MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e171d573b4ead60f41683d0360376fdf531a8d58b60efe8389c05291407e60f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ModiLoader

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	e171d573b4ead60f41683d0360376fdf531a8d58b60efe8389c05291407e60f5
SHA3-384 hash:	78cb02c20d00ba5b4ebef96218ced357354a5488a5fdec524bc922d77d11159bb03cd39de9275d71f08ed7241fbf3126
SHA1 hash:	637b88ba20e710e36c6a23def3d5879b5b7e4d37
MD5 hash:	4668daa891ff2bb694200e43216b767e
humanhash:	pluto-virginia-happy-carolina
File name:	Siparis onayi eklendi.exe
Download:	download sample
Signature	ModiLoader Create hunting rule
File size:	1'009'152 bytes
First seen:	2022-10-14 06:16:04 UTC
Last seen:	2022-10-14 07:20:58 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	6241fa345109f9f0191abedbde30ab68 (3 x ModiLoader)
ssdeep	24576:jCWrt7oMiW2aoRQk4W0DHjsQAcJtVSn52:jCFR3LclSn52
TLSH	T13B258E12F1D1C836D56305B88D2B93546CDAFD112928B98A3EE13A4DDE37F923A35273
TrID	26.5% (.EXE) Win32 Executable Delphi generic (14182/79/4) 24.5% (.SCR) Windows screen saver (13101/52/3) 19.7% (.EXE) Win64 Executable (generic) (10523/12/4) 8.4% (.EXE) Win32 Executable (generic) (4505/5/1) 5.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):
dhash icon	11171f160755552b (3 x ModiLoader, 1 x BitRAT)
Reporter	abuse_ch
Tags:	exe geo ModiLoader TUR

Intelligence

File Origin

# of uploads :

# of downloads :

229

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/320271/

Detection(s):

SecuriteInfo.com.Variant.Zusy.439896.16778.25146.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Searching for synchronization primitives

DNS request

Sending a custom TCP request

Creating a file

Launching a process

Creating a process with a hidden window

Searching for the window

Launching cmd.exe command interpreter

Sending an HTTP GET request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/43071/overview

Behaviour

MalwareBazaar

CheckScreenResolution

CheckCmdLine

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

keylogger overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/6348fede67135c9da246f18b/reports/04e8f2ab-32a6-4668-be6a-83310bd7de75/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3907b594-0329-4a4e-90c0-fda201baeab7

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

48 / 100

Link:

https://www.joesandbox.com/analysis/1090503

Signature

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e171d573b4ead60f41683d0360376fdf531a8d58b60efe8389c05291407e60f5/

Threat name:

Win32.Backdoor.NetWiredRc

Status:

Malicious

First seen:

2022-10-14 06:17:14 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 42 (40.48%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4fy5k45u5lla6qlihubwan3p35jrvdkywyhp5a4jybjjcqd6md2q._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

xloader

Score:

10/10

Tags:

family:modiloader family:xloader campaign:uj3c loader persistence rat trojan

Link:

https://tria.ge/reports/221014-g1g65sbdb4/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Adds Run key to start application

ModiLoader Second Stage

Xloader payload

ModiLoader, DBatLoader

Xloader

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/288bbad1-e927-4fbd-8c47-8406fb487748

Unpacked files

SH256 hash:

e171d573b4ead60f41683d0360376fdf531a8d58b60efe8389c05291407e60f5

MD5 hash:

4668daa891ff2bb694200e43216b767e

SHA1 hash:

637b88ba20e710e36c6a23def3d5879b5b7e4d37

Detections:

DbatLoaderStage1

Link:

https://www.unpac.me/results/15b9ed44-0c10-43de-b46d-e014b37a6699/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e171d573b4ead60f41683d0360376fdf531a8d58b60efe8389c05291407e60f5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

exe e171d573b4ead60f41683d0360376fdf531a8d58b60efe8389c05291407e60f5

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/320271/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample