MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b212fe0dd1772af4629465b73343d7734a70b96cf71f6771ac314e3b0342894. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0b212fe0dd1772af4629465b73343d7734a70b96cf71f6771ac314e3b0342894
SHA3-384 hash: 2e73b08bbcc838ac84a4bab55f976c9170cbacea999f202185ef7970987249c8f7598ac54745cb2d837f378fcceb0f4f
SHA1 hash: 3d516fb7a7dfe835a47dac0935aa25a29a3cb747
MD5 hash: a47a6bcacab11be59183b1fbc94034a1
humanhash: west-magazine-delaware-black
File name:SIPARIŞ NO. 1691,pdf.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:715'264 bytes
First seen:2023-07-18 13:08:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9e10928b8d989366a4bb46fb419f8422 (2 x ModiLoader)
ssdeep 12288:hhlRos7bQ9K8xBX9d7JD66ibw2zUoR+g2jm4QOU84RC7AQ2:hfbb2Bb7VRibwlg2jm4QOqo8Q
Threatray 464 similar samples on MalwareBazaar
TLSH T15BE49D36B2AD573AC0F226FFD84FB269D81DBE701E1894458BCD3A2D2A751413C1A16F
TrID 84.9% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
4.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.2% (.SCR) Windows screen saver (13097/50/3)
2.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 81b4f0c4c4c2c400 (5 x ModiLoader)
Reporter abuse_ch
Tags:exe geo ModiLoader TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
270
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SIPARIŞ NO. 1691,pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-07-18 13:24:20 UTC
Tags:
dbatloader
Link:
https://app.any.run/tasks/4a2863cd-30c8-4af8-84b1-63db52982574

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/423563/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Gathering data
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/0b212fe0dd1772af4629465b73343d7734a70b96cf71f6771ac314e3b0342894
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dbatloader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/47ec8dd8-096a-4522-b37f-8b999d091db6
Result
Threat name:
DBatLoader, DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1275223
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Found C&C like URL pattern
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sample uses process hollowing technique
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes or reads registry keys via WMI
Yara detected DarkCloud
Yara detected DBatLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1275223 Sample: SIPARI#U015e_NO._1691,pdf.exe Startdate: 18/07/2023 Architecture: WINDOWS Score: 100 79 Found malware configuration 2->79 81 Malicious sample detected (through community Yara rule) 2->81 83 Multi AV Scanner detection for dropped file 2->83 85 9 other signatures 2->85 10 SIPARI#U015e_NO._1691,pdf.exe 1 7 2->10         started        15 Ltxikxud.bat 2->15         started        17 Ltxikxud.bat 2->17         started        process3 dnsIp4 63 web.fe.1drv.com 10->63 71 3 other IPs or domains 10->71 55 C:\Users\Public\Libraries\netutils.dll, PE32+ 10->55 dropped 57 C:\Users\Public\Libraries\easinvoker.exe, PE32+ 10->57 dropped 59 C:\Users\Public\Libraries\Ltxikxud.bat, PE32 10->59 dropped 99 Sample uses process hollowing technique 10->99 101 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 10->101 103 Writes or reads registry keys via WMI 10->103 19 cmd.exe 3 10->19         started        22 SIPARI#U015e_NO._1691,pdf.exe 1 38 10->22         started        65 web.fe.1drv.com 15->65 73 3 other IPs or domains 15->73 105 Multi AV Scanner detection for dropped file 15->105 107 Machine Learning detection for dropped file 15->107 109 Injects a PE file into a foreign processes 15->109 25 Ltxikxud.bat 15->25         started        67 192.168.2.1 unknown unknown 17->67 69 web.fe.1drv.com 17->69 75 3 other IPs or domains 17->75 27 Ltxikxud.bat 17->27         started        file5 signatures6 process7 dnsIp8 87 Uses ping.exe to sleep 19->87 89 Drops executables to the windows directory (C:\Windows) and starts them 19->89 91 Uses ping.exe to check the status of other devices and networks 19->91 29 easinvoker.exe 19->29         started        31 PING.EXE 1 19->31         started        34 xcopy.exe 2 19->34         started        39 6 other processes 19->39 61 jimbo.ydns.eu 2.59.255.67, 49723, 49726, 49727 CMCSUS Germany 22->61 37 WmiPrvSE.exe 22->37         started        93 Tries to harvest and steal browser information (history, passwords, etc) 27->93 signatures9 process10 dnsIp11 41 cmd.exe 1 29->41         started        77 127.0.0.1 unknown unknown 31->77 51 C:\Windows \System32\easinvoker.exe, PE32+ 34->51 dropped 53 C:\Windows \System32\netutils.dll, PE32+ 39->53 dropped file12 process13 signatures14 95 Suspicious powershell command line found 41->95 97 Adds a directory exclusion to Windows Defender 41->97 44 powershell.exe 21 41->44         started        47 conhost.exe 41->47         started        process15 signatures16 111 DLL side loading technique detected 44->111 49 conhost.exe 44->49         started        process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0b212fe0dd1772af4629465b73343d7734a70b96cf71f6771ac314e3b0342894/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-18 13:09:11 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
19 of 25 (76.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bmqs7yg5c5zk6rrjiznxgnb5o42koc4wz5y7m5y2ymkohmbufcka._file
Verdict:
malicious
Similar samples:
1cc4fab54263dfa842c80a72b78a9c223894264b9b4f25263d8fdc2f69def8a1
ModiLoader
2ac28f2913c6e2d231d0b67b49a3491f4046221a42ca349f586e0532ac257575
ModiLoader
3c2660c8eb5e8c66e608962ddb6a5ec9e58c1f948e4b9bc54a998a79823a9937
ModiLoader
5069d4603ed9201d98988deb46e1e5627d622f47a498b3decb96ae1b02da3496
ModiLoader
74f3991c2f65f8bfa4e39a908f8d4d73d8b502fed1d9910a9ed66773c0674c99
ModiLoader
c1e64e86dd89a5820bbb518ead2176741f91d3bf5c579e154533d44e816c1f76
ModiLoader
caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87
ModiLoader
d4c465f27047a494b15d0cd45c9506d7e8acafb93d02b2acf601b7b36599d1af
ModiLoader
ea70b9979a341160863f08becfdeb80c64450b37521dbbd6341cd4b88248a65d
ModiLoader
+ 454 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/230718-qdvcmabd2s/
Unpacked files
SH256 hash:
c05728efe62f2d8cf43fb6e7c024fc0d44951f45edebbf94636b7998d0a500a8
MD5 hash:
f318e1b30dbcb78c96d33aced6672849
SHA1 hash:
9302579df90229501897ca95c6da00a7420c2cd3
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/59c265ba-7d8e-4cdb-9144-f3d2d5f7c29d/
SH256 hash:
0b212fe0dd1772af4629465b73343d7734a70b96cf71f6771ac314e3b0342894
MD5 hash:
a47a6bcacab11be59183b1fbc94034a1
SHA1 hash:
3d516fb7a7dfe835a47dac0935aa25a29a3cb747
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/59c265ba-7d8e-4cdb-9144-f3d2d5f7c29d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0b212fe0dd17/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0b212fe0dd1772af4629465b73343d7734a70b96cf71f6771ac314e3b0342894

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CMD_Ping_Localhost
Create hunting rule
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

Executable exe 0b212fe0dd1772af4629465b73343d7734a70b96cf71f6771ac314e3b0342894

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/423563/

Comments