MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3bfaaf7436f93dff822a8c0f81f2e805f1c6855da29e1ee3ddd6d18c04744ae8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3bfaaf7436f93dff822a8c0f81f2e805f1c6855da29e1ee3ddd6d18c04744ae8
SHA3-384 hash: 7630946d8a877764b9e12f7fded214d55812fabf998041dd6b1b0f06074638da114ee6d3212496fd492993ee5e2d7118
SHA1 hash: 159dc10d4a31357cf3338f907107eaa0a46ffe32
MD5 hash: da5f45404106b836329d013ef4eda930
humanhash: blossom-quebec-cup-mars
File name:z97Sbersnmiavfecl.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:764'416 bytes
First seen:2023-07-07 12:24:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 773ef4dec25043142e4c0b01d6341cd7 (2 x ModiLoader, 1 x RemcosRAT, 1 x AveMariaRAT)
ssdeep 12288:3GR+Vd0ckynvLwdJgNsycuL573BhZWPNFWrsEL09pmHtJNNW/8kaPQ:3GAVk4Mwom77WGrs9StJNSaP
Threatray 3'254 similar samples on MalwareBazaar
TLSH T167F4A0D16EE05573C17356788D07E3688C29BE342A2C584A5BF9ED9C9F39FC2381A193
TrID 84.9% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
4.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.2% (.SCR) Windows screen saver (13097/50/3)
2.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 81bcb4c6c4c6c2c4 (2 x ModiLoader, 1 x RemcosRAT)
Reporter FXOLabs
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
312
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
z97Sbersnmiavfecl.exe
Verdict:
Malicious activity
Analysis date:
2023-07-07 12:28:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/82ea2006-3c1e-4590-bb87-9df4060bdb09

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/410687/
Detection(s):
SecuriteInfo.com.Variant.Barys.432110.19941.5356.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Launching cmd.exe command interpreter
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/96299/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control keylogger lolbin overlay packed
Link:
https://www.filescan.io/uploads/64a80423bf106cbffd375864/reports/c7bc5992-0d5b-4551-a9c3-5c1665af31c3/overview
Verdict:
Malicious
Labled as:
Barys.Generic
Link:
https://www.hybrid-analysis.com/sample/3bfaaf7436f93dff822a8c0f81f2e805f1c6855da29e1ee3ddd6d18c04744ae8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dbatloader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6791d41e-eec0-497c-bf79-1ca134d5b85f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3bfaaf7436f93dff822a8c0f81f2e805f1c6855da29e1ee3ddd6d18c04744ae8/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-06 08:47:44 UTC
File Type:
PE (Exe)
Extracted files:
47
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hp5k65bw7e677arkrqhyd4xiaxy4nbk5ukpb5y6523iyybdujlua._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
45d68cb2a4e2ea11ba073766a2de69759539026cc66a0215f48ff46342e3ed84
ModiLoader
74b472ebfa120b3c19287ed837c243b65de17bd647eea036d338b17f5e2ec548
ModiLoader
99cd4e51fb0f2d9ba76ee4d12afd5c3cd096f0c390ecf657ea3a3d78158451ef
ModiLoader
a6cc6af418510edc207b3468d29e80afecce2aa47a683b02bc0da39c60505801
ModiLoader
b2d9890dbbc344c79e99127f7aebf3f459349081c2033e5288128bd2cb37a8b4
ModiLoader
bec4ef3573fb041d4a688c353f4682186f2bfe3918e9add4b9c5ceda5ec2627c
ModiLoader
e4a8a88bffaf744487df4bfd56f975542f59efb4aabe037f2ce5baea61875f98
ModiLoader
+ 3'244 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:xloader campaign:euv4 loader persistence rat trojan
Link:
https://tria.ge/reports/230707-plmgbaaa7w/
Behaviour
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
ModiLoader Second Stage
Xloader payload
ModiLoader, DBatLoader
Xloader
Unpacked files
SH256 hash:
7cfa1816e8831017cef51eb1288be06b840de92df09e8a2d576b9576a96b7e40
MD5 hash:
501abfcdeea23d13a5864506b71b8cbb
SHA1 hash:
6f02550bbd4347be86bb5b0c1c58c6c70c3f8250
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/81d28803-b647-400a-9976-b5d51bde4abb/
Parent samples :
4053220e58d30e514ab543a64e3854e7c411bfa084c000172cdfe6d3e8f65875
3bfaaf7436f93dff822a8c0f81f2e805f1c6855da29e1ee3ddd6d18c04744ae8
9e0e03b59e2a06a0c63e11e5c031aca3cda0119b77d90e256e45aab01830e827
9af5260cfd754e80c6ccefcce5f6bf2bb1d1e8853b0854d54c90858521884917
SH256 hash:
3bfaaf7436f93dff822a8c0f81f2e805f1c6855da29e1ee3ddd6d18c04744ae8
MD5 hash:
da5f45404106b836329d013ef4eda930
SHA1 hash:
159dc10d4a31357cf3338f907107eaa0a46ffe32
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/81d28803-b647-400a-9976-b5d51bde4abb/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3bfaaf7436f9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.84
Link:
https://yomi.yoroi.company/submissions/3bfaaf7436f93dff822a8c0f81f2e805f1c6855da29e1ee3ddd6d18c04744ae8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CMD_Ping_Localhost
Create hunting rule
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

Executable exe 3bfaaf7436f93dff822a8c0f81f2e805f1c6855da29e1ee3ddd6d18c04744ae8

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/410687/

Comments