MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27d32b2af6392daaa9d08da8dec30cf109e82da5778ab1c7db87be3c8cc91502. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 27d32b2af6392daaa9d08da8dec30cf109e82da5778ab1c7db87be3c8cc91502
SHA3-384 hash: 8dd18247db091246c35d849b2ba3d5d204ff9a90769dc1a7f90489913b92b820229f4e7b0a6a0e7511232fe7fb5e5bf4
SHA1 hash: 90b08b9bde911152cc89475a0bed6acdbaa518a8
MD5 hash: e8055021bc8341f5a008c14ad2550890
humanhash: rugby-romeo-twelve-mirror
File name:muestrasXdeXproductosXpdf.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'000'960 bytes
First seen:2022-10-10 09:28:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash faa13790e0ceb8f1607ec55da2778103 (3 x ModiLoader)
ssdeep 24576:KatTADYIErC0I2D3QauLMMQUtVSn52Ao:KtxnLy+Sn52A
Threatray 152 similar samples on MalwareBazaar
TLSH T170259F22F6D04933C177197C8D1B53685DEBBE202D286B462BE57D4C1F3AA8179263B3
TrID 26.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
24.5% (.SCR) Windows screen saver (13101/52/3)
19.7% (.EXE) Win64 Executable (generic) (10523/12/4)
8.4% (.EXE) Win32 Executable (generic) (4505/5/1)
5.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon 326aaa92aa8e96aa (2 x ModiLoader, 1 x BitRAT)
Reporter lowmal3
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
227
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/318293/
Detection(s):
SecuriteInfo.com.Win32.Trojan-gen.10944.30470.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Creating a file
Launching a process
Creating a process with a hidden window
Sending a custom TCP request
DNS request
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Launching cmd.exe command interpreter
Creating a file in the %temp% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/42197/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger overlay packed shell32.dll wscript.exe
Link:
https://www.filescan.io/uploads/6343e5de1ddf36bcc3f43580/reports/110ebbc6-d7c8-4e68-92d5-5973091c098c/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e27a5d04-a158-4668-9980-23a3b54b1b9d
Result
Threat name:
DBatLoader
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1087428
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Detected unpacking (creates a PE file in dynamic memory)
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/27d32b2af6392daaa9d08da8dec30cf109e82da5778ab1c7db87be3c8cc91502/
Threat name:
Win32.Trojan.Bingoml
Create hunting rule
Status:
Malicious
First seen:
2022-10-10 08:22:24 UTC
File Type:
PE (Exe)
Extracted files:
45
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=e7jswkxwhew2vkoqrwun5qym6ee6qlnfo6fldr63q67dzdgjcuba._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3930b93c51a49f62479fe5886e1ab60105a54824fbfafcd42a6d92405d944af1
ModiLoader
42dab012fe2a77f42f3021e2f31128ac964eb588b9e31736544fc4f789159197
ModiLoader
7889fbae0f292b70c50119b5069bb64425189c59c818336bb49c9c5638edbe03
ModiLoader
91d68196a794e6e1212c23ab237cf1732ee2f52d4528c61c001c0fd30f3b6351
ModiLoader
bb95ccaab5ce2f87f0fc110601b059f67425defa9ebcbaa4b106fc763a477f7c
ModiLoader
d633169a59bd0ecaeda8ed764374657efdf49d963f66f8949efcb2549707d498
ModiLoader
f2ce7756c2480374eb046877c871235d23b9b7b5e2b3cbf32b2608070399efd1
ModiLoader
+ 142 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader trojan
Link:
https://tria.ge/reports/221010-lfww1sbdb2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Blocklisted process makes network request
ModiLoader Second Stage
ModiLoader, DBatLoader
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/fbc47678-d4a2-4326-8064-2ad54487fa30
Unpacked files
SH256 hash:
c54e00ceeec27e2b0624e5b630b1ace61537ad33da437185405dbc70a666623f
MD5 hash:
f07429fc678461954273bff02af63983
SHA1 hash:
439c7c989252dc0a4b257c4214f82e3bf0df7d96
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/e56776cc-9135-4e06-bacf-aeae925e1f29/
Parent samples :
27d32b2af6392daaa9d08da8dec30cf109e82da5778ab1c7db87be3c8cc91502
0866f6ad4a9533fb2f28aab0e42c72c8127c4f7fbd5fea2332747e0ddc169da7
f7841777611acb2e73e3d7e6596ed5359870d40d7d44338658163974538fe340
2d3944cb25f2bf75d15aa54edc421c7ea48528a72369d0662dc6c87c257cebf6
SH256 hash:
27d32b2af6392daaa9d08da8dec30cf109e82da5778ab1c7db87be3c8cc91502
MD5 hash:
e8055021bc8341f5a008c14ad2550890
SHA1 hash:
90b08b9bde911152cc89475a0bed6acdbaa518a8
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/e56776cc-9135-4e06-bacf-aeae925e1f29/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/27d32b2af639/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DBatLoader
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/27d32b2af6392daaa9d08da8dec30cf109e82da5778ab1c7db87be3c8cc91502

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

Executable exe 27d32b2af6392daaa9d08da8dec30cf109e82da5778ab1c7db87be3c8cc91502

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/318293/

Comments