MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b77daf934032129b309e2cb8b32fb54cffba2691768520d5c6190cb9ba15a059. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b77daf934032129b309e2cb8b32fb54cffba2691768520d5c6190cb9ba15a059
SHA3-384 hash: dfd6817481dbc46b5547d288e555f5e2b01f9925fb92231717276392bf7aa854d50ef43d8c48572d5f84b6895fea945f
SHA1 hash: 88ec187133d7e63abf95bfd47005f16448be2fb7
MD5 hash: 8c1e52ac9553fab121ee950749fe1d31
humanhash: august-hotel-white-eighteen
File name:8c1e52ac9553fab121ee950749fe1d31
Download: download sample
Signature ModiLoader
Create hunting rule
File size:808'448 bytes
First seen:2023-07-20 12:09:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash da21ccc93f3893853ed8366aca50ca61 (3 x Formbook, 1 x RemcosRAT, 1 x ModiLoader)
ssdeep 24576:rk/A25GoqxIJs7ks3XJrPz6cDCnvMhqv9:rKAKGj7ks35rPmaCnvMsv9
Threatray 1'470 similar samples on MalwareBazaar
TLSH T128059E21F2B285B3E2627E748C2657A554797F602538140A6AD73DDCFFBB3926C281C3
TrID 84.9% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
4.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.2% (.SCR) Windows screen saver (13097/50/3)
2.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 80ace0c4e4d09000 (5 x Formbook, 4 x ModiLoader, 3 x RemcosRAT)
Reporter zbetcheckin
Tags:32 exe ModiLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
328
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8c1e52ac9553fab121ee950749fe1d31
Verdict:
Malicious activity
Analysis date:
2023-07-20 12:10:34 UTC
Tags:
dbatloader opendir darkcloud
Link:
https://app.any.run/tasks/e097bce2-ae4d-43a0-a337-2220a9e890b9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/426012/
Detection(s):
SecuriteInfo.com.Heur.20230720143030221349905.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control keylogger lolbin packed shell32
Link:
https://www.filescan.io/uploads/64b9241afd9e198dc11672d7/reports/0d2461dc-1e44-49ea-9ba3-4b3f5657d842/overview
Verdict:
Malicious
Labled as:
Jaik.Generic
Link:
https://www.hybrid-analysis.com/sample/b77daf934032129b309e2cb8b32fb54cffba2691768520d5c6190cb9ba15a059
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dbatloader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/00bee0fa-a7c8-41e4-9a01-0c0015df9b49
Result
Threat name:
DBatLoader, DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1276742
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected DarkCloud
Yara detected DBatLoader
Yara detected Generic Dropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1276742 Sample: lppob0Xe3W.exe Startdate: 20/07/2023 Architecture: WINDOWS Score: 100 69 Found malware configuration 2->69 71 Multi AV Scanner detection for dropped file 2->71 73 Multi AV Scanner detection for submitted file 2->73 75 6 other signatures 2->75 11 lppob0Xe3W.exe 1 7 2->11         started        process3 dnsIp4 57 red-service.net 2.59.255.67, 49697, 80 CMCSUS Germany 11->57 49 C:\Users\Public\Libraries\netutils.dll, PE32+ 11->49 dropped 51 C:\Users\Public\Libraries\easinvoker.exe, PE32+ 11->51 dropped 53 C:\Users\Public\Libraries\Dllxcxep.PIF, PE32 11->53 dropped 79 Drops PE files with a suspicious file extension 11->79 81 Writes to foreign memory regions 11->81 16 cmd.exe 3 11->16         started        19 logagent.exe 11->19         started        file5 signatures6 process7 signatures8 59 Uses ping.exe to sleep 16->59 61 Drops executables to the windows directory (C:\Windows) and starts them 16->61 63 Uses ping.exe to check the status of other devices and networks 16->63 21 easinvoker.exe 16->21         