MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f83ad7329b642727ff0e4b9f4b690ad55588f605000ecb6643ac959f1a8f0b61. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f83ad7329b642727ff0e4b9f4b690ad55588f605000ecb6643ac959f1a8f0b61
SHA3-384 hash: 99af0d9f23b9088ba5df4a3247c5a64605db238311a4ace5c39fc78e8d0db6b5a59dc8e933b9f13006421e5df98bca5b
SHA1 hash: 187a35c3e84d0b4afef32705987c840f6729e133
MD5 hash: 7b98554d2ad0041be3a00121d8fcf9c3
humanhash: table-table-mississippi-bravo
File name:7b98554d2ad0041be3a00121d8fcf9c3
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'161'216 bytes
First seen:2021-12-11 15:42:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0ebb3c09b06b1666d307952e824c8697 (15 x RedLineStealer, 13 x LgoogLoader, 7 x NanoCore)
ssdeep 24576:q/7GYHe8GvrJ5D/xphVgq77x43BpWK5lRoLdOTuRWUK2:67GYHdGvrJhxphS3BMK5k
TLSH T18935BF02A3F94129F6F77F757EB462A54ABB7CA2BD38D68E1251009C0876B90D970733
File icon (PE):PE icon
dhash icon 6c646c92ec6c7978 (1 x ModiLoader)
Reporter zbetcheckin
Tags:32 exe ModiLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
212
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7b98554d2ad0041be3a00121d8fcf9c3
Verdict:
Malicious activity
Analysis date:
2021-12-11 15:45:26 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/36f99eb5-015d-4146-bad7-0faab3bfdc67

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/213327/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38030323.18253.11722.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% subdirectories
Launching a process
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Creating a process from a recently created file
Сreating synchronization primitives
DNS request
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/1643/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
evasive packed
Link:
https://www.filescan.io/uploads/61b4c70947ed217c013acf2e/reports/be16b0c5-2a97-4351-9865-580ccd2b9123/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
FormGrabber
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/423ba064-e362-42da-9209-f8fc3306d5d2
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.expl.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/905782
Signature
Creates processes via WMI
Drops PE files with a suspicious file extension
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Drops script at startup location
Sigma detected: Execution Of Other File Type Than .exe
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 538256 Sample: OAtBXx4b98 Startdate: 11/12/2021 Architecture: WINDOWS Score: 84 56 Multi AV Scanner detection for submitted file 2->56 58 Sigma detected: Drops script at startup location 2->58 60 Machine Learning detection for sample 2->60 62 Sigma detected: Execution Of Other File Type Than .exe 2->62 9 OAtBXx4b98.exe 1 5 2->9         started        11 wscript.exe 2->11         started        14 WjVcWskkmD.exe.com 2->14         started        17 rundll32.exe 2->17         started        process3 dnsIp4 19 cmd.exe 1 9->19         started        22 expand.exe 1 9->22         started        76 Creates processes via WMI 11->76 54 ggHErbRaOxGi.ggHErbRaOxGi 14->54 signatures5 process6 signatures7 64 Obfuscated command line found 19->64 66 Uses ping.exe to sleep 19->66 68 Drops PE files with a suspicious file extension 19->68 70 Uses ping.exe to check the status of other devices and networks 19->70 24 cmd.exe 3 19->24         started        28 PING.EXE 1 19->28         started        31 conhost.exe 19->31         started        33 conhost.exe 22->33         started        process8 dnsIp9 44 C:\Users\user\AppData\...\Ritornata.exe.com, PE32 24->44 dropped 74 Obfuscated command line found 24->74 35 Ritornata.exe.com 24->35         started        38 findstr.exe 1 24->38         started        52 127.0.0.1 unknown unknown 28->52 file10 signatures11 process12 signatures13 72 Drops PE files with a suspicious file extension 35->72 40 Ritornata.exe.com 6 35->40         started        process14 dnsIp15 50 ggHErbRaOxGi.ggHErbRaOxGi 40->50 46 C:\Users\user\AppData\...\WjVcWskkmD.exe.com, PE32 40->46 dropped 48 C:\Users\user\AppData\...\WjVcWskkmD.url, MS 40->48 dropped file16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f83ad7329b642727ff0e4b9f4b690ad55588f605000ecb6643ac959f1a8f0b61/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-12-11 13:21:28 UTC
File Type:
PE (Exe)
Extracted files:
25
AV detection:
12 of 28 (42.86%)
Threat level:
  5/5
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader bootkit persistence trojan
Link:
https://tria.ge/reports/211211-s5xceabdg3/
Behaviour
Runs ping.exe
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Writes to the Master Boot Record (MBR)
Drops startup file
Loads dropped DLL
Executes dropped EXE
ModiLoader First Stage
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
d627588dbca2d9ff4520ebfee35a58f52a83ecfe76ed79554ecf90d1e9ecc2ba
MD5 hash:
e84d63b263b78a8c3726825cde7e7883
SHA1 hash:
82dda09746b5a10fac5593e105e5f3a71b8c5259
Link:
https://www.unpac.me/results/547cc12b-4d01-44f3-b2dc-9dd5a8e59d62/
SH256 hash:
f83ad7329b642727ff0e4b9f4b690ad55588f605000ecb6643ac959f1a8f0b61
MD5 hash:
7b98554d2ad0041be3a00121d8fcf9c3
SHA1 hash:
187a35c3e84d0b4afef32705987c840f6729e133
Link:
https://www.unpac.me/results/547cc12b-4d01-44f3-b2dc-9dd5a8e59d62/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f83ad7329b642727ff0e4b9f4b690ad55588f605000ecb6643ac959f1a8f0b61

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ModiLoader

Executable exe f83ad7329b642727ff0e4b9f4b690ad55588f605000ecb6643ac959f1a8f0b61

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1875586/
Cape
Cape
https://www.capesandbox.com/analysis/213327/

Comments


Avatar
zbet commented on 2021-12-11 15:42:30 UTC

url : hxxp://5.255.103.37/myforum/uploads/323.exe