78a6fdd513f2b3877efc92a71fe7d44db0db
SHA256 hash:
f28fc7b2cb76f0a714ef1e43b37ec0f5aa6c497d25d7de4379e8e0b91913d1c0
MD5 hash:
557232ed6bcc3043cba02aedcbc96891
SHA1 hash:
bd739f8686a3a535b9d2faee8990c77f0de06884

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments