MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f7841777611acb2e73e3d7e6596ed5359870d40d7d44338658163974538fe340. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ModiLoader

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	f7841777611acb2e73e3d7e6596ed5359870d40d7d44338658163974538fe340
SHA3-384 hash:	3a628d7823e3e70154092a4cb09d9e18c42f0be156b752b8e08c915fa6839c5db953cd69b017a77cd62d924fdceefaed
SHA1 hash:	1a5de9b4429c0c7e2b888f799e310fea6ba404f5
MD5 hash:	3d741e7270be70d772e5abda42348fd3
humanhash:	mississippi-lamp-rugby-london
File name:	file
Download:	download sample
Signature	ModiLoader Create hunting rule
File size:	978'944 bytes
First seen:	2022-10-10 14:21:12 UTC
Last seen:	2022-10-11 10:14:00 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	faa13790e0ceb8f1607ec55da2778103 (3 x ModiLoader)
ssdeep	24576:satTADYIErC0I2D3QauLMMQUtVSn52Ao:stxnLm+Sn52A
Threatray	161 similar samples on MalwareBazaar
TLSH	T1EF25BF22F2D08933C167297C4D4F83B89CEABE112E247A8627E52D4C5F76B517D253A3
TrID	26.5% (.EXE) Win32 Executable Delphi generic (14182/79/4) 24.5% (.SCR) Windows screen saver (13101/52/3) 19.7% (.EXE) Win64 Executable (generic) (10523/12/4) 8.4% (.EXE) Win32 Executable (generic) (4505/5/1) 5.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):
dhash icon	c4b3d9cde5f1bedc (1 x ModiLoader)
Reporter	andretavare5
Tags:	exe ModiLoader

andretavare5

Sample downloaded from https://vk.com/doc638734270_651367574?hash=9ieZzBQsn3WTScVDZZP880fh0876bEyPz5mpCAWRrAw&dl=GYZTQNZTGQZDOMA:1665410839:RH0uv3ttV0aJjYovOJ9rOCkC7J75UBNd7lSOvO6HgBs&api=1&no_preview=1#new

Intelligence

File Origin

# of uploads :

470

# of downloads :

202

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

socelars

ID:

File name:

Setup.exe

Verdict:

Malicious activity

Analysis date:

2022-10-11 06:05:38 UTC

Tags:

evasion opendir trojan socelars stealer loader raccoon recordbreaker rat redline

Link:

https://app.any.run/tasks/fa040c49-9858-4be5-a1c6-93b42e90d342

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/318478/

Detection(s):

SecuriteInfo.com.Win32.InjectorX-gen.30072.29162.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

Creating a file

Launching a process

Creating a process with a hidden window

Creating a file in the system32 subdirectories

DNS request

Sending a custom TCP request

Creating a file in the %AppData% subdirectories

Moving a file to the %AppData% subdirectory

Using the Windows Management Instrumentation requests

Reading critical registry keys

Query of malicious DNS domain

Sending a TCP request to an infection source

Stealing user critical data

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/42263/overview

Behaviour

MalwareBazaar

CheckScreenResolution

CheckCmdLine

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

80%

Tags:

keylogger packed shell32.dll wscript.exe

Link:

https://www.filescan.io/uploads/63442a8b242f0a868b11e89d/reports/b2b5a4b6-b8ea-4dab-8f42-5ff0ca39cc36/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d3f31f5d-bafb-4f01-b2db-af1209592bcc

Result

Threat name:

DBatLoader

Detection:

malicious

Classification:

troj.expl.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/1087154

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f7841777611acb2e73e3d7e6596ed5359870d40d7d44338658163974538fe340/

Threat name:

Win32.Trojan.Bingoml

Status:

Malicious

First seen:

2022-10-10 14:22:10 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=66cbo53bdlfs447d27tfs3wvgwmhbvanpvcdhbsycy4xiu4p4naa._file

Verdict:

malicious

ModiLoader

42dab012fe2a77f42f3021e2f31128ac964eb588b9e31736544fc4f789159197

ModiLoader

7889fbae0f292b70c50119b5069bb64425189c59c818336bb49c9c5638edbe03

ModiLoader

a6fc491d6d097332f35d3ffaa4a31ecafd1b114cdccee11f627e3bde36a7bfd3

ModiLoader

bb95ccaab5ce2f87f0fc110601b059f67425defa9ebcbaa4b106fc763a477f7c

ModiLoader

d633169a59bd0ecaeda8ed764374657efdf49d963f66f8949efcb2549707d498

ModiLoader

f2ce7756c2480374eb046877c871235d23b9b7b5e2b3cbf32b2608070399efd1

ModiLoader

+ 151 additional samples on MalwareBazaar

Result

Malware family:

modiloader

Score:

10/10

Tags:

family:modiloader discovery spyware stealer trojan

Link:

https://tria.ge/reports/221010-rpjwpsccgp/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of web browsers

Blocklisted process makes network request

ModiLoader Second Stage

ModiLoader, DBatLoader

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/83f70046-efd8-44b6-bc99-a929fd344557

Unpacked files

SH256 hash:

c54e00ceeec27e2b0624e5b630b1ace61537ad33da437185405dbc70a666623f

MD5 hash:

f07429fc678461954273bff02af63983

SHA1 hash:

439c7c989252dc0a4b257c4214f82e3bf0df7d96

Detections:

win_dbatloader_g1

Link:

https://www.unpac.me/results/2994b51c-b32b-4645-8dc3-23c35ac64797/

Parent samples :

27d32b2af6392daaa9d08da8dec30cf109e82da5778ab1c7db87be3c8cc91502
0866f6ad4a9533fb2f28aab0e42c72c8127c4f7fbd5fea2332747e0ddc169da7
f7841777611acb2e73e3d7e6596ed5359870d40d7d44338658163974538fe340
2d3944cb25f2bf75d15aa54edc421c7ea48528a72369d0662dc6c87c257cebf6

SH256 hash:

f7841777611acb2e73e3d7e6596ed5359870d40d7d44338658163974538fe340

MD5 hash:

3d741e7270be70d772e5abda42348fd3

SHA1 hash:

1a5de9b4429c0c7e2b888f799e310fea6ba404f5

Detections:

DbatLoaderStage1

Link:

https://www.unpac.me/results/2994b51c-b32b-4645-8dc3-23c35ac64797/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f7841777611a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

DBatLoader

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f7841777611acb2e73e3d7e6596ed5359870d40d7d44338658163974538fe340

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/318478/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample