MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6a0d5ac9e01aeda5e4bec59609b301463398d59583ccb1ad75ff0af4c8a869b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 15


Intelligence 15 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e6a0d5ac9e01aeda5e4bec59609b301463398d59583ccb1ad75ff0af4c8a869b
SHA3-384 hash: 7061a870e0406e9fe1157c29bf56ec585f81200dda118789924f950c7a0744c29b8583979be55fc06365f021da82f57f
SHA1 hash: 301eda58ccc6b3bdbfba3bd88db3ff273d254fde
MD5 hash: be8001149838e742d3b4e8024913d6e4
humanhash: steak-magazine-eight-aspen
File name:Payment Advice - Advice Ref[A1Zs2hOOvURy] ACH credits Customer Ref[20230612NT] Second Party Ref[00017062] Second Party ID[00017062].exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'009'152 bytes
First seen:2023-10-06 18:26:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 15d6445c42df82b2e1365b4e33803c24 (1 x Formbook, 1 x ModiLoader)
ssdeep 24576:LP5w2x86hvebmPEDagcDhxxxTjouoQHpOLCAVxsaJ:LP5w2x3vf8DaguLsulHpMCAHsM
Threatray 379 similar samples on MalwareBazaar
TLSH T1AD25BF17A3D08477C9832A346DDB6B746929FA602D68FD767AF41D0C8F38681BC111AF
TrID 58.4% (.OCX) Windows ActiveX control (116521/4/18)
21.5% (.EXE) InstallShield setup (43053/19/16)
7.1% (.EXE) Win32 Executable Delphi generic (14182/79/4)
6.5% (.SCR) Windows screen saver (13097/50/3)
2.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e3e1e3f1d9c9dbe2 (11 x AveMariaRAT, 9 x ModiLoader, 2 x Neurevt)
Reporter Racco42
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
303
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
395f32dc-4172-4bdf-b313-b01eac9bbd9d
Verdict:
Malicious activity
Analysis date:
2023-10-06 19:25:29 UTC
Tags:
dbatloader
Link:
https://app.any.run/tasks/395f32dc-4172-4bdf-b313-b01eac9bbd9d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Siggen18.41399.17560.19185.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Sending a custom TCP request
DNS request
Creating a file
Creating a process from a recently created file
Launching cmd.exe command interpreter
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control keylogger lolbin masquerade packed remcos
Link:
https://www.filescan.io/uploads/652051779b16696e9f940ba0/reports/6426b128-6994-4221-b290-51217f2ebb02/overview
Verdict:
Malicious
Labled as:
Backdoor.Remcos
Link:
https://www.hybrid-analysis.com/sample/e6a0d5ac9e01aeda5e4bec59609b301463398d59583ccb1ad75ff0af4c8a869b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dbatloader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/01bd7b73-d260-4205-9971-6a5d67317df9
Result
Threat name:
AveMaria, DBatLoader, UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1321201
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to check if Internet connection is working
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Drops PE files to the document folder of the user
Found malware configuration
Found stalling execution ending in API Sleep call
Increases the number of concurrent connection per server for Internet Explorer
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected DBatLoader
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1321201 Sample: 0017062].exe Startdate: 06/10/2023 Architecture: WINDOWS Score: 100 35 nightmare4666.ddns.net 2->35 37 bestsuccess.ddns.net 2->37 39 4 other IPs or domains 2->39 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Antivirus detection for URL or domain 2->53 55 9 other signatures 2->55 9 0017062].exe 5 7 2->9         started        13 Yrsdrblk.bat 2 2->13         started        15 Yrsdrblk.bat 1 2->15         started        signatures3 process4 file5 29 C:\Users\user\Documents\dropbox.exe, PE32 9->29 dropped 31 C:\Users\Public\Libraries\Yrsdrblk.bat, PE32 9->31 dropped 57 Drops PE files to the document folder of the user 9->57 59 Contains functionality to hide user accounts 9->59 61 Contains functionality to check if Internet connection is working 9->61 69 4 other signatures 9->69 17 dropbox.exe 2 9->17         started        63 Antivirus detection for dropped file 13->63 65 Multi AV Scanner detection for dropped file 13->65 67 Machine Learning detection for dropped file 13->67 71 4 other signatures 13->71 21 cmd.exe 13->21         started        signatures6 process7 dnsIp8 33 bestsuccess.ddns.net 80.85.153.111, 3443, 49716, 49717 CHELYABINSK-SIGNAL-ASRU Russian Federation 17->33 41 Antivirus detection for dropped file 17->41 43 Multi AV Scanner detection for dropped file 17->43 45 Contains functionality to hide user accounts 17->45 47 6 other signatures 17->47 23 cmd.exe 1 17->23         started        25 conhost.exe 21->25         started        signatures9 process10 process11 27 conhost.exe 23->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e6a0d5ac9e01aeda5e4bec59609b301463398d59583ccb1ad75ff0af4c8a869b/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-12 14:02:55 UTC
File Type:
PE (Exe)
Extracted files:
105
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=42qnlle6agxnuxsl5rmwbgzqcrrttdkzla6mwgwxl7yk6tekq2nq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
3180620ee9921fa4fbfbbb780478f80b4c5b58e7f2d94563ac7dbb19fe602a01
ModiLoader
39925dc9a38e74a5f56977966efc39fb124afa1bc5211fa006bbe48d836c2811
ModiLoader
3a549857526733dea4da5c4916d7c0015d8172ad8d845acc160d6b12be418b9a
ModiLoader
8a7ea6fa92042a82b6ee354c055e8579dd08bdf297aa5c0b54346405afca76be
ModiLoader
9af5260cfd754e80c6ccefcce5f6bf2bb1d1e8853b0854d54c90858521884917
ModiLoader
a5202fde9f9922792ddfb540ddf4aa409be00a762cb4b9d2b2a22d36e0713952
ModiLoader
e3578acb20ffc36bf721b7dd819047012296ad2c5e0aa5cbacee67d17b1b4558
ModiLoader
f0a7fdb30ada4af66a53c9540e8daa4c2acdda345aa8ec28aedfd02c4be6edff
ModiLoader
f26ad126464da99c98b042f79db61dc036724c9baeb90b7c14d3d70576229c2f
ModiLoader
+ 369 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:warzonerat infostealer persistence rat trojan
Link:
https://tria.ge/reports/231006-w3q96ahb79/
Behaviour
Script User-Agent
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
Executes dropped EXE
ModiLoader Second Stage
Warzone RAT payload
ModiLoader, DBatLoader
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
bestsuccess.ddns.net:3443
Unpacked files
SH256 hash:
bddf94bdd902afbe763a10cbea8bca07f9f8978ede2addba1232f780370875a4
MD5 hash:
0f1053173d73c6ab45dc766ce81debfc
SHA1 hash:
eeba174031118341853dc6b849b8427951745656
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/874e628b-165d-4d27-b8cd-76772d4ebe3f/
Parent samples :
2623649c5fb65c6ba55815531507894bde723e3f2afd37225c4bfc891b5cb982
ea70b9979a341160863f08becfdeb80c64450b37521dbbd6341cd4b88248a65d
18b15672bacee7b796cee3c6beffde75c0f7ae628b4575778fe3328687f9a9ed
ad5e18d32f403ca4871f3d4b222c84821a6b6ba74ec858cc99eb00c66bb6bddb
9a36bb988eb1f8bc83089fc9b406e8fc95ad96c6ef8466b497ec3b34220f6ef3
e6a0d5ac9e01aeda5e4bec59609b301463398d59583ccb1ad75ff0af4c8a869b
SH256 hash:
e6a0d5ac9e01aeda5e4bec59609b301463398d59583ccb1ad75ff0af4c8a869b
MD5 hash:
be8001149838e742d3b4e8024913d6e4
SHA1 hash:
301eda58ccc6b3bdbfba3bd88db3ff273d254fde
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/874e628b-165d-4d27-b8cd-76772d4ebe3f/
Malware family:
Warzone
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e6a0d5ac9e01/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/e6a0d5ac9e01aeda5e4bec59609b301463398d59583ccb1ad75ff0af4c8a869b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:CMD_Ping_Localhost
Create hunting rule
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MALWARE_Win_ModiLoader
Create hunting rule
Author:ditekSHen
Description:Detects ModiLoader
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Distributed via e-mail link

Comments