MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e09a767ad0a00ade6074dcc43b64010206220db79086c3bf9a7330ce1b603cc6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ModiLoader


Vendor detections: 12



SHA256 hash: e09a767ad0a00ade6074dcc43b64010206220db79086c3bf9a7330ce1b603cc6
SHA3-384 hash: 604d17c8f0c8b7b62039caaf3b6f07591008e29fc5fb3b036039f9fe9a64ee46864a3b0cb47ae811a7f63d8ef60e9871
SHA1 hash: 74ac80e2ef80ef4142b87e9966c7467270d95bc6
MD5 hash: c532d96ddc45a2191d48dd6ea20e1afc
humanhash: spring-friend-white-music
File name: SecuriteInfo.com.Win32.InjectorX-gen.18903.24176
Signature: ModiLoader
File size: 787'968 bytes
First seen: 2022-10-25 09:23:13 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2b0a8acc88a118a43eebdb148f9f94ce (2 x ModiLoader, 2 x NetWire)
ssdeep: 12288:hCUL5e5qQvVHmVo+R0OXL4r70eYt8JyynITtsUXnvxwUxLfHazzJrN:s45INvVGVoU0OXLPxMyyIuUPB
Threatray: 803 similar samples on MalwareBazaar
TLSH: T1F5F49E27BFD15D37F117197ACCABD369A8297E207E18D4862AEC1D895F3F9423428093
TrID:
  23.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
  21.6% (.SCR) Windows screen saver (13101/52/3)
  17.4% (.EXE) Win64 Executable (generic) (10523/12/4)
  16.5% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
  7.4% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 34f4c6c4d4d4d4d4 (3 x ModiLoader, 2 x NetWire)
Reporter: SecuriteInfoCom
Tags: exe ModiLoader

Intelligence


File Origin
# of uploads: 1
# of downloads: 212
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Invoice #0049334.img
Verdict: Malicious activity
Analysis date: 2022-10-25 07:49:12 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Creating a process with a hidden window
Searching for the window
Setting a global event handler
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Unauthorized injection to a system process
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: BitRAT, DBatLoader
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected BitRAT
Yara detected DBatLoader
Behaviour
Behavior Graph (ID 730045; sample SecuriteInfo.com.Win32.Inje...; start date 25/10/2022; architecture WINDOWS; score 100):

Start node:
  DNS/IP: davidmanne.casacam.net
  Signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 4 other signatures
  Started: SecuriteInfo.com.Win32.InjectorX-gen.18903.24176.exe; Prdtjvjj.exe

SecuriteInfo.com.Win32.InjectorX-gen.18903.24176.exe:
  DNS/IP: l-0003.l-dc-msedge.net 13.107.43.12, 443, 49697, 49699 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; yjxtha.sn.files.1drv.com; 2 other IPs or domains
  Dropped: C:\Users\Public\Libraries\Prdtjvjj.exe (PE32); C:\Users\...\Prdtjvjj.exe:Zone.Identifier (ASCII)
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
  Started: colorcpl.exe

Prdtjvjj.exe:
  DNS/IP: l-0004.l-dc-msedge.net 13.107.43.13, 443, 49700, 49702 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; yjxtha.sn.files.1drv.com; 2 other IPs or domains
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  Started: colorcpl.exe

colorcpl.exe (started by SecuriteInfo.com.Win32.InjectorX-gen.18903.24176.exe):
  DNS/IP: davidmanne.casacam.net 20.12.20.153, 2223, 49704, 49705 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; 192.168.2.1 unknown unknown
  Signatures: Hides threads from debuggers
Threat name: Win32.Trojan.FormBook
Status: Malicious
First seen: 2022-10-25 07:45:16 UTC
File Type: PE (Exe)
Extracted files: 11
AV detection: 17 of 26 (65.38%)
Threat level: 5/5
Result
Malware family: modiloader
Score: 10/10
Tags: family:bitrat family:modiloader persistence trojan upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Adds Run key to start application
UPX packed file
ModiLoader Second Stage
BitRAT
ModiLoader, DBatLoader
Malware Config
C2 Extraction: davidmanne.casacam.net:2223
Verdict: Suspicious
Tags: n/a
YARA: n/a
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments