MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a8f0e1c47f8e29ca3f8741e8dc40796f0f4ac3745b620c6165fb80f3446b2a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7a8f0e1c47f8e29ca3f8741e8dc40796f0f4ac3745b620c6165fb80f3446b2a8
SHA3-384 hash: efe23bdb96e515aa9cada5e1dc3a0dddffaf9cf110f55eba0abcf7e3febf30cb655c27a476c89ff032a0d6aa614182b7
SHA1 hash: b56c5c68a73a05a07601656431f364aa7454b5ac
MD5 hash: 4a084f1eed5d0e74da8a6683954e93d4
humanhash: chicken-utah-mike-music
File name:El nuevo pedido está en la lista adjunta..exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:967'680 bytes
First seen:2022-09-12 18:55:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 15f300867bc81185bb5bfe58b28923ad (3 x ModiLoader, 1 x Formbook, 1 x DBatLoader)
ssdeep 12288:WblUacng1lreJF4PHWGtohtFpVfVGqnDo0yDTW0kVrhf7fvUO:WlU3ngaJF4P2NHPVdLo0t0kVlvp
Threatray 81 similar samples on MalwareBazaar
TLSH T1A0259EE6B2F08B33C053167ECB3B729DDE6DBE501924A44977E53948CF35680346AA1B
TrID 68.5% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
27.0% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
1.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.3% (.SCR) Windows screen saver (13101/52/3)
0.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 33d0d89696d8d033 (14 x ModiLoader, 9 x DBatLoader, 6 x Formbook)
Reporter 0xToxin
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
436
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
El nuevo pedido está en la lista adjunta..exe
Verdict:
No threats detected
Analysis date:
2022-09-12 18:57:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/61a3dd76-b388-4687-a90f-2c2e53d07181

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/309530/
Detection(s):
Win.Dropper.LokiBot-9938605-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/37482/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
evasive greyware keylogger shell32.dll
Link:
https://www.filescan.io/uploads/631f809cfec190e8fc3e2cee/reports/c147041e-759b-41af-acc6-e049e99a5681/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/abb557fc-36b0-473b-a84a-fc2071eb308a
Result
Threat name:
DBatLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1069033
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Deletes itself after installation
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 701565 Sample: El nuevo pedido est#U00c3#U... Startdate: 12/09/2022 Architecture: WINDOWS Score: 100 50 Malicious sample detected (through community Yara rule) 2->50 52 Antivirus detection for dropped file 2->52 54 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->54 56 5 other signatures 2->56 9 El nuevo pedido est#U00c3#U00a1 en la lista adjunta..exe 1 17 2->9         started        14 Ugmyxfwr.exe 13 2->14         started        16 java1.exe 2->16         started        18 3 other processes 2->18 process3 dnsIp4 42 l-0003.l-dc-msedge.net 13.107.43.12, 443, 49714, 49716 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 9->42 44 192.168.2.1 unknown unknown 9->44 48 3 other IPs or domains 9->48 38 C:\Users\Public\Libraries\Ugmyxfwr.exe, PE32 9->38 dropped 40 C:\Users\Public\Libraries\Ugmyxfwr, data 9->40 dropped 62 Creates multiple autostart registry keys 9->62 64 Injects a PE file into a foreign processes 9->64 20 El nuevo pedido est#U00c3#U00a1 en la lista adjunta..exe 5 5 9->20         started        46 13.107.43.13 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 14->46 66 Multi AV Scanner detection for dropped file 14->66 file5 signatures6 process7 file8 34 C:\java1\java1.exe, PE32 20->34 dropped 36 C:\Users\user\AppData\Local\...\install.vbs, data 20->36 dropped 58 Creates multiple autostart registry keys 20->58 24 wscript.exe 1 20->24         started        signatures9 process10 signatures11 60 Deletes itself after installation 24->60 27 cmd.exe 1 24->27         started        process12 process13 29 java1.exe 14 27->29         started        32 conhost.exe 27->32         started        signatures14 68 Multi AV Scanner detection for dropped file 29->68
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7a8f0e1c47f8e29ca3f8741e8dc40796f0f4ac3745b620c6165fb80f3446b2a8/
Threat name:
Win32.Trojan.Hesv
Create hunting rule
Status:
Malicious
First seen:
2022-09-12 16:12:22 UTC
File Type:
PE (Exe)
Extracted files:
47
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pkhq4hch7drjzi7yoqpi3rahs3ypjlbxiw3cbrqwl64a6ncgwkua._file
Verdict:
malicious
Similar samples:
31a18887102d71eaea7c51ba2e52093090ba414ef837cf04297dc147475a620e
ModiLoader
44079f7afc8f2b9900564b14b8e3e9e5b8de7ad0b4a1d514e5ff644def494d4e
ModiLoader
51ae31774cff03dd6fcdfc5fbcd7e144348c248aaa5c27802b8865b6494a508a
ModiLoader
6810f77478c037f70109dfb99877a6dd3bd80496ee7cc304027f2803a2209ab5
ModiLoader
838646bc9841804d7671fb25b3fd5d3e67e91c1d341c7125ce63ad436ada5f26
ModiLoader
90ac445f282c66552b08d176d123635537170009fa83988ce5011aef18ba5fb9
ModiLoader
aa4a3cf409c65c84e33841c92533d1781a01cd5b1b5ba372e0b3d4c333a8f5fe
ModiLoader
f80dd0bf7402bebd03d303c97c8dd3f921d3e923a2521f4a2af2e4bf3c288aa1
ModiLoader
fe323cd5a46b973a6e0ade0cab099d0f929351820421393b29c2a63df6cdd527
ModiLoader
+ 71 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader trojan
Link:
https://tria.ge/reports/220912-xlcacahffn/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
ModiLoader Second Stage
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
2f372058fe46bf0267b2d385b835ef8f0b31890af8830795813c4265546d6a62
MD5 hash:
bacdfc7245220f022d00ebfb05e2f204
SHA1 hash:
6f7ea257c3e3018177f04757216a703c74dd2c1c
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/8f09bdd5-c8ab-4bf3-9127-025c4d73ecc4/
Parent samples :
7a8f0e1c47f8e29ca3f8741e8dc40796f0f4ac3745b620c6165fb80f3446b2a8
3048ff7c5057bf7ddf5e78dba7e21ba6c0093c6385b03a6c57e309e56c765d89
dd248dcb742175c4ea98e085fc1a9a9dcad0feedee9a1c66006025de163a9789
b5d874ba88076fe352d977028ec0b46fb35d7ebb01ae4bec0e9e02e25c42d96c
SH256 hash:
7a8f0e1c47f8e29ca3f8741e8dc40796f0f4ac3745b620c6165fb80f3446b2a8
MD5 hash:
4a084f1eed5d0e74da8a6683954e93d4
SHA1 hash:
b56c5c68a73a05a07601656431f364aa7454b5ac
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/8f09bdd5-c8ab-4bf3-9127-025c4d73ecc4/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7a8f0e1c47f8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7a8f0e1c47f8e29ca3f8741e8dc40796f0f4ac3745b620c6165fb80f3446b2a8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

Executable exe 7a8f0e1c47f8e29ca3f8741e8dc40796f0f4ac3745b620c6165fb80f3446b2a8

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/309530/

Comments