MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1cb71707945bdd125f22f53b0965eb2538c91aad7bffb2ff3d0c4209d6a3f11f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 14


Intelligence 14 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1cb71707945bdd125f22f53b0965eb2538c91aad7bffb2ff3d0c4209d6a3f11f
SHA3-384 hash: 6aaeacdcb042dda99671973955c0414903abe0bf87f549c48e2db38672cb046be5aba89efbacaea19c36f4c89f38da07
SHA1 hash: 66ab4a689c95d7659cd324128aaad16c9e58bf0b
MD5 hash: 75556fee86769929761d838272b0fa37
humanhash: robin-bakerloo-mobile-triple
File name:EFT TransactionsUSD2198.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:785'120 bytes
First seen:2023-06-21 08:26:18 UTC
Last seen:2023-06-21 11:24:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 02d762f1aaf16e6c8e03fe60f0c9d48e (2 x ModiLoader, 1 x RemcosRAT, 1 x AveMariaRAT)
ssdeep 12288:eTlUbdpW5/5o8FF2FENOeqBWJz4RC7A/tkCizoHm8gn7hQELz5dHP:eTqC/5otAqYOo8/tkCizoH9gnGEnb
Threatray 106 similar samples on MalwareBazaar
TLSH T131F4BFA3B6B04137C3F32E7D9842E7E9B9287D6129143A196EF45A087F78281783475F
TrID 51.9% (.EXE) InstallShield setup (43053/19/16)
17.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
15.7% (.SCR) Windows screen saver (13097/50/3)
5.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon e3e1e3f1d9c9dbe2 (11 x AveMariaRAT, 9 x ModiLoader, 2 x Neurevt)
Reporter cocaman
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
290
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
EFT TransactionsUSD2198.exe
Verdict:
Malicious activity
Analysis date:
2023-06-21 08:29:18 UTC
Tags:
installer
Link:
https://app.any.run/tasks/c75909f4-c9ef-482f-9c45-8ee1dea389f9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/401260/
Detection(s):
SecuriteInfo.com.Variant.Zusy.470739.3834.27880.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
keylogger lolbin overlay packed
Link:
https://www.filescan.io/uploads/6492b45863e40cba68019aeb/reports/0fbf2ebc-90d5-442e-81ff-d6791a0d06da/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/1cb71707945bdd125f22f53b0965eb2538c91aad7bffb2ff3d0c4209d6a3f11f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dbatloader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/80f2e198-ecdc-4fb5-a88b-c0de1eb330ac
Result
Threat name:
AveMaria, DBatLoader, UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1258872
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to check if Internet connection is working
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected DBatLoader
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 891892 Sample: EFT_TransactionsUSD2198.exe Startdate: 21/06/2023 Architecture: WINDOWS Score: 100 30 donelpacino.ddns.net 2->30 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 Antivirus / Scanner detection for submitted sample 2->58 60 8 other signatures 2->60 7 EFT_TransactionsUSD2198.exe 1 3 2->7         started        12 Dxuddpyf.bat 2->12         started        14 Dxuddpyf.bat 2->14         started        signatures3 process4 dnsIp5 32 web.fe.1drv.com 7->32 34 onedrive.live.com 7->34 40 2 other IPs or domains 7->40 24 C:\Users\Public\Libraries\fypdduxD.bat, PE32 7->24 dropped 26 C:\Users\Public\Libraries\Dxuddpyf.bat, PE32 7->26 dropped 62 Writes to foreign memory regions 7->62 64 Allocates memory in foreign processes 7->64 66 Sample uses process hollowing technique 7->66 16 fypdduxD.bat 3 2 7->16         started        36 web.fe.1drv.com 12->36 42 3 other IPs or domains 12->42 68 Antivirus