MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49a31099ab0d8ed001ad0a05f46ddd334b5834730470a14327ec7ed6f5cf6187. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Expiro


Vendor detections: 16


Intelligence 16 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 49a31099ab0d8ed001ad0a05f46ddd334b5834730470a14327ec7ed6f5cf6187
SHA3-384 hash: 4434fd71fefbb1d9d3079da9560b4deb8cd3ef4d2fcafc6a0b1ee598785ae4d6241bc5ccc8dfd98b104b9493e6581756
SHA1 hash: e0f363f96c4c35714c326083cb62f02fcb89d6e7
MD5 hash: 49e5ce66b8d6ae7af39d91cdc498a57a
humanhash: nine-steak-seven-salami
File name:ENQUIRY (STAPL3355ENQ2025-26).exe
Download: download sample
Signature Expiro
Create hunting rule
File size:1'085'440 bytes
First seen:2025-08-01 08:59:40 UTC
Last seen:2025-08-12 15:06:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d52a0849f90034ee3f970f3ab54c21a3 (1 x Expiro, 1 x RemcosRAT)
ssdeep 12288:Zyz4KNXdrZhEq44NA5GzPv2dTHo1PE/owqJHYYsOX2edNmYefwxUdx5k:Zo9RhEq44BzPv2d89E/8dr/mYefwx
Threatray 184 similar samples on MalwareBazaar
TLSH T1B4357D12F1E00833C0B33DB45F57C2A7662AAE5D1E14E9472AF47C8E3E3D6627C1A55A
TrID 45.4% (.EXE) Win64 Executable (generic) (10522/11/4)
19.4% (.EXE) Win32 Executable (generic) (4504/4/1)
8.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
8.7% (.EXE) OS/2 Executable (generic) (2029/13)
8.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon ccca9aba9a96d4d2 (1 x Expiro, 1 x RemcosRAT)
Reporter Anonymous
Tags:exe Expiro

Intelligence

File Origin
# of uploads :
2
# of downloads :
31
Origin country :
PL PL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
ENQUIRY (STAPL3355ENQ2025-26).exe
Verdict:
Malicious activity
Analysis date:
2025-08-01 09:00:37 UTC
Tags:
delphi m0yv evasion stealer ultravnc rmm-tool exfiltration smtp agenttesla netreactor
Link:
https://app.any.run/tasks/d287f85e-b585-468a-8603-01143363c2ff

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/18271/
Detection(s):
Win.Trojan.Modiloader-10042434-0
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=688c82390b4775fb2134839a
Tags:
delphi emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Connection attempt to an infection source
Sending a custom TCP request
Query of malicious DNS domain
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context borland_delphi fingerprint keylogger obfuscated
Link:
https://www.filescan.io/uploads/688c8235dc44c87d077a0331/reports/aa4c1447-60c5-45fd-9cd5-2ac1ff7a3810/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/49a31099ab0d8ed001ad0a05f46ddd334b5834730470a14327ec7ed6f5cf6187
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9f4471f0-bb89-4bdf-ae85-2f11434e5b6d
Score:
89%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/49a31099ab0d8ed001ad0a05f46ddd334b5834730470a14327ec7ed6f5cf6187
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/49e5ce66b8d6ae7af39d91cdc498a57a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/49a31099ab0d8ed001ad0a05f46ddd334b5834730470a14327ec7ed6f5cf6187/
Verdict:
Malicious
Threat:
Family.AGENTTESLA
Link:
https://tip.neiki.dev/file/49a31099ab0d8ed001ad0a05f46ddd334b5834730470a14327ec7ed6f5cf6187
Threat name:
Win32.Trojan.ModiLoader
Create hunting rule
Status:
Malicious
First seen:
2025-07-31 05:47:31 UTC
AV detection:
24 of 37 (64.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jgrrbgnlbwhnaannbic7i3o5gnfvqndtarykcqzh5r7nn5opmgdq._file
Verdict:
malicious
Label(s):
dbatloader
Create hunting rule
expiro
Create hunting rule
asyncrat
Create hunting rule
Similar samples:
1b1d1a65961e2c873037316cddc4c2dd55214efa43fa32645a2d0571b1f16ff1
Expiro
51bde105a641629948c300d04aecece518f2e96913c48463dcc508a026768120
Expiro
609466fcae46344a419e4811e83b5299e2b94107bc1956bf71713764a153b1c0
Expiro
796d34138fdc6bd505ee0babe7170a11d7c1f7bb5c4171732a64c895aa0872d1
Expiro
9195f22b8899a2e762b0c3fb1e8c16841159644608b4fca8a963c1d95adaa365
Expiro
ba9cf00d60f76f592641f69effa222c8ba1f634b022199495607499d0715c166
Expiro
d213d25014d6b4984579becc0a556b730d720c736d5f1b87b697e8bc4eccfd13
Expiro
dfbcf48f3db81d8626fc81d445d828e1f51839ea43f959e35ccaa476c44e9373
Expiro
error
Expiro
fbc06ff8786c69b8a6d731b9527b45a521b2d86faba1d2c190c4fcf470247b49
Expiro
+ 174 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader discovery execution persistence ransomware spyware stealer trojan
Link:
https://tria.ge/reports/250801-kylckawtgx/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Scheduled Task/Job: Scheduled Task
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Enumerates connected drives
Looks up external IP address via web service
Executes dropped EXE
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Verdict:
Malicious
Tags:
Win.Trojan.Modiloader-10042434-0 Expiro
YARA:
n/a
Link:
https://app.threat.zone/submission/4bbfbaae-ff91-426e-9a02-50eb7f8c5e73
Unpacked files
SH256 hash:
49a31099ab0d8ed001ad0a05f46ddd334b5834730470a14327ec7ed6f5cf6187
MD5 hash:
49e5ce66b8d6ae7af39d91cdc498a57a
SHA1 hash:
e0f363f96c4c35714c326083cb62f02fcb89d6e7
Link:
https://www.unpac.me/results/2723c3af-9fb0-4f50-a542-a60e39d74639/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/49a31099ab0d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/49a31099ab0d8ed001ad0a05f46ddd334b5834730470a14327ec7ed6f5cf6187

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Generic_Threat_ebf62328
Create hunting rule
Author:Elastic Security
Rule name:win_m0yv_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.m0yv.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/18271/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryExA
kernel32.dll::LoadLibraryA
kernel32.dll::GetStartupInfoA
kernel32.dll::GetDiskFreeSpaceA
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::GetFileAttributesA
kernel32.dll::FindFirstFileA
version.dll::GetFileVersionInfoSizeA
version.dll::GetFileVersionInfoA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
WIN_TRUST_APIUses Windows Trust APIwintrust.dll::WinVerifyTrust
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::EmptyClipboard
user32.dll::FindWindowA
user32.dll::OpenClipboard
user32.dll::PeekMessageA

Comments