MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 900390a8f50e7b8996683d25a591af57297de4b4727cdc83d425c7b010b97ab3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 14


Intelligence 14 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 900390a8f50e7b8996683d25a591af57297de4b4727cdc83d425c7b010b97ab3
SHA3-384 hash: d1bab509969091ca006c90d12472fd10a491c2f2e79084dd9c5077d7234befb92f5a4175e7e87bb23a8bef1a9dcf69ef
SHA1 hash: bf81abd9e809883f043e80b9f9bbdd3ec28be9ba
MD5 hash: 4714adda6a2fa66c85628fcf4b29185c
humanhash: ohio-colorado-golf-undress
File name:Specyfikacja dokumentu zakupu.scr
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'019'288 bytes
First seen:2023-06-28 15:04:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b2ffe640086070c19351a52301f6fb90 (2 x ModiLoader, 2 x Formbook, 1 x RemcosRAT)
ssdeep 12288:bWI+n1cF0p4WhPQbXfu/i7Nx29T1CWaXqIov5n0fc8MMvdgV25wqYyEyHcsbOonh:b28tWhPKXf9PvXqgfvcQrEyHFbOwxr
Threatray 2'143 similar samples on MalwareBazaar
TLSH T18525BF57A5C08477C9B266784F8F96F4BC2D7E243938BC05BAD03A5C6BB635138192B3
TrID 35.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
32.8% (.SCR) Windows screen saver (13097/50/3)
11.2% (.EXE) Win32 Executable (generic) (4505/5/1)
5.1% (.EXE) Win16/32 Executable Delphi generic (2072/23)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 70f8ecdac6e6c0d0 (4 x Formbook, 3 x ModiLoader, 2 x RemcosRAT)
Reporter threatcat_ch
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
274
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Specyfikacja dokumentu zakupu.scr
Verdict:
No threats detected
Analysis date:
2023-06-28 15:07:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/91c1b913-f98e-41a9-9520-21c31ad853dc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/403595/
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.10021.31663.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending an HTTP GET request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Creating a process from a recently created file
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/93996/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control formbook keylogger lolbin masquerade modiloader overlay packed remcos remote
Link:
https://www.filescan.io/uploads/649c4c20e1b9083ea6db9f08/reports/7fe9846b-7ccb-4c06-aaaa-25ec5fbe8c32/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/900390a8f50e7b8996683d25a591af57297de4b4727cdc83d425c7b010b97ab3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dbatloader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4780822c-7e64-49ca-b22b-aece442a89a6
Result
Threat name:
DBatLoader
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1262765
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected DBatLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/900390a8f50e7b8996683d25a591af57297de4b4727cdc83d425c7b010b97ab3/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-06-26 04:22:15 UTC
File Type:
PE (Exe)
Extracted files:
87
AV detection:
26 of 37 (70.27%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sabzbkhvbz5ytftihus2lenpk4ux3zfuoj6nza6uexd3aefzpkzq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0f528143fdfebee5cce0397910269972a5ed33b314f5a91db93bc23c967be73f
ModiLoader
1c24ed06a4d38c863c4016a0489f66934b9167269b958a17dcdbb6ecae3baf18
ModiLoader
55b379ec8cd752f104605bdbd88048c1c3b49c328b393ba496494a118ef5ae16
ModiLoader
5e75e6201d276c99cbac6caf0e2ddca24e0937867fd141c4fa3a70fdeee7782d
ModiLoader
8c80ec1c91dcd77ea0be5d0e53e289a6bc0ed764a12f9262ba979f579bb25591
ModiLoader
a4a9151dee1026abcaec06ec7596983a05cc7df43c37d5646e17ae02e2902445
ModiLoader
c1bcaa3723fd87f8a0a537c14ecf7e5852a69d33995333b40a7a475eb2e1696c
ModiLoader
+ 2'133 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:yak back persistence rat trojan
Link:
https://tria.ge/reports/230628-sf6jsaba71/
Behaviour
Enumerates system info in registry
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
79.110.63.178:8974
plunder.jumpingcrab.com:8974
plunder.dynnamn.ru:8974
plunder.duckdns.org:8974
plunder.dedyn.io:8974
Unpacked files
SH256 hash:
aa2269ba6fab21ea4105e3ded1262c1d4877bf604327ced353cabd3a721be1fb
MD5 hash:
3ae0e46d9e6fd788e8819e0511bf7a34
SHA1 hash:
7d2edf4722e775fe62997bd174b671a946ff1741
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/faf69b14-c17b-484f-8d31-36b75addb881/
SH256 hash:
900390a8f50e7b8996683d25a591af57297de4b4727cdc83d425c7b010b97ab3
MD5 hash:
4714adda6a2fa66c85628fcf4b29185c
SHA1 hash:
bf81abd9e809883f043e80b9f9bbdd3ec28be9ba
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/faf69b14-c17b-484f-8d31-36b75addb881/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/900390a8f50e7b8996683d25a591af57297de4b4727cdc83d425c7b010b97ab3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CMD_Ping_Localhost
Create hunting rule
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

Executable exe 900390a8f50e7b8996683d25a591af57297de4b4727cdc83d425c7b010b97ab3

(this sample)

  
Dropped by
ModiLoader
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/403595/

Comments