MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dca7a22ab693c8d59845bce5de96d728d328b30174c9109e212f88447591f977. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dca7a22ab693c8d59845bce5de96d728d328b30174c9109e212f88447591f977
SHA3-384 hash: 2eb11df2384700f4d99d618baf32562f34b6fbfe4231baebacde61535f7dc2b6ab08fac59fec6670bbd6230025cda638
SHA1 hash: e713b2fff7ce1e0960fb47fd96810092167031b8
MD5 hash: 8a9f93afb3b3eac7099415b03ce74f70
humanhash: snake-diet-lion-oscar
File name:8a9f93afb3b3eac7099415b03ce74f70.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:771'264 bytes
First seen:2020-12-15 07:57:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c3d6710a07e2881790555234ea14179a (8 x ModiLoader, 1 x Formbook, 1 x ISRStealer)
ssdeep 12288:/4Per7j2cD2/gERzL6XeF03yKnkn3Hp2EAIFOuYNmT:/VKc63GkSnioEvOBo
Threatray 12 similar samples on MalwareBazaar
TLSH 91F49F53F2904437D1671A799C1F97A89C2ABF103E249D8A6BF93D0C4F3A391782A1D7
Reporter abuse_ch
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
144
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8a9f93afb3b3eac7099415b03ce74f70.exe
Verdict:
No threats detected
Analysis date:
2020-12-15 07:58:19 UTC
Tags:
installer
Link:
https://app.any.run/tasks/55662afc-b787-414a-ae3b-e9d80782d786

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/108099/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Variant.Strictor.253009.11269.9482.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/563076
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dca7a22ab693c8d59845bce5de96d728d328b30174c9109e212f88447591f977/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-12-15 07:58:10 UTC
AV detection:
25 of 46 (54.35%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3st2ekvwspenlgcfxts55fwxfdjsrmyboterbhrbf6eei5mr7f3q._file
Verdict:
malicious
Similar samples:
35b67e1c875487d5d0f15b03a1fd37cfe1396d13ff47440ef7f18402f1b7131e
ModiLoader
556eb256ac26f32787bf8d8b54980b1ba50b93b3736683e59b26398a1f42820f
ModiLoader
5c755513f6bb355adb6e71b9970361b71191b987dbfa53a1fa4b79651b75fe15
ModiLoader
88b677a3b0b552141610da3b5b9a73f40e705a16cec821c73ea01a55fbf8202f
ModiLoader
8ede03b20c5b4ef52e213ef63d0470ed9a71caa0435a0a4bb4a6b95903cfdd76
ModiLoader
b4711ee19363ec125911ae1356714720a9d9b463848b1044d08d56977cb960db
ModiLoader
b650350fb7bdd840c9cc16502e902983d7fb5faf00ed6f60ef8439a6ccd4e33c
ModiLoader
f13d529ca2630de2bbd314359f7ac92d83acb76ff80dc169990634c1ad929b0b
ModiLoader
f8256bf4c71a315eb73feee981a5f9220dfb7196476d180b5375eb40bfbfc5b0
ModiLoader
ff30b5d93f9eb3ec64ac203f9caafd54dd31677549a3aa484eb71db513fe8040
ModiLoader
+ 2 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201215-mqkq9qlm2j/
Behaviour
Modifies system certificate store
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
4a0af77548a8ab6fe0aad2c9c4dc7476c55d7949f4b407f41ec5a2dc0e130a24
MD5 hash:
2408add4b00a1d53492028b625d21d75
SHA1 hash:
7c31221db0d7e4d04515e7c71334f1cc0f0c39a5
Detections:
win_dbatloader_g0
Create hunting rule
Link:
https://www.unpac.me/results/660e1cff-8423-4e7f-8eb1-f1febe7b7154/
SH256 hash:
dca7a22ab693c8d59845bce5de96d728d328b30174c9109e212f88447591f977
MD5 hash:
8a9f93afb3b3eac7099415b03ce74f70
SHA1 hash:
e713b2fff7ce1e0960fb47fd96810092167031b8
Link:
https://www.unpac.me/results/660e1cff-8423-4e7f-8eb1-f1febe7b7154/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dca7a22ab693c8d59845bce5de96d728d328b30174c9109e212f88447591f977

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_dbatloader_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Description:targets loader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ModiLoader

Executable exe dca7a22ab693c8d59845bce5de96d728d328b30174c9109e212f88447591f977

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/898216/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/108099/

Comments