detection for dropped file 12->68 70 Multi AV Scanner detection for dropped file 12->70 72 Machine Learning detection for dropped file 12->72 20 fypdduxD.bat 1 12->20         started        38 web.fe.1drv.com 14->38 44 3 other IPs or domains 14->44 74 Injects a PE file into a foreign processes 14->74 22 fypdduxD.bat 1 14->22         started        file6 signatures7 process8 dnsIp9 28 donelpacino.ddns.net 80.85.153.166, 4545, 49682, 49683 CHELYABINSK-SIGNAL-ASRU Russian Federation 16->28 46 Detected unpacking (changes PE section rights) 16->46 48 Detected unpacking (overwrites its own PE header) 16->48 50 Contains functionality to check if Internet connection is working 16->50 52 5 other signatures 16->52 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1cb71707945bdd125f22f53b0965eb2538c91aad7bffb2ff3d0c4209d6a3f11f/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-06-20 22:44:02 UTC
File Type:
PE (Exe)
Extracted files:
50
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ds3rob4ulporexzc6u5qszpleu4msgvnpp73f7z5brbatvvd6epq._file
Verdict:
malicious
Similar samples:
2876a4b04f3d5d2803ae93fb9d3a827f2edbabf44e4327ac4dfa7b71a55b81ef
ModiLoader
463b268cd4afa5d7aada344628ece50e60ae207254032ce2ac0b510c3b8596a7
ModiLoader
511770fdae6585f7a8bd8cd9f77b5f214744d0ff2ed418237a2fd18434deda7e
ModiLoader
ccc96a6e23372009897887bc7ee8593ab1f0713d093d002148fea025fffca846
ModiLoader
e6d89604af1df906d2a20791f6cf0444ab5d489b94b69977b5fd9db4b1fa5c4f
ModiLoader
ee6b50f8cadc8d210bca98b2a164f66e6a48317450edf99a2c84ee2cde5a8338
ModiLoader
+ 96 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:warzonerat infostealer persistence rat trojan
Link:
https://tria.ge/reports/230621-kcemwshe3x/
Behaviour
Script User-Agent
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
ModiLoader Second Stage
Warzone RAT payload
ModiLoader, DBatLoader
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
donelpacino.ddns.net:4545
Unpacked files
SH256 hash:
d9d75897f3e27e941c6e90a6142c1c44c3a6251ddb73a6e1059a77af6eb7d02b
MD5 hash:
7df1198d0578f28bd0f6001adae0f70f
SHA1 hash:
d42d5732c12563a634127b6460506718a7d8e67f
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/3bec0d88-1936-4e3c-b84e-935db3306622/
Parent samples :
1cb71707945bdd125f22f53b0965eb2538c91aad7bffb2ff3d0c4209d6a3f11f
7cfdbb46f90befe58e3f7487c9a807328f69c223fa0fc240ce292bb7d85ef099
17be5ebb05d5ecda4b88767177423b1198ec32869d58f244a9a63f7d2133f0f1
1f83219e709b7a876c79306a5e0a7f1773a44e537b4223d74f2e4d2d2d805f11
SH256 hash:
1cb71707945bdd125f22f53b0965eb2538c91aad7bffb2ff3d0c4209d6a3f11f
MD5 hash:
75556fee86769929761d838272b0fa37
SHA1 hash:
66ab4a689c95d7659cd324128aaad16c9e58bf0b
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/3bec0d88-1936-4e3c-b84e-935db3306622/
Malware family:
Warzone
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1cb71707945b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/1cb71707945bdd125f22f53b0965eb2538c91aad7bffb2ff3d0c4209d6a3f11f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CMD_Ping_Localhost
Create hunting rule
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

rar d787cea516be476e4a9d4588cf21a780081f0fa1ca98795daa0a6f4572dc9a76

ModiLoader

Executable exe 1cb71707945bdd125f22f53b0965eb2538c91aad7bffb2ff3d0c4209d6a3f11f

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 d787cea516be476e4a9d4588cf21a780081f0fa1ca98795daa0a6f4572dc9a76
Cape
Cape
https://www.capesandbox.com/analysis/401260/
  
Dropped by
MD5 b45ecb730d01ba5dd4396d053a2f6174

Comments