MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f908905ade4100d20249cbcb62cbe7a03fc57ea9e8bdf4c50c3c901aee3c449e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f908905ade4100d20249cbcb62cbe7a03fc57ea9e8bdf4c50c3c901aee3c449e
SHA3-384 hash: 54c4a7f5557155f4fa9efde193cc114a158ef9954b0d9dcd0c836cd539573db61feb87c238a9dccfef8c4a93c67dc3a1
SHA1 hash: 7f6d3b418ce5c520645f5afcf1c40e1786d65f33
MD5 hash: b2e84f2375a8fa6b6d6634afe0f915d7
humanhash: lamp-orange-floor-potato
File name:BL P.O_pdf.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:1'067'520 bytes
First seen:2023-05-25 09:07:05 UTC
Last seen:2023-06-15 21:47:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b3b7f3046623191c43621fd310d374b1 (2 x AveMariaRAT, 2 x ModiLoader, 1 x Formbook)
ssdeep 24576:SSWrMz8C3kJ+VnkaJ56TxIN84Mm/31fb5GJ:SS0o8YXMFIN84X31fb5W
Threatray 731 similar samples on MalwareBazaar
TLSH T1D135AE62A3F014B3E12A28355C5BD7A8591D7E102934740DBFE63D98EF3B2827DA41D7
TrID 86.8% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
4.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.3% (.SCR) Windows screen saver (13097/50/3)
1.4% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon dcf4f4c2a4c4c2d0 (2 x ModiLoader, 1 x AveMariaRAT, 1 x Formbook)
Reporter lowmal3
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
270
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
BL P.O_pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-05-25 09:10:06 UTC
Tags:
dbatloader
Link:
https://app.any.run/tasks/96c148b7-5596-455f-8a9d-2d02d0cfe1d4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/391527/
Detection(s):
SecuriteInfo.com.HEUR.22243.17368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/87837/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware keylogger lolbin packed
Link:
https://www.filescan.io/uploads/646f25749621774aa98eee25/reports/a68223b5-f955-4638-8469-9aac2a81d99e/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/f908905ade4100d20249cbcb62cbe7a03fc57ea9e8bdf4c50c3c901aee3c449e
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dbatloader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/46356a2b-fab9-45b9-a486-7cc924afbc76
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1242276
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Detected unpacking (creates a PE file in dynamic memory)
Disables UAC (registry)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 875286 Sample: BL_P.O_pdf.exe Startdate: 25/05/2023 Architecture: WINDOWS Score: 100 81 Found malware configuration 2->81 83 Malicious sample detected (through community Yara rule) 2->83 85 Multi AV Scanner detection for submitted file 2->85 87 5 other signatures 2->87 10 BL_P.O_pdf.exe 1 10 2->10         started        15 Grudeznl.exe 2->15         started        17 Grudeznl.exe 2->17         started        process3 dnsIp4 71 web.fe.1drv.com 10->71 73 onedrive.live.com 10->73 75 2 other IPs or domains 10->75 59 C:\Users\Public\Libraries\netutils.dll, PE32+ 10->59 dropped 61 C:\Users\Public\Libraries\lnzedurG.pif, PE32 10->61 dropped 63 C:\Users\Public\Libraries\easinvoker.exe, PE32+ 10->63 dropped 65 2 other malicious files 10->65 dropped 103 Drops PE files with a suspicious file extension 10->103 105 Writes to foreign memory regions 10->105 107 Allocates memory in foreign processes 10->107 19 cmd.exe 3 10->19         started        22 lnzedurG.pif 10->22         started        109 Multi AV Scanner detection for dropped file 15->109 111 Machine Learning detection for dropped file 15->111 113 Creates a thread in another existing process (thread injection) 15->113 25 lnzedurG.pif 15->25         started        115 Injects a PE file into a foreign processes 17->115 27 lnzedurG.pif 17->27         started        file5 signatures6 process7 dnsIp8 89 Uses ping.exe to sleep 19->89 91 Drops executables to the windows directory (C:\Windows) and starts them 19->91 93 Uses ping.exe to check the status of other devices and networks 19->93 29 easinvoker.exe 19->29         started        31 PING.EXE 1 19->31         started        34 xcopy.exe 2 19->34         started        39 6 other processes 19->39 67 geoplugin.net 178.237.33.50, 49702, 80 ATOM86-ASATOM86NL Netherlands 22->67 69 hold.linkpc.net 79.142.69.160, 12797, 49701 ALTUSNL Netherlands 22->69 95 Detected unpacking (creates a PE file in dynamic memory) 22->95 37 cmd.exe 22->37         started        signatures9 process10 dnsIp11 41 cmd.exe 1 29->41         started        77 127.0.0.1 unknown unknown 31->77 55 C:\Windows \System32\easinvoker.exe, PE32+ 34->55 dropped 44 reg.exe 37->44         started        46 conhost.exe 37->46         started        57 C:\Windows \System32\netutils.dll, PE32+ 39->57 dropped file12 process13 signatures14 97 Suspicious powershell command line found 41->97 99 Adds a directory exclusion to Windows Defender 41->99 48 powershell.exe 19 41->48         started        51 conhost.exe 41->51         started        101 Disables UAC (registry) 44->101 process15 signatures16 79 DLL side loading technique detected 48->79 53 conhost.exe 48->53         started        process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f908905ade4100d20249cbcb62cbe7a03fc57ea9e8bdf4c50c3c901aee3c449e/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-05-25 05:35:02 UTC
File Type:
PE (Exe)
Extracted files:
51
AV detection:
18 of 34 (52.94%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7eejaww6ieaneasjzpfwfs7hua74k7vj5c67jrimhsibv3r4ispa._file
Verdict:
malicious
Similar samples:
039666bf733f469f7d30f350f124f8fdfac6e4160f12f1edb80e0dff3e457af3
ModiLoader
0d7e2ea0f8269d0474c2d8de97da80b4c1333185f2ee6a602f4eff6e71759153
ModiLoader
2a62b0901586adcfed9a57c10d5cdd13b53db183d52c9e3ab296df05d634b146
ModiLoader
8698f02ff192f743528ca13ac53580c8495237f8d4be7d22eabf71d0f1a89468
ModiLoader
c1d948fee0541e31cfa3affa9d99a6ad6cf287601f3ddae9238c3ca379a4686c
ModiLoader
c266fa606a35b4ede65ae441e448dfcbf63b7a4e52091be0a6dc013b3e93c1f8
ModiLoader
d061bccf32fbb8184f85439a17e4fcece7f816ea93681a80c7506e159f043cbf
ModiLoader
da38425cef4712b8fd31378e6576d94f01707bc7e52b6f70d782f7dc9c07e876
ModiLoader
f3a3371dbbdf89fca72ec55ee13431692ddb09a0f66e17ee3f2caed32352ab4e
ModiLoader
f983cdcb52e6144ba8a87fb6f8904f39d3626be45c1725bdb89a2522525f3a9b
ModiLoader
+ 721 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:mood evasion persistence rat trojan
Link:
https://tria.ge/reports/230525-k3wn4ahb28/
Behaviour
Enumerates system info in registry
Modifies registry key
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
UAC bypass
Malware Config
C2 Extraction:
hold.linkpc.net:12797
Unpacked files
SH256 hash:
f908905ade4100d20249cbcb62cbe7a03fc57ea9e8bdf4c50c3c901aee3c449e
MD5 hash:
b2e84f2375a8fa6b6d6634afe0f915d7
SHA1 hash:
7f6d3b418ce5c520645f5afcf1c40e1786d65f33
Detections:
DbatLoaderStage1
Create hunting rule
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/538feb5a-4eab-4df4-aa95-6d9697fe0aca/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CMD_Ping_Localhost
Create hunting rule
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

Executable exe f908905ade4100d20249cbcb62cbe7a03fc57ea9e8bdf4c50c3c901aee3c449e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/391527/

Comments