MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 920c77fdc169434909d771b4929da0fbf5e749694b05b165529913074b7024d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ModiLoader

Vendor detections: 13

SHA256 hash: 920c77fdc169434909d771b4929da0fbf5e749694b05b165529913074b7024d2
SHA3-384 hash: 336e80f0db7fea7a48742d3ee4988cbd95b2c935c3ceabe8c2da25a4f5395e3c6877bc8fb49e946b429adcab21d95f19
SHA1 hash: 2ac147f668d8d46a980272c7758782fb03cc4e14
MD5 hash: b045db7fd000286470fcfc5b555be769
humanhash: queen-freddie-oscar-batman
File name: m.bat
Signature: ModiLoader
File size: 1'040'896 bytes
First seen: 2023-09-16 11:33:57 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3f898278cbf17fb40d20714dfc2fa658 (2 x ModiLoader)
ssdeep: 12288:SIOKbGC9aNYfbw+MmiR60Aigv4ixgKbR5hjy3H31RDHW4Qek5Dk+/+:SIRfa+f5bWZKAod5h23H3fGeK
Threatray: 117 similar samples on MalwareBazaar
TLSH: T1C2252AF0A3B418B5E0B9B678CB0AB3E04DFF6AD5A92418848679794B5977F503F2401F
TrID:
  84.9% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
  4.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
  4.2% (.SCR) Windows screen saver (13097/50/3)
  2.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  1.4% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: d4d4d4d4d4d4d4c8 (4 x ModiLoader, 1 x Formbook)
Reporter: r3dbU7z
Tags: bat Downloader exe ModiLoader webdav

Intelligence

File Origin
# of uploads: 1
# of downloads: 327
Origin country: RU

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: m.bat
Verdict: Malicious activity
Analysis date: 2023-09-16 11:35:12 UTC
Tags: dbatloader
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: control keylogger lolbin masquerade replace
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AveMaria, DBatLoader, UACMe
Detection: malicious
Classification: phis.troj.spyw.expl.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to check if Internet connection is working
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain checking for user administrative privileges
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected DBatLoader
Yara detected UACMe UAC Bypass tool
Behaviour

Behavior Graph (ID 1309427; sample: m.bat.exe; start date: 16/09/2023; architecture: WINDOWS; score: 100)

Top-level signatures:
  Multi AV Scanner detection for domain / URL
  Found malware configuration
  Malicious sample detected (through community Yara rule)
  12 other signatures

Process tree as rendered in the graph (DNS/IP contacts, dropped files and per-process signatures listed under each node):

m.bat.exe
  DNS / IP: web.fe.1drv.com; ph-files.fe.1drv.com; 2 other IPs or domains
  Dropped: C:\Users\Public\Libraries\netutils.dll (PE32+); C:\Users\Public\Libraries\jwzkzxcA.bat (PE32); C:\Users\Public\Libraries\easinvoker.exe (PE32+)
  Signatures: Contains functionality to hide user accounts; Writes to foreign memory regions; Allocates memory in foreign processes; Sample uses process hollowing technique
  |- jwzkzxcA.bat
  |    DNS / IP: freshwarsmi.ddns.net (154.53.51.233, ports 49699, 49705, 49708; COGENT-174US, United States); freshwarsmiw.ddns.ne
  |    Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Contains functionality to hide user accounts; 7 other signatures
  |- cmd.exe
       Signatures: Uses ping.exe to sleep; Drops executables to the windows directory (C:\Windows) and starts them; Uses ping.exe to check the status of other devices and networks
       |- easinvoker.exe
       |    |- cmd.exe
       |         Signatures: Adds a directory exclusion to Windows Defender
       |         |- cmd.exe
       |         |    Signatures: Adds a directory exclusion to Windows Defender
       |         |    |- powershell.exe
       |         |         Signatures: DLL side loading technique detected
       |         |         |- conhost.exe
       |         |- conhost.exe
       |- PING.EXE
       |    DNS / IP: 127.0.0.1
       |- xcopy.exe
       |    Dropped: C:\Windows \System32\easinvoker.exe (PE32+)
       |- 8 other processes
            Dropped: C:\Windows \System32\netutils.dll (PE32+)
Threat name: Win32.Trojan.ModiLoader
Status: Malicious
First seen: 2023-09-14 23:04:53 UTC
File Type: PE (Exe)
Extracted files: 44
AV detection: 19 of 23 (82.61%)
Threat level: 5/5

Result
Malware family: warzonerat
Score: 10/10
Tags: family:modiloader family:warzonerat infostealer rat trojan
Behaviour
Enumerates system info in registry
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
ModiLoader Second Stage
Warzone RAT payload
ModiLoader, DBatLoader
WarzoneRat, AveMaria
Malware Config
C2 Extraction: freshwarsmi.ddns.net:5200

Unpacked files
SHA256 hash: 920c77fdc169434909d771b4929da0fbf5e749694b05b165529913074b7024d2
MD5 hash: b045db7fd000286470fcfc5b555be769
SHA1 hash: 2ac147f668d8d46a980272c7758782fb03cc4e14
Detections: win_dbatloader_g1
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BobSoftMiniDelphiBoBBobSoft
Author: malware-lu
Rule name: Borland
Author: malware-lu
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns
Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
ModiLoader
Executable exe 920c77fdc169434909d771b4929da0fbf5e749694b05b165529913074b7024d2 (this sample)

Delivery method: Distributed via web download