started        23 PING.EXE 1 16->23         started        26 xcopy.exe 2 16->26         started        31 6 other processes 16->31 29 WerFault.exe 19->29         started        process9 dnsIp10 33 cmd.exe 1 21->33         started        55 127.0.0.1 unknown unknown 23->55 45 C:\Windows \System32\easinvoker.exe, PE32+ 26->45 dropped 47 C:\Windows \System32\netutils.dll, PE32+ 31->47 dropped file11 process12 signatures13 65 Suspicious powershell command line found 33->65 67 Adds a directory exclusion to Windows Defender 33->67 36 powershell.exe 23 33->36         started        39 conhost.exe 33->39         started        process14 signatures15 77 DLL side loading technique detected 36->77 41 conhost.exe 36->41         started        process16 process17 43 conhost.exe 41->43         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b77daf934032129b309e2cb8b32fb54cffba2691768520d5c6190cb9ba15a059/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2023-07-20 08:13:02 UTC
File Type:
PE (Exe)
Extracted files:
30
AV detection:
23 of 25 (92.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=w5627e2agijjwme6fs4lgl5vjt73ujuro2csbvogdegltoqvubmq._file
Verdict:
malicious
Similar samples:
0b212fe0dd1772af4629465b73343d7734a70b96cf71f6771ac314e3b0342894
ModiLoader
1cd346c54de5119303b2387f3341e8d20920d3e3c5ad8ace7f095457d71a12ce
ModiLoader
1dac278c05c70bc6df9e9eff71a38932549c61f51e1fed6239420a3c542c0476
ModiLoader
319eebfe268b98849276901a885c1764cd0d964691fbe0d58689ef2a62f051c9
ModiLoader
37082f0b757d6c249b870c29872a9bf8e38e344150735d9b6d2a64364b18b226
ModiLoader
b343cef21a2f4b728fcac972022ec6e7ff3e7d41539be9c2dc2235320ef9088b
ModiLoader
d374dd13f6d66d64c976cf30150acc77379b7ac6d5759294d15cffd1c887cda1
ModiLoader
+ 1'460 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader persistence trojan
Link:
https://tria.ge/reports/230720-pb1wysgd93/
Behaviour
Enumerates system info in registry
Runs ping.exe
Script User-Agent
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
ModiLoader Second Stage
ModiLoader, DBatLoader
Suspicious use of NtCreateProcessOtherParentProcess
Unpacked files
SH256 hash:
37cf6c9b34752dbe6a758f876ad58d196993df6a98cf7a873e484897280700f6
MD5 hash:
3889cdfac954d07278eae955d5e13b27
SHA1 hash:
33a2bdea8e076738d219541736615a2a2177c922
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/459b0ff1-76f4-43a3-a0e2-d0a0d0b4acbc/
Parent samples :
009bdad48405a11c887a397ea42fc93fc730ec39e63e5c61f3f8df31ff34c1f1
b77daf934032129b309e2cb8b32fb54cffba2691768520d5c6190cb9ba15a059
1dd8111ab9a5ff0da09762bb7f51bb0cd275ce9158bb195229bfff8af26f00c4
SH256 hash:
b77daf934032129b309e2cb8b32fb54cffba2691768520d5c6190cb9ba15a059
MD5 hash:
8c1e52ac9553fab121ee950749fe1d31
SHA1 hash:
88ec187133d7e63abf95bfd47005f16448be2fb7
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/459b0ff1-76f4-43a3-a0e2-d0a0d0b4acbc/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b77daf934032/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.39
Link:
https://yomi.yoroi.company/submissions/b77daf934032129b309e2cb8b32fb54cffba2691768520d5c6190cb9ba15a059

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CMD_Ping_Localhost
Create hunting rule
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ModiLoader

Executable exe b77daf934032129b309e2cb8b32fb54cffba2691768520d5c6190cb9ba15a059

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/426012/
  
URLhaus
https://urlhaus.abuse.ch/url/2686390/

Comments


Avatar
zbet commented on 2023-07-20 12:09:55 UTC

url : hxxp://red-service.net/docexpltt/saqoap.exe