MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3dec0f077df087f3e1c0e2f49194c0362bf56c3fb3ba18fa60b499495e729f48. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 14


Intelligence 14 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3dec0f077df087f3e1c0e2f49194c0362bf56c3fb3ba18fa60b499495e729f48
SHA3-384 hash: f7d6db95cd4f71de1b45b4e03c5d9957c821332c7fd296bda736d8c0caddf1af1810c21926bbaec0597b03f2aa5aefeb
SHA1 hash: cd0a45d9e2ddc381addf1ac3cf845be7eb9cdcd3
MD5 hash: e233a218368b609cb0d55cdc1aca565e
humanhash: cardinal-shade-iowa-zulu
File name:Qdwqyhltorobof.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'049'088 bytes
First seen:2023-08-16 06:40:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bdf6349f4337edc78aae879092566618 (1 x RemcosRAT, 1 x Formbook, 1 x ModiLoader)
ssdeep 12288:q+V0OGY20hP4SpWD4XIiIlYqHrvd6FE3TNDJrYb0fZp0B0Yi7fLssVcgbbFWWRpj:qWAs6lD4XNVQrvd/DFR20fI0JzR/RYA
Threatray 6 similar samples on MalwareBazaar
TLSH T11125BF37EA929C37D172157C9F0A1BE47C2C7FA309286446AEE83D49AF3D650353C266
TrID 49.2% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
15.5% (.SCR) Windows screen saver (13097/50/3)
12.4% (.EXE) Win64 Executable (generic) (10523/12/4)
7.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
5.3% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e4e084849496d09c (1 x RemcosRAT, 1 x Formbook, 1 x ModiLoader)
Reporter lowmal3
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
273
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Qdwqyhltorobof.exe
Verdict:
Malicious activity
Analysis date:
2023-08-16 06:44:24 UTC
Tags:
dbatloader
Link:
https://app.any.run/tasks/d52848b0-7612-4499-af8c-c13075dece75

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/442958/
Detection(s):
SecuriteInfo.com.Generic-EXE.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/102932/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control formbook keylogger lolbin modiloader obfuscated
Link:
https://www.filescan.io/uploads/64dc6f805768e4132ea61886/reports/ea7937d9-c316-47dd-9b25-f4008b726826/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/3dec0f077df087f3e1c0e2f49194c0362bf56c3fb3ba18fa60b499495e729f48
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dbatloader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/841203cf-e46d-4058-a1e5-40b4a07ccb4c
Result
Threat name:
DBatLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1291910
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected DBatLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1291910 Sample: Qdwqyhltorobof.exe Startdate: 16/08/2023 Architecture: WINDOWS Score: 96 61 web.fe.1drv.com 2->61 63 onedrive.live.com 2->63 65 2 other IPs or domains 2->65 75 Found malware configuration 2->75 77 Multi AV Scanner detection for dropped file 2->77 79 Multi AV Scanner detection for submitted file 2->79 81 2 other signatures 2->81 12 Qdwqyhltorobof.exe 1 7 2->12         started        16 Tgmacggv.PIF 2->16         started        signatures3 process4 file5 55 C:\Users\Public\Libraries\netutils.dll, PE32+ 12->55 dropped 57 C:\Users\Public\Libraries\easinvoker.exe, PE32+ 12->57 dropped 59 C:\Users\Public\Libraries\Tgmacggv.PIF, PE32 12->59 dropped 87 Drops PE files with a suspicious file extension 12->87 18 cmd.exe 1 12->18         started        21 WerFault.exe 24 16 12->21         started        23 SndVol.exe 12->23         started        89 Multi AV Scanner detection for dropped file 16->89 25 colorcpl.exe 16->25         started        27 WerFault.exe 16->27         started        signatures6 process7 signatures8 69 Uses ping.exe to sleep 18->69 71 Drops executables to the windows directory (C:\Windows) and starts them 18->71 73 Uses ping.exe to check the status of other devices and networks 18->73 29 easinvoker.exe 18->29         started        31 PING.EXE 1 18->31         started        34 xcopy.exe 2 18->34         started        37 8 other processes 18->37 process9 dnsIp10 39 cmd.exe 1 29->39         started        67 127.0.0.1 unknown unknown 31->67 51 C:\Windows \System32\easinvoker.exe, PE32+ 34->51 dropped 53 C:\Windows \System32\netutils.dll, PE32+ 37->53 dropped file11 process12 signatures13 83 Adds a directory exclusion to Windows Defender 39->83 42 cmd.exe 1 39->42         started        45 conhost.exe 39->45         started        process14 signatures15 85 Adds a directory exclusion to Windows Defender 42->85 47 powershell.exe 13 42->47         started        process16 process17 49 conhost.exe 47->49         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3dec0f077df087f3e1c0e2f49194c0362bf56c3fb3ba18fa60b499495e729f48/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-08-09 02:33:49 UTC
File Type:
PE (Exe)
Extracted files:
26
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hxwa6b356cd7hyoa4l2jdfgagyv7k3b7wo5br6tawsmusxtst5ea._file
Verdict:
malicious
Similar samples:
3e8bbd563bf539b08acb62ff89b43353549e9d0aee0a32567eb42d7f0687e51c
ModiLoader
43ff884128b4cee041776015abb9692e42db2cbf8b5a4364859d346c809ec5cd
ModiLoader
d815c085093b35ac977c206b6ea93dee817c02e926dd32768713b3a6bc7d1869
ModiLoader
dc99dacdbd53fe4163b9e32e7ef490b354d8c0c81089614ceae1ecada11263bd
ModiLoader
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader trojan
Link:
https://tria.ge/reports/230816-hfsb2sab5t/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
ModiLoader Second Stage
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
570d50b649829cd3e6f62c02ef89e69c0886e9f1664cceb5ac57977fa23f4eb8
MD5 hash:
85b7b59e9888d3885a1068cb2e0350ed
SHA1 hash:
e550b26fd606cfad460ebd774e42541c57e22851
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/a26b5ca1-1141-499c-b83d-29d8b1c54b39/
Parent samples :
dc99dacdbd53fe4163b9e32e7ef490b354d8c0c81089614ceae1ecada11263bd
3e8bbd563bf539b08acb62ff89b43353549e9d0aee0a32567eb42d7f0687e51c
3dec0f077df087f3e1c0e2f49194c0362bf56c3fb3ba18fa60b499495e729f48
SH256 hash:
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
MD5 hash:
c116d3604ceafe7057d77ff27552c215
SHA1 hash:
452b14432fb5758b46f2897aeccd89f7c82a727d
Link:
https://www.unpac.me/results/a26b5ca1-1141-499c-b83d-29d8b1c54b39/
SH256 hash:
3dec0f077df087f3e1c0e2f49194c0362bf56c3fb3ba18fa60b499495e729f48
MD5 hash:
e233a218368b609cb0d55cdc1aca565e
SHA1 hash:
cd0a45d9e2ddc381addf1ac3cf845be7eb9cdcd3
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/a26b5ca1-1141-499c-b83d-29d8b1c54b39/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.39
Link:
https://yomi.yoroi.company/submissions/3dec0f077df087f3e1c0e2f49194c0362bf56c3fb3ba18fa60b499495e729f48

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:CMD_Ping_Localhost
Create hunting rule
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:MALWARE_Win_ModiLoader
Create hunting rule
Author:ditekSHen
Description:Detects ModiLoader
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:without_attachments
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the no presence of any attachment
Reference:http://laboratorio.blogs.hispasec.com/
Rule name:without_urls
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the no presence of any url
Reference:http://laboratorio.blogs.hispasec.com/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

Executable exe 3dec0f077df087f3e1c0e2f49194c0362bf56c3fb3ba18fa60b499495e729f48

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/442958/

Comments