MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16dbc44d14a74defb998a30220b5401ab840e1590e895a3ed5b2cb96b4c3a3c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ModiLoader

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	16dbc44d14a74defb998a30220b5401ab840e1590e895a3ed5b2cb96b4c3a3c3
SHA3-384 hash:	1e65610431fccc251c13f14da63217fd3467cb9e9b31e43a4409e07173293350cb225dd9e346edd9a27188f10fdc7c3a
SHA1 hash:	62c07905f0aaa23f398c943cd1000599bb311a8d
MD5 hash:	e23ca3ab7caf997d8361acea70517567
humanhash:	golf-freddie-oklahoma-crazy
File name:	sipariş PO_8791121-964-29 pdf.exe
Download:	download sample
Signature	ModiLoader Create hunting rule
File size:	861'184 bytes
First seen:	2023-05-16 10:19:09 UTC
Last seen:	2023-05-17 19:37:19 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	b994e2b35fac0eca9b95949a165480a1 (5 x ModiLoader, 2 x Formbook, 1 x RemcosRAT)
ssdeep	12288:IEaSIJxsS4ISFSs417nXbaGBazVb8N0K1Wqt:/F0mcSFS77LaG6VIEA
Threatray	2'899 similar samples on MalwareBazaar
TLSH	T1AD057C1AF2C2D933C1A3BB385D279710642C7F24182BF96736CA795CDA7BA423D05E52
TrID	75.3% (.EXE) Win32 Executable Borland Delphi 6 (262638/61) 12.3% (.EXE) InstallShield setup (43053/19/16) 4.0% (.EXE) Win32 Executable Delphi generic (14182/79/4) 3.7% (.SCR) Windows screen saver (13097/50/3) 1.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	d4d4d4c4c4c4e4c8 (5 x ModiLoader, 3 x AveMariaRAT, 2 x Formbook)
Reporter	lowmal3
Tags:	exe ModiLoader

Intelligence

File Origin

# of uploads :

# of downloads :

244

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

sipariş PO_8791121-964-29 pdf.exe

Verdict:

No threats detected

Analysis date:

2023-05-16 10:20:52 UTC

Tags:

installer

Link:

https://app.any.run/tasks/4d9b7ae6-9533-4dff-8070-9709e8d365de

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/390365/

Detection(s):

SecuriteInfo.com.Win32.Malware-gen.23019.27145.UNOFFICIAL

SecuriteInfo.com.Win32.Evo-gen.31518.29447.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Launching a process

Сreating synchronization primitives

Creating a window

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

greyware keylogger overlay

Link:

https://www.filescan.io/uploads/646358d51865ea590a014979/reports/7fbf0e01-b608-4c5d-8348-c3e1dc99531b/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/16dbc44d14a74defb998a30220b5401ab840e1590e895a3ed5b2cb96b4c3a3c3

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c649abde-caef-41cd-8e74-17d5ab3a8b08

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/1234729

Signature

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Uses Windows timers to delay execution

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/16dbc44d14a74defb998a30220b5401ab840e1590e895a3ed5b2cb96b4c3a3c3/

Threat name:

Win32.Trojan.Delf

Status:

Malicious

First seen:

2023-05-16 10:20:10 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=c3n4itiuu5g67omyumbcbnkadk4ebykzb2evupwvwlfznngdupbq._file

Verdict:

malicious

Label(s):

formbook

ModiLoader

2413b677dc6d6a5c958ce9b8cfab7eab38151088dcbe5a1d3b0ea903a0fc5ef6

ModiLoader

4a85949b7ffe19e22e4191b55b225cb3ac8b59246785144f585006b94e9ba574

ModiLoader

56462c46e025fb1ddfe7793825dbde4130e9db4052b271f21b60069efeba96f6

ModiLoader

c4ab14d93e54b2c6e70fa0f284cee729b56186894dfdff4207cbc3d0c690c80f

ModiLoader

c6b45b5143c6a8aefe0c044db55553615eae339eeb70280146235369ebd4f49b

ModiLoader

d1798c288b296009d8049ca5364b29b079d59fadc870af65e92fe5fa23bdcec5

ModiLoader

d65074de0434f87442490fd9b1dead7f0feff44e1b49ee74ac9636f67c3d66d2

ModiLoader

e57304555042d5835094d3ee4cdbcfc713e089f1af6b6764c76673a43c34c971

ModiLoader

+ 2'889 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/230516-mc4m5aah5z/

Behaviour

Program crash

Unpacked files

SH256 hash:

16dbc44d14a74defb998a30220b5401ab840e1590e895a3ed5b2cb96b4c3a3c3

MD5 hash:

e23ca3ab7caf997d8361acea70517567

SHA1 hash:

62c07905f0aaa23f398c943cd1000599bb311a8d

Detections:

DbatLoaderStage1

win_dbatloader_g1

Link:

https://www.unpac.me/results/0b0d200b-f043-4b17-beab-73648be5aaf9/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/16dbc44d14a7/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CMD_Ping_Localhost Create hunting rule

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/390365/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample