MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 faac5f6037f14d4d1dcb0b34b555c89791b536ea01a8bafa8851f3659c0123d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: faac5f6037f14d4d1dcb0b34b555c89791b536ea01a8bafa8851f3659c0123d7
SHA3-384 hash: 06dcf1df07c903fc18a7f5c478cbc17c13e2055413dab877881a022e4d1ccfbe7421ba441b0fca2a4626f21eb5960574
SHA1 hash: 04edcd948f8eee9d41b1fe31506271af72b20868
MD5 hash: d8fdc5279d7122d227ba5b4a0a79513c
humanhash: pip-green-bakerloo-chicken
File name:SecuriteInfo.com.Trojan.Siggen18.49748.28556.31887
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'181'696 bytes
First seen:2022-09-22 17:02:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 91b6e4fb629eadc1f5cf52b04582e49d (2 x ModiLoader, 1 x Formbook)
ssdeep 24576:2V8t1SaLGaE27cMQimshpzuFtqMoXwbPfQ9W8AoqiVNW:2+tycyeMms
TLSH T1AC45AE67B380C837C62726306D1F62657725FF453D18AE9936E4FEBC2F3A6902425782
TrID 26.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
24.5% (.SCR) Windows screen saver (13101/52/3)
19.7% (.EXE) Win64 Executable (generic) (10523/12/4)
8.4% (.EXE) Win32 Executable (generic) (4505/5/1)
5.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon 74f7e3db9fc5efca (4 x ModiLoader, 2 x Formbook)
Reporter SecuriteInfoCom
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
349
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.Siggen18.49748.28556.31887
Verdict:
Malicious activity
Analysis date:
2022-09-22 17:04:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7e8636be-69ca-4451-bf1c-857bed277b4a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/312406/
Detection(s):
SecuriteInfo.com.Trojan.Siggen18.49748.28556.31887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Creating a process from a recently created file
Searching for the window
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/38495/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook keylogger remcos
Link:
https://www.filescan.io/uploads/632c959e39767769653cfc0b/reports/448e88d4-464c-407d-b6c7-57f50e78161c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b473aa77-c845-4536-8610-5966ac901fa0
Result
Threat name:
DBatLoader, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1075471
Signature
Adds a directory exclusion to Windows Defender
Contains functionality to inject threads in other processes
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected DBatLoader
Yara detected RedLine Stealer
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 708013 Sample: SecuriteInfo.com.Trojan.Sig... Startdate: 22/09/2022 Architecture: WINDOWS Score: 100 76 Malicious sample detected (through community Yara rule) 2->76 78 Multi AV Scanner detection for dropped file 2->78 80 Multi AV Scanner detection for submitted file 2->80 82 3 other signatures 2->82 10 SecuriteInfo.com.Trojan.Siggen18.49748.28556.31887.exe 1 26 2->10         started        15 Fnnwaxpj.exe 15 2->15         started        17 Fnnwaxpj.exe 2->17         started        process3 dnsIp4 60 onedrive.live.com 10->60 68 2 other IPs or domains 10->68 52 C:\Users\Public\Libraries\Fnnwaxpj.exe, PE32 10->52 dropped 54 C:\Users\...\Fnnwaxpj.exe:Zone.Identifier, ASCII 10->54 dropped 56 C:\Users\Public\Libraries\Fnnwaxpj, data 10->56 dropped 58 2 other files (none is malicious) 10->58 dropped 96 Injects a PE file into a foreign processes 10->96 19 cmd.exe 3 10->19         started        22 SecuriteInfo.com.Trojan.Siggen18.49748.28556.31887.exe 10->22         started        62 onedrive.live.com 15->62 70 2 other IPs or domains 15->70 98 Multi AV Scanner detection for dropped file 15->98 100 Contains functionality to inject threads in other processes 15->100 24 Fnnwaxpj.exe 2 15->24         started        64 l-0003.l-dc-msedge.net 13.107.43.12, 443, 49711, 49713 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 17->64 66 onedrive.live.com 17->66 72 2 other IPs or domains 17->72 26 Fnnwaxpj.exe 17->26         started        file5 signatures6 process7 signatures8 84 Uses ping.exe to sleep 19->84 86 Drops executables to the windows directory (C:\Windows) and starts them 19->86 88 Uses ping.exe to check the status of other devices and networks 19->88 28 easinvoker.exe 19->28         started        30 PING.EXE 1 19->30         started        33 xcopy.exe 2 19->33         started        36 6 other processes 19->36 process9 dnsIp10 38 cmd.exe 1 28->38         started        74 127.0.0.1 unknown unknown 30->74 48 C:\Windows \System32\easinvoker.exe, PE32+ 33->48 dropped 50 C:\Windows \System32\netutils.dll, PE32+ 36->50 dropped file11 process12 signatures13 90 Suspicious powershell command line found 38->90 92 Adds a directory exclusion to Windows Defender 38->92 41 powershell.exe 21 38->41         started        44 conhost.exe 38->44         started        process14 signatures15 94 DLL side loading technique detected 41->94 46 conhost.exe 41->46         started        process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/faac5f6037f14d4d1dcb0b34b555c89791b536ea01a8bafa8851f3659c0123d7/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2022-09-22 11:42:33 UTC
File Type:
PE (Exe)
Extracted files:
54
AV detection:
7 of 41 (17.07%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7kwf6ybx6fgu2holbm2lkvois6i3knxkagulv6uikhzwlhabeplq._file
Verdict:
malicious
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader persistence trojan
Link:
https://tria.ge/reports/220922-vknwmsfgbn/
Behaviour
Enumerates system info in registry
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
ModiLoader Second Stage
ModiLoader, DBatLoader
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1c8966e7-0e3c-4501-a1fd-54c70a024b2f
Unpacked files
SH256 hash:
b44efc99aa637abb6b32fe45f0edfdc6e82f5626984d06c6c660690568ca7335
MD5 hash:
659102b565fb5ad1bd6f6cb31212bd86
SHA1 hash:
ec86a329feab1ba5c8e4aef14bad74db022ab5e0
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/36c45685-47ac-41e9-b6d1-7ff762b78fa3/
Parent samples :
faac5f6037f14d4d1dcb0b34b555c89791b536ea01a8bafa8851f3659c0123d7
6d68db4d0aa5bfc75ed6eb34a3680abb7ee99af0138419324e65749af1ba4b40
1f1b956451f7e90c7e306a4d0d762aa0d1f9b1b7c639ed8eda1a16dcdfa5b870
ac5e5935c877d48be14314d53a7154e370426a35168c82cb9ee83b7e98d02f28
f37aaec005b8c49d6376b138c96b2219b3060098ff5cd11d143a4983d2f9187b
SH256 hash:
86aa6feac5f3dd4d7ff7cd834baab2b95e01cf747a148fa3f5176355f7951165
MD5 hash:
fc869cd04d237461d43255e0c26e57c6
SHA1 hash:
1c393013c60cea2dde8f9884723963ba741ed649
Link:
https://www.unpac.me/results/36c45685-47ac-41e9-b6d1-7ff762b78fa3/
SH256 hash:
faac5f6037f14d4d1dcb0b34b555c89791b536ea01a8bafa8851f3659c0123d7
MD5 hash:
d8fdc5279d7122d227ba5b4a0a79513c
SHA1 hash:
04edcd948f8eee9d41b1fe31506271af72b20868
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/36c45685-47ac-41e9-b6d1-7ff762b78fa3/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/faac5f6037f1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/faac5f6037f14d4d1dcb0b34b555c89791b536ea01a8bafa8851f3659c0123d7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:RansomwareTest4
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest5
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/312406/

Comments