MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d815c085093b35ac977c206b6ea93dee817c02e926dd32768713b3a6bc7d1869. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ModiLoader


Vendor detections: 14

SHA256 hash: d815c085093b35ac977c206b6ea93dee817c02e926dd32768713b3a6bc7d1869
SHA3-384 hash: 46e31c6045c45e24e3ffa644400b9fa1713c86f5117b66cff4a7fedacceafabdcc19536e562efe64c111c366161949ea
SHA1 hash: 95a890a129aaec45060a626de8b1d5c14e8f80e2
MD5 hash: 041d3a67322604929beb2b73561993bf
humanhash: cat-purple-oven-delaware
File name: HSBC Advice,pdf.bat
Download: download sample
Signature: ModiLoader
File size: 1'027'072 bytes
First seen: 2023-08-07 13:24:49 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f124c2769d9b6924a548d49dbb0637ae (2 x ModiLoader)
ssdeep: 12288:ahC5PdEN+Ff8tsq8BFhMw3iiKu0OnPbWfLFhLOrBZYiGJNraCknCPRe7Fly:hTLFf8tsq8HhMw3AuhnPbC6ZYimadE
Threatray: 3'472 similar samples on MalwareBazaar
TLSH: T1E725C026E6555572C42363789D4F6B988F2AFD306938B49136F8A9DC4EFB3803C6B113
TrID: 50.1% (.EXE) InstallShield setup (43053/19/16)
      15.2% (.SCR) Windows screen saver (13097/50/3)
      12.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      7.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      5.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE): PE icon
dhash icon: 62c1c8d48eaada1a (2 x ModiLoader)
Reporter: abuse_ch
Tags: bat exe HSBC ModiLoader

Intelligence


File Origin
# of uploads :
1
# of downloads :
287
Origin country :
NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
HSBC Advice,pdf.bat
Verdict:
Malicious activity
Analysis date:
2023-08-07 13:38:21 UTC
Tags:
installer dbatloader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Gathering data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
DBatLoader, FormBook
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Early bird code injection technique detected
Found malware configuration
Injects a PE file into a foreign process
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Behavior Graph ID: 1287141 (Sample: HSBC_Advice,pdf.bat.exe, Startdate: 07/08/2023, Architecture: WINDOWS, Score: 100); the rendered process-tree graph is not reproduced here.
Threat name:
Win32.Trojan.Babar
Status:
Malicious
First seen:
2023-08-07 08:25:02 UTC
File Type:
PE (Exe)
Extracted files:
50
AV detection:
20 of 38 (52.63%)
Threat level:
5/5
Result
Malware family:
modiloader
Score:
10/10
Tags:
family:modiloader persistence trojan
Behaviour
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
ModiLoader Second Stage
ModiLoader, DBatLoader
Unpacked files
SHA256 hash:
c9dd678e6788132b1d0853f9de7406ee75271d2919bc33595bfc57bb6f9072bf
MD5 hash:
826195fb2a479ce2f80f52b2c1f4075b
SHA1 hash:
9271eb2984e03f4efbd28e3b09b1df3df004a216
Detections:
win_dbatloader_g1
SHA256 hash:
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
MD5 hash:
c116d3604ceafe7057d77ff27552c215
SHA1 hash:
452b14432fb5758b46f2897aeccd89f7c82a727d
SHA256 hash:
4fc587e9fd01541f6849a2f775ad4c83c2877172e59022e356cc87ba45836d59
MD5 hash:
15e02b49c9c74678ef88302fad4f42ce
SHA1 hash:
43d39cedffa2f98a75df02a4eee0884f04ad87b3
SHA256 hash:
d815c085093b35ac977c206b6ea93dee817c02e926dd32768713b3a6bc7d1869
MD5 hash:
041d3a67322604929beb2b73561993bf
SHA1 hash:
95a890a129aaec45060a626de8b1d5c14e8f80e2
Detections:
DbatLoaderStage1
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BobSoftMiniDelphiBoBBobSoft
Author: malware-lu
Rule name: Borland
Author: malware-lu
Rule name: CMD_Ping_Localhost
Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name: MALWARE_Win_ModiLoader
Author: ditekSHen
Description: Detects ModiLoader
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: Typical_Malware_String_Transforms
Author: Florian Roth (Nextron Systems)
Description: Detects typical strings in a reversed or otherwise modified form
Reference: Internal Research
Rule name: Typical_Malware_String_Transforms_RID3473
Author: Florian Roth
Description: Detects typical strings in a reversed or otherwise modified form
Reference: Internal Research
Rule name: without_attachments
Author: Antonio Sanchez <asanchez@hispasec.com>
Description: Rule to detect the absence of any attachment
Reference: http://laboratorio.blogs.hispasec.com/
Rule name: without_urls
Author: Antonio Sanchez <asanchez@hispasec.com>
Description: Rule to detect the absence of any URL
Reference: http://laboratorio.blogs.hispasec.com/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  ModiLoader
    Executable exe d815c085093b35ac977c206b6ea93dee817c02e926dd32768713b3a6bc7d1869 (this sample)

Delivery method: Distributed via e-mail attachment

Comments