MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b415a5cc8d0c1c960e7bc16bcb9351943b2c998f9430b1a1425b715754cc1e11. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ModiLoader

Vendor detections: 16

Intelligence 16 IOCs YARA 3 File information Comments

SHA256 hash:	b415a5cc8d0c1c960e7bc16bcb9351943b2c998f9430b1a1425b715754cc1e11
SHA3-384 hash:	77e353d30e8570ad1008ab6e21f832b2d636899cd2475460620472429eccc60bb82a9c6ae506470989e58afd3609f74e
SHA1 hash:	be14dae2c9ecc2227269053fa0829d57cc6052b4
MD5 hash:	66b8754b442f4b670f96017505518a72
humanhash:	seventeen-fanta-quebec-oscar
File name:	file.exe
Download:	download sample
Signature	ModiLoader Create hunting rule
File size:	701'952 bytes
First seen:	2023-05-09 00:08:10 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	6210235ce620fa87d50b3ebe333e8734 (1 x ModiLoader)
ssdeep	12288:lnGZwDJEET9iY7ED3FxwMueDDn/gUZDArfzaEGcNmd:lnWZExiY4FN/TU7znc
Threatray	154 similar samples on MalwareBazaar
TLSH	T17FE49D1AB1E0D572F02A19B95C4BC3945C5DBD682E381457BAFF3CC8DA7B68678202C7
TrID	68.5% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58) 27.0% (.EXE) Win32 Executable Borland Delphi 6 (262638/61) 1.4% (.EXE) Win32 Executable Delphi generic (14182/79/4) 1.3% (.SCR) Windows screen saver (13097/50/3) 0.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	74f0f4d2d4e4d0dc (2 x ModiLoader, 1 x AveMariaRAT)
Reporter	Chainskilabs
Tags:	exe ModiLoader

Intelligence

File Origin

# of uploads :

# of downloads :

230

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file.exe

Verdict:

Malicious activity

Analysis date:

2023-05-09 00:10:43 UTC

Tags:

dbatloader

Link:

https://app.any.run/tasks/2b30ae7b-6dd7-4712-929c-885b5c1ad57a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/387617/

Detection(s):

PUA.Win.Packer.BorlandDelphi-15

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

DNS request

Sending a custom TCP request

Unauthorized injection to a recently created process

Sending an HTTP GET request

Behavior that indicates a threat

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/83119/overview

Behaviour

MalwareBazaar

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

fareit formbook greyware keylogger

Link:

https://www.filescan.io/uploads/64598f1e03238d4c41f20b1e/reports/d30c418b-fc17-45cc-9ee8-76467040d043/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/b415a5cc8d0c1c960e7bc16bcb9351943b2c998f9430b1a1425b715754cc1e11

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/dc21f21f-2914-4f33-9083-f0d9261af3ab

Result

Threat name:

DBatLoader, Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1228758

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected DBatLoader

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b415a5cc8d0c1c960e7bc16bcb9351943b2c998f9430b1a1425b715754cc1e11/

Threat name:

Win32.Trojan.RemcosRAT

Status:

Malicious

First seen:

2023-04-18 13:45:29 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

29 of 37 (78.38%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wqk2ltenbqojmdt3yfv4xe2rsq5szgmpsqyldikclnyvovgmdyiq._file

Verdict:

malicious

ModiLoader

0f3cf7eb4a39448632d857ca47ffd0546614f5065512ff1f0b937b4637d78c15

ModiLoader

2050a2f16f735a22589fa28453489733dfa907f5f9b05ce0510b89bcafae0ba4

ModiLoader

3c1ebdf7ddc8c5332ff02def398851eecee1329326f851e9adc135a6a25e4e98

ModiLoader

558da56234404dd337be2a22e2493aa6c140b7688e58a17236dc95da0e5162eb

ModiLoader

9d32dcd66ddeff3c376b08f6c76d28a3b577eebc2f0d8b9ba1781109ec3d6c62

ModiLoader

b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0

ModiLoader

c6dd25dcabf4bcb343f25f084c237b432d2f1aef3600129f6f784cd2969645e6

ModiLoader

f9803322b5a1423f9d3ec2381ceccd1911ff49dba85c0cb25437d653c5658d44

ModiLoader

fc258ff7ef8632a4cc29132b406ea66c43c0dc7fbf9f7ce9b0ab016b8fd0da3a

ModiLoader

+ 144 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:modiloader family:vidar botnet:bbee3401930f10e95914ad2b6f71c79d stealer trojan

Link:

https://tria.ge/reports/230509-affn9add96/

Behaviour

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

ModiLoader Second Stage

ModiLoader, DBatLoader

Vidar

Malware Config

C2 Extraction:

https://steamcommunity.com/profiles/76561199497218285
https://t.me/tg_duckworld

Unpacked files

SH256 hash:

095b979675b30e6d3e8e40218dc6113653e492af513fdce45a77e89cfed7cb9b

MD5 hash:

7639fd3b14f5dd69b3a7ed3811eed185

SHA1 hash:

ac257543642e01030013aa5c8335aee8a9c67aec

Detections:

win_dbatloader_g1

Link:

https://www.unpac.me/results/ce142697-ec17-4d0d-8f37-ab8e486d5310/

Parent samples :

7cefa86b7d549456294279b027e5226e771a760fb551b5ee869feaac28f85f8a
c885f1740970c383d1624b7f64dfb335fc7c0324bfa45deb96577e0d25bff7ae
552685bd9d5668183267fa60f76af8584611e11d439085d660ae54147ca5f355
55b7f1bd4c56855427d9f9cec42bc93f75995193f023f4242b7f6e958868f619
b415a5cc8d0c1c960e7bc16bcb9351943b2c998f9430b1a1425b715754cc1e11

SH256 hash:

b415a5cc8d0c1c960e7bc16bcb9351943b2c998f9430b1a1425b715754cc1e11

MD5 hash:

66b8754b442f4b670f96017505518a72

SHA1 hash:

be14dae2c9ecc2227269053fa0829d57cc6052b4

Detections:

DbatLoaderStage1

Link:

https://www.unpac.me/results/ce142697-ec17-4d0d-8f37-ab8e486d5310/

Malware family:

Vidar.A

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b415a5cc8d0c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b415a5cc8d0c1c960e7bc16bcb9351943b2c998f9430b1a1425b715754cc1e11

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CMD_Ping_Localhost Create hunting rule

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen