MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad2c3ee8225bffd3052bb7d77be8e73b14731a65d420a08bac8cd72f979300b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ModiLoader

Vendor detections: 14

Intelligence 14 IOCs YARA File information Comments

SHA256 hash:	ad2c3ee8225bffd3052bb7d77be8e73b14731a65d420a08bac8cd72f979300b9
SHA3-384 hash:	2e02e9b2205febf48229684166b5437a23d61ec25a2408e8b1e8cedc8407594a01b90cdd06e2ec011ae018c9ce5f1d17
SHA1 hash:	80ef38196e6f22e44abde1b9c06d5b49f268bb38
MD5 hash:	3d4abe00ce392ccb409a8c5651ac9633
humanhash:	alanine-alabama-sink-ink
File name:	ad2c3ee8225bffd3052bb7d77be8e73b14731a65d420a08bac8cd72f979300b9
Download:	download sample
Signature	ModiLoader Create hunting rule
File size:	1'031'168 bytes
First seen:	2022-09-08 10:28:35 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4ece17b2e649d5a5008f1aa7cdee9f6f (4 x RemcosRAT, 1 x Formbook, 1 x ModiLoader)
ssdeep	12288:fMrKprISPxdtyWrV3vneDB5JkTEp9ybqTiQJ5KT7grzwGjReiOXRDJymf7fvO:fMmljztfw+woiiqPheiOXRDDvO
Threatray	88 similar samples on MalwareBazaar
TLSH	T13E259FE1B2D2C63BD017167DCD2BA3699C69BE402924644E27F6290CDE79383383F55B
TrID	68.5% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58) 27.0% (.EXE) Win32 Executable Borland Delphi 6 (262638/61) 1.4% (.EXE) Win32 Executable Delphi generic (14182/79/4) 1.3% (.SCR) Windows screen saver (13101/52/3) 0.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	ecdce4c48c9ce4c4 (14 x RemcosRAT, 9 x DBatLoader, 5 x Formbook)
Reporter	adrian__luca
Tags:	exe ModiLoader

Intelligence

File Origin

# of uploads :

# of downloads :

321

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ad2c3ee8225bffd3052bb7d77be8e73b14731a65d420a08bac8cd72f979300b9

Verdict:

Suspicious activity

Analysis date:

2022-09-08 10:28:04 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f4cb0b5f-1642-4e82-bc31-bd8d49ec354d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/308738/

Detection(s):

SecuriteInfo.com.Trojan.Siggen18.39208.15296.20834.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

Searching for synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/37060/overview

Behaviour

MalwareBazaar

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

keylogger remcos shell32.dll

Link:

https://www.filescan.io/uploads/6319c4681d4a849311e13b45/reports/f14f9961-6a37-4888-af5e-5d881c0ccdfe/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/76f5c7a6-ae4a-4e10-8f83-7973d84676c5

Result

Threat name:

DBatLoader

Detection:

malicious

Classification:

troj.expl

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/1067029

Signature

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected DBatLoader

Yara detected UAC Bypass using ComputerDefaults

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ad2c3ee8225bffd3052bb7d77be8e73b14731a65d420a08bac8cd72f979300b9/

Threat name:

Win32.Backdoor.Remcos

Status:

Malicious

First seen:

2022-08-29 14:45:15 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 25 (80.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=vuwd52bclp75gbjlw7lxx2hhhmkhggtf2qqkbc5mrtls7f4tac4q._file

Verdict:

malicious

ModiLoader

1dddbd9bb1c2ed3b0ac846f3dcfbfd99909394f17a813be425b1870ef0f52c5e

ModiLoader

35cf771ddfdab8d8f18d4ee2b4841602be4bc77f9d952ecd5f9e870160cfe8f8

ModiLoader

5fabffc9eb6177ac29a1e51bf2a8bde55ddd97e2f7c86134eb2512b927f1232e

ModiLoader

663b7bc66499e507ca1f8fad6e42195a54fe242db3cc71bf4762952fe04ce5ee

ModiLoader

868e3a9f49c41cd1823e765cc8d2e97453ada6baac959e58187e1a337db01b96

ModiLoader

88502779764c4ceacff4b4a39a389bf13389b734f99e76160c865a2da6d21bee

ModiLoader

92dfb3c31bc3fd90f36666807e165fccd6595a9db35ff6bdcc60423ca7d77112

ModiLoader

aa4a3cf409c65c84e33841c92533d1781a01cd5b1b5ba372e0b3d4c333a8f5fe

ModiLoader

e233d86e74d3846be66e323c4850b495c66658ca63cd28ec1a47a3b0c95f7559

ModiLoader

+ 78 additional samples on MalwareBazaar

Result

Malware family:

modiloader

Score:

10/10

Tags:

family:modiloader trojan

Link:

https://tria.ge/reports/220908-mh8h9sech3/

Behaviour

ModiLoader Second Stage

ModiLoader, DBatLoader

Unpacked files

SH256 hash:

d5258f99211ece384cf3fc0647b75c86afbea93875e7723c2600d35ddf1131a7

MD5 hash:

014c7a7439bd291ad8479b70999c313c

SHA1 hash:

28d44fb55d2c6b039aafaf4d24b37691c8a4a69c

Link:

https://www.unpac.me/results/529cc613-373a-4cdf-b180-71e5fde05231/

SH256 hash:

53619866fb7adb9f5dcbed0dce75932a74830dc02351a6b6c819e9701a13ada1

MD5 hash:

38a86eff48873c72ca4d72f191a56f63

SHA1 hash:

25e96f601aa827d3b1ab70b0fdc67d0c15023b73

Detections:

win_dbatloader_g1

Link:

https://www.unpac.me/results/529cc613-373a-4cdf-b180-71e5fde05231/

Parent samples :

e9f4a7f5f39ac0ea1fc287c5d9521667d3eca8344b2e60fe26f9f795d7f53a8d
2e86f98ee2dc99164970b21058123fda31af9feb290e14646c3a6f49525f2fcc
5968fd5908c38e76d8f57fbfe06bfc87956d15b778eaa637816e1630fb3eb7c4
b725d730c210274c7cc33fa90c06467cf9e3416a9d214e060e14f323d31aa3c7
6620f97090422729f9d69268a68b76cc854f81cd97c25f3463315344ba3d639e
eae13c9aa0b286157c56819381b92a4a6d8e2607f553e7b71539b1959f2cd7a2
efa8f5c281c591960f2a8f508f278b1541de0c308f4039432307de4e0f25627c
aa4a3cf409c65c84e33841c92533d1781a01cd5b1b5ba372e0b3d4c333a8f5fe
d9d5ed4a3733ad8d8edcdd4a4e36f965f3ad5b0b0bb38b54acd9091ee99ff7cf
9e6da348b123ec110ed3d923198f378f6398a6e1f87d3a440340c5ab479e6912
ad2c3ee8225bffd3052bb7d77be8e73b14731a65d420a08bac8cd72f979300b9
22c7ed8874209dd96c59fbc16dd829802729f9fa34c09cce41f6f64704af7578

SH256 hash:

ad2c3ee8225bffd3052bb7d77be8e73b14731a65d420a08bac8cd72f979300b9

MD5 hash:

3d4abe00ce392ccb409a8c5651ac9633

SHA1 hash:

80ef38196e6f22e44abde1b9c06d5b49f268bb38

Detections:

DbatLoaderStage1

Link:

https://www.unpac.me/results/529cc613-373a-4cdf-b180-71e5fde05231/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ad2c3ee8225bffd3052bb7d77be8e73b14731a65d420a08bac8cd72f979300b9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/308738/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample