MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17be5ebb05d5ecda4b88767177423b1198ec32869d58f244a9a63f7d2133f0f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ModiLoader

Vendor detections: 14

Intelligence 14 IOCs YARA 5 File information Comments

SHA256 hash:	17be5ebb05d5ecda4b88767177423b1198ec32869d58f244a9a63f7d2133f0f1
SHA3-384 hash:	13eb535b1c3147d9d61b84f09791be161a9d3fc846be2e5447ab88db012d22ecd058bef5cdb349eb7aad31d81615a377
SHA1 hash:	adea4f4e4c405451716cd5432cc7d2e667d3055f
MD5 hash:	283a50a3487a6d99a24e96d7c2e9378e
humanhash:	oxygen-tennessee-princess-hot
File name:	283a50a3487a6d99a24e96d7c2e9378e.exe
Download:	download sample
Signature	ModiLoader Create hunting rule
File size:	722'944 bytes
First seen:	2023-06-22 06:12:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	02d762f1aaf16e6c8e03fe60f0c9d48e (2 x ModiLoader, 1 x RemcosRAT, 1 x AveMariaRAT)
ssdeep	12288:mTlUbdpW5/5o8FF2FENOeqBWJz4RC7AStkCizoHm8gn7hQEL:mTqC/5otAqYOo8StkCizoH9gnGE
Threatray	16 similar samples on MalwareBazaar
TLSH	T138F4AF63B1B04077C2B32D798B46A7E9781D7D242D2439559AF43E88BF39242B8253DF
TrID	84.9% (.EXE) Win32 Executable Borland Delphi 6 (262638/61) 4.5% (.EXE) Win32 Executable Delphi generic (14182/79/4) 4.2% (.SCR) Windows screen saver (13097/50/3) 2.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 1.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	808fb3f4d6d6d3af (3 x RemcosRAT, 2 x Formbook, 2 x DBatLoader)
Reporter	abuse_ch
Tags:	exe ModiLoader

Intelligence

File Origin

# of uploads :

# of downloads :

259

Origin country :

Vendor Threat Intelligence

Malware family:

remcos

ID:

File name:

https://careerbeam.in/doc/PurchaseOrderRequestPO7367346document_file.7z

Verdict:

Malicious activity

Analysis date:

2023-06-21 03:56:08 UTC

Tags:

remcos

Link:

https://app.any.run/tasks/8805d427-caa8-416d-add6-c4eab2d49fb9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/401556/

Detection(s):

SecuriteInfo.com.Variant.Zusy.470739.26972.8721.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

DNS request

Sending a custom TCP request

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

keylogger lolbin

Link:

https://www.filescan.io/uploads/6493e6708d2002f9452b26d2/reports/83134405-9a1a-4fd7-beae-80c5568866b5/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/17be5ebb05d5ecda4b88767177423b1198ec32869d58f244a9a63f7d2133f0f1

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Dbatloader

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/91a76f41-d6ee-46da-a851-1d8380d1f3ea

Result

Threat name:

DBatLoader

Detection:

malicious

Classification:

troj

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/1259437

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected DBatLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/17be5ebb05d5ecda4b88767177423b1198ec32869d58f244a9a63f7d2133f0f1/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-06-21 03:45:28 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=c67f5oyf2xwnus4iozyxoqr3cgmoymugtvmperfjuy7x2ijt6dyq._file

Verdict:

malicious

ModiLoader

323dc9de135c89b75b7a42b2c5a6327e09acafe52c035464316e170f3f55b6ac

ModiLoader

36b01f2918bc713fb4a312e98ff091a0f36d227b4c3e51a77ccce6b554d45287

ModiLoader

5069d4603ed9201d98988deb46e1e5627d622f47a498b3decb96ae1b02da3496

ModiLoader

5c6873fd1aa1695b372614ca9f9d67bd1150f45da9d8781a4fadcb9f381a2d82

ModiLoader

7cfdbb46f90befe58e3f7487c9a807328f69c223fa0fc240ce292bb7d85ef099

ModiLoader

c6b9351ebdc6c29c327f1c49af903664b8df0ebd221da40c02bfc6aba6a07663

ModiLoader

f89aacb2c1c9d60e078ba59e7a1eab4ff05c8bf94fea2611735b94dacb7a8c9b

ModiLoader

+ 6 additional samples on MalwareBazaar

Result

Malware family:

modiloader

Score:

10/10

Tags:

family:modiloader trojan

Link:

https://tria.ge/reports/230622-gyq19seb3y/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

ModiLoader Second Stage

ModiLoader, DBatLoader

Unpacked files

SH256 hash:

d9d75897f3e27e941c6e90a6142c1c44c3a6251ddb73a6e1059a77af6eb7d02b

MD5 hash:

7df1198d0578f28bd0f6001adae0f70f

SHA1 hash:

d42d5732c12563a634127b6460506718a7d8e67f

Detections:

win_dbatloader_g1

Link:

https://www.unpac.me/results/e3d46753-f74c-4bd0-95ba-ab0066ae81ab/

Parent samples :

1cb71707945bdd125f22f53b0965eb2538c91aad7bffb2ff3d0c4209d6a3f11f
7cfdbb46f90befe58e3f7487c9a807328f69c223fa0fc240ce292bb7d85ef099
17be5ebb05d5ecda4b88767177423b1198ec32869d58f244a9a63f7d2133f0f1
1f83219e709b7a876c79306a5e0a7f1773a44e537b4223d74f2e4d2d2d805f11

SH256 hash:

17be5ebb05d5ecda4b88767177423b1198ec32869d58f244a9a63f7d2133f0f1

MD5 hash:

283a50a3487a6d99a24e96d7c2e9378e

SHA1 hash:

adea4f4e4c405451716cd5432cc7d2e667d3055f

Detections:

DbatLoaderStage1

Link:

https://www.unpac.me/results/e3d46753-f74c-4bd0-95ba-ab0066ae81ab/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/17be5ebb05d5ecda4b88767177423b1198ec32869d58f244a9a63f7d2133f0f1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CMD_Ping_Localhost Create hunting rule

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Typical_Malware_String_Transforms Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

Rule name:	Typical_Malware_String_Transforms_RID3473 Create hunting rule
Author:	Florian Roth
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/401556/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample