MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f53107b892a50e33ff130e01cf391a2b69524dbe09b75cc13192365bbd6eda11. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ModiLoader

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	f53107b892a50e33ff130e01cf391a2b69524dbe09b75cc13192365bbd6eda11
SHA3-384 hash:	eea263c59f7801926c1af4d11310bfcedd1bf4f3e1586eb0b7a21945960003f257dddafa21cc137e33a85d8d750dcd9d
SHA1 hash:	a784ef5651e7e1530d4e77ab9f7f3507b51d9e67
MD5 hash:	84bf18cdc14d7e2c5311ff6cd071a0dc
humanhash:	kilo-ceiling-venus-summer
File name:	era 1.exe
Download:	download sample
Signature	ModiLoader Create hunting rule
File size:	882'688 bytes
First seen:	2022-11-29 19:44:50 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	5726129c7d2d4fcff81feaf6445b482f (1 x BitRAT, 1 x ModiLoader)
ssdeep	12288:fSj5lclcaywFMtTPWQOQSJU3FtJlpCBIUQZC8fRuHT6Kk/RqIkr:fSVKFp6rfn/VXPCyE8fMuqI
Threatray	2'786 similar samples on MalwareBazaar
TLSH	T1B8159E23A1518477D1721A789D0B57A4691EBDE02F38EC5767E03CCCCF3978A782A297
TrID	45.0% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58) 30.6% (.EXE) Win32 Executable Borland Delphi 5 (451463/56/28) 17.8% (.EXE) Win32 Executable Borland Delphi 6 (262638/61) 2.9% (.EXE) InstallShield setup (43053/19/16) 0.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
File icon (PE):
dhash icon	33b0f8ba92d43093 (3 x ModiLoader, 1 x BitRAT)
Reporter	0xToxin
Tags:	exe ModiLoader

Intelligence

File Origin

# of uploads :

# of downloads :

209

Origin country :

Vendor Threat Intelligence

Malware family:

bitrat

ID:

File name:

era 1.exe

Verdict:

Malicious activity

Analysis date:

2022-11-29 19:47:24 UTC

Tags:

installer trojan bitrat rat

Link:

https://app.any.run/tasks/9af115e8-9407-445d-b623-4abe7c99bafb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/339804/

Detection(s):

SecuriteInfo.com.W32.Formbook.AA.tr.27641.29258.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

DNS request

Sending a custom TCP request

Creating a file

Launching a process

Creating a process with a hidden window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

formbook keylogger remcos

Link:

https://www.filescan.io/uploads/6386613f5be128ac718fb2c2/reports/84ee74d2-f9f5-47cf-8da2-81d46ad889e7/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/672dd7f5-e5e8-4d87-b3cf-3e6b81db2e5a

Result

Threat name:

BitRAT, DBatLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1123497

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Hides threads from debuggers

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected BitRAT

Yara detected DBatLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f53107b892a50e33ff130e01cf391a2b69524dbe09b75cc13192365bbd6eda11/

Threat name:

Win32.Backdoor.Remcos

Status:

Malicious

First seen:

2022-11-29 15:32:18 UTC

File Type:

PE (Exe)

Extracted files:

107

AV detection:

16 of 24 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6uyqpoesuuhdh7ytbya46oi2fnuvetn6bg3vzqjrsi3fxplo3iiq._file

Verdict:

malicious

ModiLoader

1a28af1d858e4d8650c914eb319c09d28a50c262ce42d236737f3d38a617c99c

ModiLoader

362d3fd69c524f00f783eda97ea2229b80573d5cd1e849d3a0d6a17034ebd38a

ModiLoader

455043f1dd7882239a50cca55df4fbdf5cc5e04e305c7052346fc38c2aad015e

ModiLoader

4cd864cf3d39baff963a023423237dd164ce0e5de001d1397031b74c3b26691e

ModiLoader

5b1f1843bbb992e3d5c635aa69d8409de4ae4d3f04cf19994d8e953e99cf451a

ModiLoader

74bfe12181435ac80211c35fb1aa7955965d252ea6db5d12576a21d2590f7596

ModiLoader

9b60c965a1425ff01954ce6a917cb4486d5af5cb36f538233139042ea324a64e

ModiLoader

ab9041fe7e0a4a439521d6eb01cc16d74c00a0427c86b067120ac453ba7329d9

ModiLoader

fdeab1bddd43965a3ec2ed0a6001bc926a7f995bffc549b64379324374beac4b

ModiLoader

+ 2'776 additional samples on MalwareBazaar

Result

Malware family:

modiloader

Score:

10/10

Tags:

family:modiloader trojan

Link:

https://tria.ge/reports/221129-ygds2sad38/

Behaviour

ModiLoader Second Stage

ModiLoader, DBatLoader

Unpacked files

SH256 hash:

5c90e87df09275cfcb46e0452d77e149f3fbc59d55bda76e62e6fa11ae1de693

MD5 hash:

ee94f46ed9b387ad243c36c1cb062686

SHA1 hash:

6e0c4dc795dec2dce9454fbb246afabffd2039fc

Detections:

win_dbatloader_g1

Link:

https://www.unpac.me/results/e9db6710-6ede-444c-b7ad-36c3cb8c41a2/

Parent samples :

4ef967caea627a1b9cd7f74d31584b69d76f8c532cee528e8815c4f70ae24aa7
dc35d3d87c8f062b000472a46ec166c5bf8f399f95c02717eab4ce542043afd7
bb01ebad742a61a5aee09777d88a01e627d29171513c335f52c57c41c7e41ef4
0dec26f0ed31eafa41f5141a4342f84f5245ba6d097904ed1fdb11a6df1ce606
c2c6eec67a1561c3a49179ddf756480876d92588c2e83d64246a04c3d724cb3d
f53107b892a50e33ff130e01cf391a2b69524dbe09b75cc13192365bbd6eda11
9c9b7deb6e3b6b7154fb858a101eb57d65b57e364840213823ce5c8e0be1653e
109ab3837f865b4ba288ca4a1fa4e8d416c04b3686376c55128553d4a4db55b5
1fdbc93a0a891ff9ca424bb90bd696140b5918583ad6e0f2fcce012640cde8dd
230b07866371131de12907f26f06a9cfa27762c499f93cae840c198ea9e46846
494e56903190304bab1c27786bd1f60aeaede9b478b2bca17474602414b82688
db399100d63fa87dbc5d6596d2c44749c0cee86ea45d7e81206277c9cdacb9f1
16ba74e590acbf2a285ae1e15864ef7cdeff576542f0f430ab83481ea52b729a
ffa9f3d0e3d4d29b10cba30fe3394d538b8c415e9c29cf36a56990e9204ec7bf
0305b3a95aff122c888a200de747a565208ea19494c8257b0c972084141f42c4
c84d9cb4b4e037cbaf9632d4cdd0f493d2c5e0b5f6308fe97f84f04b501155c8
a9da7b242be8ba00f35c48183b953f5e792c948a57ed1043f6759a5b61f19d70
e7298f63b0ee46b470e6c7323087e2af9fe4802ed93674d1408f10d03989a7f6
e6303d0730eaecd16e8a3becf77fce3d5da13155d2e27e102ecc2b700ad42814
105ffb0a1b83441a798498a4b1a535fce7f496304b39bd555f18df3678f19c13
ca13eac154ad479e2234deac0f07989db25e4d50c47cdc7f4f31dd7ab71dc087
03daa8dcea75f814b344785dc1f52222cd4461bccc17a35f032efe81e47d18be
6246a9212db799df597fe34bcbeeeb08dad116b7cf3cd4c8037d42d1d0b4256a
aaa28e71ec8aad860fdc9f517c151b85be433e142160341f2aa399d9c60d11cf
f974cf4bda9a65b7a2573726e3808c696f6a5e54b89f08807764d9ab2a06a5c1
b8002e076820615fe2b14369e7d258ff2984cd832a38de4f1450b84813b283c5
de8c5c01bab7e747f3cd3f276d7cf3c839600131987cbcfcd5314f9af6d64b05
7cec52ddbd0c2037de1b4ad9eedcbedbfc005cb558c7f326dcf66c800e7875f1
91dd17921c69af057a78759611885bb04ebc68a9ec38ca08067c496f9e76a241
b0d85d76e52034986c3d4e165a745c04b3af21d1c5692719d1b66bceafc76423
af5ecbd67c2195a72178b6b0a886715d4b28fd064717dd3193a477563c5be6b6
7a91675248e7d9891570e731b1dce694054d9db90f14bb4a74d5a9fd571af758
878257b5d411ceedf80fcab13183bd22ea6183a86c8d5a99a7ff08dd01567fc0
c4cd277e81aec420cdf23a0d5ebff50b0d64dd9c6b3b1942567c263032f64deb

SH256 hash:

f53107b892a50e33ff130e01cf391a2b69524dbe09b75cc13192365bbd6eda11

MD5 hash:

84bf18cdc14d7e2c5311ff6cd071a0dc

SHA1 hash:

a784ef5651e7e1530d4e77ab9f7f3507b51d9e67

Detections:

DbatLoaderStage1

Link:

https://www.unpac.me/results/e9db6710-6ede-444c-b7ad-36c3cb8c41a2/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f53107b892a5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f53107b892a50e33ff130e01cf391a2b69524dbe09b75cc13192365bbd6eda11

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/339804/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample