MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a08cd110a928227dd4b3b42b1801bc1c907dd042bea8494ac701142c5eb345da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 15


Intelligence 15 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a08cd110a928227dd4b3b42b1801bc1c907dd042bea8494ac701142c5eb345da
SHA3-384 hash: 0a26595fa29497250665dee7da2d7bee9c4d81617ea5947006eea4ee7f7728a2d7a7c697946e20b3794aeb55416123f3
SHA1 hash: 6ca84e053936508354a7805f36b1fd7e25f6970e
MD5 hash: 268ad9d551b4173c3bfd39eef6ad76b9
humanhash: diet-failed-jig-mirror
File name:PAYMENT ADICE565 OUTBOUND.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:971'488 bytes
First seen:2023-07-10 09:37:48 UTC
Last seen:2023-07-10 10:09:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8466179c03d61f9be09e96306c739027 (2 x ModiLoader, 2 x RemcosRAT)
ssdeep 12288:5DQy2c+bp9/95hiFFCt2AvQBPNIkry/wNQZqLfLYUj2Msx2AWwoo+5dHg:5cnbp9mIzvQBa1/wNQULfLYUyVxHjohM
Threatray 114 similar samples on MalwareBazaar
TLSH T18425BF73B7914437D2221B39DD5BA3C2593DBD312E28A9466BE01E4C7E70E83B426787
TrID 55.6% (.OCX) Windows ActiveX control (116521/4/18)
20.5% (.EXE) InstallShield setup (43053/19/16)
6.7% (.EXE) Win32 Executable Delphi generic (14182/79/4)
6.2% (.SCR) Windows screen saver (13097/50/3)
4.7% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
File icon (PE):PE icon
dhash icon e3e1e3f1d9c9dbe2 (11 x AveMariaRAT, 9 x ModiLoader, 2 x Neurevt)
Reporter adrian__luca
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
276
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PAYMENT ADICE565 OUTBOUND.exe
Verdict:
Malicious activity
Analysis date:
2023-07-10 11:14:13 UTC
Tags:
installer
Link:
https://app.any.run/tasks/b80cf591-a72f-4798-b95f-eb770a7029a3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/413469/
Detection(s):
SecuriteInfo.com.Variant.Zusy.470739.9703.7632.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/96857/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control keylogger lolbin masquerade overlay packed replace
Link:
https://www.filescan.io/uploads/64abd1999bd9f933fbb93a83/reports/d91834ba-2ff1-4fe3-a063-cde8f0ae2144/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/a08cd110a928227dd4b3b42b1801bc1c907dd042bea8494ac701142c5eb345da
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dbatloader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/06db051c-a421-4228-8d83-7060e1f51378
Result
Threat name:
AveMaria, DBatLoader, UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.expl
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1269599
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Found malware configuration
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Yara detected AveMaria stealer
Yara detected DBatLoader
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a08cd110a928227dd4b3b42b1801bc1c907dd042bea8494ac701142c5eb345da/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-10 00:47:39 UTC
File Type:
PE (Exe)
Extracted files:
51
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ucgncefjfarh3vftwqvrqan4dsih3uccx2uesswhaekcyxvtixna._file
Verdict:
malicious
Similar samples:
0c068a04f71f9fb987981519ad4fa540d88babba65a76c10e3640cf0d39e49f2
ModiLoader
1f83219e709b7a876c79306a5e0a7f1773a44e537b4223d74f2e4d2d2d805f11
ModiLoader
237803281430a3e53b0f8f3ac3504dd95fbc9cf4f9cd7d803db0227a0c849388
ModiLoader
552685bd9d5668183267fa60f76af8584611e11d439085d660ae54147ca5f355
ModiLoader
6894716ecdc2dc8c9df8522345f04945c0d90df9c2b5426c72fb4eee7d809c79
ModiLoader
a2231cdfce2e5ec3adcdb8535b1663da96d390e65c0f0c83c385a96d97790f0e
ModiLoader
a32dc1a41c102124b6d7d7c1ac5790870a6a49d8f2133008797132ac2ac82498
ModiLoader
a67b8abcd5494b8616dbc6cc982d9aecdf0fb33c4183686f762d2242e6428efc
ModiLoader
e6b6b597f8f07b529a9bf027c549b0b9476fdbf8d01e089faa97972e17908dd4
ModiLoader
+ 104 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:warzonerat infostealer persistence rat trojan
Link:
https://tria.ge/reports/230710-ll45ksae7x/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Script User-Agent
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Program crash
Drops file in System32 directory
Adds Run key to start application
ModiLoader Second Stage
Warzone RAT payload
ModiLoader, DBatLoader
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
donelpacino.ddns.net:4545
Unpacked files
SH256 hash:
3bbb1fddefca24e749c53406c71bb4e26f285c85d45083500e9c553c60239d56
MD5 hash:
103db6d86a729254c3a3bbef7c340f61
SHA1 hash:
b379ad1f4fbe5d83ad7f1e13b48d3087813d5e15
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/eaafcfd3-767b-4e1f-99bb-4a80b7377f68/
Parent samples :
74f3991c2f65f8bfa4e39a908f8d4d73d8b502fed1d9910a9ed66773c0674c99
a08cd110a928227dd4b3b42b1801bc1c907dd042bea8494ac701142c5eb345da
90399d618bfbcf4d3adf3abebad223be29ef4a310b486d7f7e5b8bc3b2a00416
4038439ae519453da6ef2075154a367f29889fd0d085b588f02f2e20feaf25ab
SH256 hash:
a08cd110a928227dd4b3b42b1801bc1c907dd042bea8494ac701142c5eb345da
MD5 hash:
268ad9d551b4173c3bfd39eef6ad76b9
SHA1 hash:
6ca84e053936508354a7805f36b1fd7e25f6970e
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/eaafcfd3-767b-4e1f-99bb-4a80b7377f68/
Malware family:
Warzone
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a08cd110a928/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CMD_Ping_Localhost
Create hunting rule
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

Executable exe a08cd110a928227dd4b3b42b1801bc1c907dd042bea8494ac701142c5eb345da

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/413469/

Comments