MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 852cc0f22ea3ace2856b9f5ec32a80446829f692bed524d843927ccb2807439e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ModiLoader

Vendor detections: 15

Intelligence 15 IOCs YARA 4 File information Comments

SHA256 hash:	852cc0f22ea3ace2856b9f5ec32a80446829f692bed524d843927ccb2807439e
SHA3-384 hash:	ca0a21036a828b5f8c7244bfdb3973249e57385e7921e89bcccac538e5c9d558d3880904f8f82649fa8ae0a900735547
SHA1 hash:	e7e6aff33e812ba3b85514999c973040886aaad6
MD5 hash:	5d7429eb8d2ebde297cbddb975eb3af5
humanhash:	hamper-alanine-potato-mountain
File name:	SecuriteInfo.com.Win32.MalwareX-gen.26830.19318
Download:	download sample
Signature	ModiLoader Create hunting rule
File size:	969'216 bytes
First seen:	2023-09-13 06:33:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2ee11402fede6929cd719a165d19a6b3 (2 x ModiLoader, 1 x Formbook)
ssdeep	12288:+L5nRsetSwLTUSkRj2keaAigv4ixgKbR5hjy3H31RDHW4Qek5DkJ:+RHSMTL3aKAod5h23H3fGe9
Threatray	3'558 similar samples on MalwareBazaar
TLSH	T139254BF4A2B81CB5F5ADB679C80AB3D00DFF6AD96950188585B9384B18B7F907F2401F
TrID	74.5% (.EXE) Win32 Executable Borland Delphi 6 (262638/61) 12.2% (.EXE) InstallShield setup (43053/19/16) 4.0% (.EXE) Win32 Executable Delphi generic (14182/79/4) 3.7% (.SCR) Windows screen saver (13097/50/3) 1.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):
dhash icon	d4d4d4d4d4d4d4c8 (4 x ModiLoader, 1 x Formbook)
Reporter	SecuriteInfoCom
Tags:	exe ModiLoader

Intelligence

File Origin

# of uploads :

# of downloads :

344

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Win32.MalwareX-gen.26830.19318

Verdict:

Malicious activity

Analysis date:

2023-09-13 06:36:31 UTC

Tags:

installer dbatloader

Link:

https://app.any.run/tasks/15368c55-8207-4e37-882e-933d0212ac89

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

ModiLoader

Link:

https://www.capesandbox.com/analysis/448307/

Detection(s):

SecuriteInfo.com.Win32.MalwareX-gen.26830.19318.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

DNS request

Sending a custom TCP request

Creating a file

Running batch commands

Creating a process with a hidden window

Launching a process

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control keylogger lolbin

Link:

https://www.filescan.io/uploads/650157dbf880d6610cae9f45/reports/01fc7cf0-1003-4259-a7f9-072598f5c73b/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/852cc0f22ea3ace2856b9f5ec32a80446829f692bed524d843927ccb2807439e

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Dbatloader

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/aae5054c-d021-4e35-8af8-c447302a24ec

Result

Threat name:

DBatLoader

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1308376

Signature

Allocates many large memory junks

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected DBatLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/852cc0f22ea3ace2856b9f5ec32a80446829f692bed524d843927ccb2807439e/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2023-09-13 05:45:31 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 38 (65.79%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=quwmb4rouowofbllt5pmgkuairuct5usx3ksjwcdsj6mwkahiopa._file

Verdict:

malicious

ModiLoader

151fb5746b08b95408b92e08f4bbeac8c4a1a3fc3ad6f43d237357f10476b33f

ModiLoader

4053220e58d30e514ab543a64e3854e7c411bfa084c000172cdfe6d3e8f65875

ModiLoader

6988ca1c014e55ad0ff7c394a9be532bf01fe531d68dfaba70ea106f9db787cb

ModiLoader

959fc8883e6b1d4ab77f9738792435e2dae1969530f36d2672db6cb397778687

ModiLoader

9c3860c6744d8b2718e1109e327795014997a81b0e21706a96242d0f8d52f55b

ModiLoader

a1662b8e9f60ae12d014dc7bf567d136abef56c45d76b65c765c71d411c7ee8f

ModiLoader

b747df969c4c80638e92b68759a8ced53c3d14bf705ad0fece792a566c9f3de9

ModiLoader

bcb4b428f2487d1dfc2d5f36fdd7f334e7915a5fad15f46835f6a8420002c327

ModiLoader

d0294bc11b1c8e0655189aba2ade4ffb54da6f36e2afc2ef2e0045a5a17203bf

ModiLoader

+ 3'548 additional samples on MalwareBazaar

Result

Malware family:

modiloader

Score:

10/10

Tags:

family:modiloader persistence trojan

Link:

https://tria.ge/reports/230913-hbrvqace67/

Behaviour

Enumerates system info in registry

Runs ping.exe

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Adds Run key to start application

Executes dropped EXE

Loads dropped DLL

ModiLoader Second Stage

ModiLoader, DBatLoader

Unpacked files

SH256 hash:

852cc0f22ea3ace2856b9f5ec32a80446829f692bed524d843927ccb2807439e

MD5 hash:

5d7429eb8d2ebde297cbddb975eb3af5

SHA1 hash:

e7e6aff33e812ba3b85514999c973040886aaad6

Detections:

win_dbatloader_g1

Link:

https://www.unpac.me/results/d695d32c-f829-4f18-9f88-bae5ae8968a2/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/852cc0f22ea3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/852cc0f22ea3ace2856b9f5ec32a80446829f692bed524d843927ccb2807439e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BobSoftMiniDelphiBoBBobSoft Create hunting rule
Author:	malware-lu

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/448307/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample