MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 893c5f1c39d9fc4e2922b4b3f0d14e8d7e60ebcb8c64a32a7aa711c8a13cf37f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 893c5f1c39d9fc4e2922b4b3f0d14e8d7e60ebcb8c64a32a7aa711c8a13cf37f
SHA3-384 hash: edd8a646d61e643ceceb7def12fdcbe0bcfaca68ea09ea8b1137984bbf3c7ae4820f9779910ce44acce954ad36b5cdfd
SHA1 hash: d93b3f6075ae0469cab4435f8d1d94827e203582
MD5 hash: 3a6cc06733734a677baf1970839612e5
humanhash: one-video-hotel-beryllium
File name:Advance Remittance k.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'262'080 bytes
First seen:2023-08-29 11:10:54 UTC
Last seen:2023-08-29 11:40:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 114f57eaa448137f2523bc685071ac0b (3 x ModiLoader)
ssdeep 24576:Awv/h2d7P9f7zJDl7uquzXUQu+tkGdKiNd:Awv/8Vz/3sEQu+/EiNd
Threatray 8 similar samples on MalwareBazaar
TLSH T1C845D026F3B1843BF072997888D79664DC1CBE617904AC4B6AFC3D5C5B3A39078191AF
TrID 74.5% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
12.2% (.EXE) InstallShield setup (43053/19/16)
4.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
3.7% (.SCR) Windows screen saver (13097/50/3)
1.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon 70c88c9186a680d8 (3 x ModiLoader)
Reporter Racco42
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
321
Origin country :
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Advance Remittance k.exe
Verdict:
Malicious activity
Analysis date:
2023-08-29 11:23:43 UTC
Tags:
installer dbatloader
Link:
https://app.any.run/tasks/19db5af3-b225-410d-bcdc-eec38bd34a1c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
ModiLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/445066/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader46.1667.27945.28754.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Sending a custom TCP request
DNS request
Creating a file
Launching a process
Creating a process with a hidden window
Searching for synchronization primitives
Launching cmd.exe command interpreter
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control keylogger lolbin overlay packed
Link:
https://www.filescan.io/uploads/64edd2495ec4a86232619beb/reports/956b737c-8604-4e49-b42c-78a189be5b1c/overview
Verdict:
Malicious
Labled as:
Ser.Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/893c5f1c39d9fc4e2922b4b3f0d14e8d7e60ebcb8c64a32a7aa711c8a13cf37f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dbatloader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/43b68eee-1ac1-48fe-81e5-91204d4db43a
Result
Threat name:
DBatLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1299381
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1299381 Sample: Advance_Remittance_k.exe Startdate: 29/08/2023 Architecture: WINDOWS Score: 100 39 www.9518837.com 2->39 59 Found malware configuration 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 Antivirus / Scanner detection for submitted sample 2->63 65 5 other signatures 2->65 10 Advance_Remittance_k.exe 1 2 2->10         started        15 Tftlygdj.PIF 2->15         started        17 Tftlygdj.PIF 2->17         started        signatures3 process4 dnsIp5 41 web.fe.1drv.com 10->41 43 vewdva.ph.files.1drv.com 10->43 49 2 other IPs or domains 10->49 37 C:\Users\Public\Libraries\Tftlygdj.PIF, PE32 10->37 dropped 71 Drops PE files with a suspicious file extension 10->71 73 Writes to foreign memory regions 10->73 75 Allocates memory in foreign processes 10->75 19 colorcpl.exe 2 10->19         started        45 web.fe.1drv.com 15->45 51 3 other IPs or domains 15->51 77 Antivirus detection for dropped file 15->77 79 Multi AV Scanner detection for dropped file 15->79 81 Machine Learning detection for dropped file 15->81 22 colorcpl.exe 15->22         started        47 web.fe.1drv.com 17->47 53 3 other IPs or domains 17->53 83 Injects a PE file into a foreign processes 17->83 24 SndVol.exe 17->24         started        file6 signatures7 process8 signatures9 67 Maps a DLL or memory area into another process 19->67 69 Queues an APC in another process (thread injection) 19->69 26 qFZBJVBKLfsMhNfVw.exe 19->26 injected process10 process11 28 wscript.exe 13 26->28         started        signatures12 85 Tries to steal Mail credentials (via file / registry access) 28->85 87 Tries to harvest and steal browser information (history, passwords, etc) 28->87 89 Modifies the context of a thread in another process (thread injection) 28->89 91 Maps a DLL or memory area into another process 28->91 31 explorer.exe 28->31 injected 35 qFZBJVBKLfsMhNfVw.exe 28->35 injected process13 dnsIp14 55 www.vlamodel.one 3.64.163.50, 49745, 80 AMAZON-02US United States 31->55 57 System process connects to network (likely due to code injection or exploit) 31->57 signatures15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/893c5f1c39d9fc4e2922b4b3f0d14e8d7e60ebcb8c64a32a7aa711c8a13cf37f/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-08-28 16:05:00 UTC
File Type:
PE (Exe)
Extracted files:
100
AV detection:
24 of 36 (66.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=re6f6hbz3h6e4kjcwsz7bukorv7gb26lrrskgkt2u4i4rij46n7q._file
Verdict:
malicious
Similar samples:
0a1d374fc74a19fafd920caee9a08e1a999e633d098b8ed02aebf7ad9a66281a
ModiLoader
53e4ef9bed0e669de506d72e339fa3f36534aef9d10519491d0f0acea27b8841
ModiLoader
61a3e788d1ae18d12df0bf7198a922c14e998c195b520a5543b43814b8bcbfa0
ModiLoader
781ffcd3281973496019906d76fc8c52786e7ab953292d8bab44865c8d6c9207
ModiLoader
8bf8b980381fd607ec9065bfbcd572973770ee77c815354a35455c10651516d5
ModiLoader
d7d47b0b0aa55363efdf394d4c3ad4dc6e175edb80e22ae6e7b37cf3bc1d32d1
ModiLoader
e4688b491eef2134a09a6c4061071f2de9d71df4c07f0aef23aef84f51688d38
ModiLoader
e9352253e3211314faee670cf457e3f6732d7d93eb52f46aebf4f79cb22cbf7e
ModiLoader
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader persistence trojan
Link:
https://tria.ge/reports/230829-m99kmscb34/
Behaviour
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
ModiLoader Second Stage
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
893c5f1c39d9fc4e2922b4b3f0d14e8d7e60ebcb8c64a32a7aa711c8a13cf37f
MD5 hash:
3a6cc06733734a677baf1970839612e5
SHA1 hash:
d93b3f6075ae0469cab4435f8d1d94827e203582
Detections:
DbatLoaderStage1
Create hunting rule
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/736b756d-01f1-4a9d-9e06-b8426e3264f6/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/893c5f1c39d9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/893c5f1c39d9fc4e2922b4b3f0d14e8d7e60ebcb8c64a32a7aa711c8a13cf37f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

Executable exe 893c5f1c39d9fc4e2922b4b3f0d14e8d7e60ebcb8c64a32a7aa711c8a13cf37f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/445066/

Comments