MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 052e1b54c491c63c662fa47b08b71ba2f2c25bbb20bca619893785b87f90257d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 15


Intelligence 15 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 052e1b54c491c63c662fa47b08b71ba2f2c25bbb20bca619893785b87f90257d
SHA3-384 hash: b347a20bec328dcc903842a0993bfa4a37e34fef9f182024ad842f84032a5a7ce40216dd0058b44028b33025fdd9d642
SHA1 hash: 558a575cf555ba5e5b8d8413126a8f153106f9ec
MD5 hash: fdf345d41630ebb0eb2fec26ffcd762f
humanhash: snake-mockingbird-whiskey-don
File name:ProposalALKI2023.pdf.exe
Download: download sample
Signature DBatLoader
Create hunting rule
File size:1'948'672 bytes
First seen:2023-10-25 17:11:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fa3b722e205828938fb31d64d4d39adc (1 x AgentTesla, 1 x DBatLoader)
ssdeep 24576:CZWP3Mm+MYaUVfsaH9EYmZBR4kfSQ/dTdXnZvjqhrycDeu+6yXVTBtnJfWLrgtbS:COMiYJ9EWYz3ZvOFqu+6yXIrg7dCb
Threatray 223 similar samples on MalwareBazaar
TLSH T1BB95F1FAE3F19837F06385309DDEC1747C6C7965BC49282B6AC50AEC5638AC2B52512F
TrID 36.1% (.SCR) Windows screen saver (13097/50/3)
29.0% (.EXE) Win64 Executable (generic) (10523/12/4)
12.4% (.EXE) Win32 Executable (generic) (4505/5/1)
5.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
5.6% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon 74f4d4dce4e4d4dc (1 x AgentTesla, 1 x DBatLoader)
Reporter malwarelabnet
Tags:DBatLoader exe ModiLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
356
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
ProposalALKI2023.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-10-25 17:11:48 UTC
Tags:
dbatloader formbook xloader
Link:
https://app.any.run/tasks/21488da2-0378-4cab-911e-0a89d288f01b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/456353/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.231.21187.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Gathering data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control keylogger lolbin masquerade overlay packed remcos
Link:
https://www.filescan.io/uploads/65394c64b972f2e9fdc38221/reports/ff7e17ce-d7e2-4601-8266-e51b88f27be4/overview
Verdict:
Malicious
Labled as:
Genie.Generic
Link:
https://www.hybrid-analysis.com/sample/052e1b54c491c63c662fa47b08b71ba2f2c25bbb20bca619893785b87f90257d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f5b165ef-6cbf-4ee7-8cb7-83fb6db8ef43
Result
Threat name:
DBatLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1332104
Signature
Adds a directory exclusion to Windows Defender
Allocates many large memory junks
Allocates memory in foreign processes
Detected unpacking (changes PE section rights)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Uses an obfuscated file name to hide its real file extension (double extension)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1332104 Sample: ProposalALKI2023.pdf.exe Startdate: 25/10/2023 Architecture: WINDOWS Score: 100 72 web.fe.1drv.com 2->72 74 onedrive.live.com 2->74 76 2 other IPs or domains 2->76 80 Malicious sample detected (through community Yara rule) 2->80 82 Multi AV Scanner detection for dropped file 2->82 84 Multi AV Scanner detection for submitted file 2->84 86 5 other signatures 2->86 12 ProposalALKI2023.pdf.exe 1 8 2->12         started        16 Jomsqjyz.PIF 2->16         started        18 Jomsqjyz.PIF 2->18         started        signatures3 process4 file5 64 C:\Users\Public\Libraries\zyjqsmoJ.pif, PE32 12->64 dropped 66 C:\Users\Public\Libraries\netutils.dll, PE32+ 12->66 dropped 68 C:\Users\Public\Libraries\easinvoker.exe, PE32+ 12->68 dropped 70 C:\Users\Public\Libraries\Jomsqjyz.PIF, PE32 12->70 dropped 106 Drops PE files with a suspicious file extension 12->106 108 Writes to foreign memory regions 12->108 110 Allocates memory in foreign processes 12->110 112 Allocates many large memory junks 12->112 20 cmd.exe 1 12->20         started        23 zyjqsmoJ.pif 12->23         started        114 Multi AV Scanner detection for dropped file 16->114 116 Machine Learning detection for dropped file 16->116 118 Sample uses process hollowing technique 16->118 25 zyjqsmoJ.pif 16->25         started        27 zyjqsmoJ.pif 18->27         started        signatures6 process7 signatures8 88 Uses ping.exe to sleep 20->88 90 Drops executables to the windows directory (C:\Windows) and starts them 20->90 92 Uses ping.exe to check the status of other devices and networks 20->92 29 easinvoker.exe 20->29         started        31 PING.EXE 1 20->31         started        34 xcopy.exe 2 20->34         started        39 8 other processes 20->39 94 Detected unpacking (changes PE section rights) 23->94 96 Maps a DLL or memory area into another process 23->96 98 Queues an APC in another process (thread injection) 23->98 37 KHBlOWLqwOTpZAKbOCIdBRg.exe 23->37 injected process9 dnsIp10 41 cmd.exe 1 29->41         started        78 127.0.0.1 unknown unknown 31->78 60 C:\Windows \System32\easinvoker.exe, PE32+ 34->60 dropped 44 WWAHost.exe 37->44         started        62 C:\Windows \System32\netutils.dll, PE32+ 39->62 dropped file11 process12 signatures13 102 Adds a directory exclusion to Windows Defender 41->102 46 cmd.exe 1 41->46         started        49 conhost.exe 41->49         started        104 Maps a DLL or memory area into another process 44->104 51 KHBlOWLqwOTpZAKbOCIdBRg.exe 44->51 injected 53 explorer.exe 44->53 injected process14 signatures15 120 Adds a directory exclusion to Windows Defender 46->120 55 powershell.exe 25 46->55         started        process16 signatures17 100 DLL side loading technique detected 55->100 58 conhost.exe 55->58         started        process18
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/052e1b54c491c63c662fa47b08b71ba2f2c25bbb20bca619893785b87f90257d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/052e1b54c491c63c662fa47b08b71ba2f2c25bbb20bca619893785b87f90257d/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2023-10-25 04:28:12 UTC
File Type:
PE (Exe)
Extracted files:
48
AV detection:
28 of 37 (75.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=auxbwvgeshddyzrpur5qrny3ulzmew53ec6kmgmjg6c3q74qev6q._file
Verdict:
malicious
Similar samples:
0319a48c8448490e40da6237039f578e079c17495c32356e5a03123976af3486
DBatLoader
036c6898af5b3d4003e544deb66eb29bd5a83c43903aac4667eb77e42169a6c4
DBatLoader
08a60f72793672599cf88d9c6c20eedc37ac6da248877a9a7345ab065bb769ea
DBatLoader
1355e7cc9be9bbd45a846e2c1bfd3f0ad58465e8e1fac10d0372ea3d8a2e8652
DBatLoader
218b06f1a24c05c5fa1480a3c0153957800fb882d977acd28eb4d853c976fb7a
DBatLoader
5e9fb70e299a28b494b0ef9522226219e4dbf7dcf1aeae541f23eaa90ff3f28f
DBatLoader
85d5d8fee53df94ccc480e1ad9cdc75f47f4db122d67ec5d4d95f93a551949d8
DBatLoader
9c91537c85883eeb9b15a6ead090c3b7ad260455f022562cac8abdbe92f65370
DBatLoader
a2ccfb3d7a86abe20bf59f9e50958e1c6bb130fb80034e33555d014933245b04
DBatLoader
fecb7826eb9472fa8b7a79c1029720e19f8e2deb1d2c57c8c6ebf66232ac7981
DBatLoader
+ 213 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader persistence spyware stealer trojan
Link:
https://tria.ge/reports/231025-vqtzvade5t/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
ModiLoader Second Stage
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
7c45bf2b96f83862d041b02f815b22013fc013c734aa23837da1a6265065c3fe
MD5 hash:
03f378057f182976ec0143a6067e6cea
SHA1 hash:
d4f55dd9e73995435d8a88d59388d05b2f1f4b64
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/cc99f28b-16c4-4413-88f6-cc795bb80844/
Parent samples :
1355e7cc9be9bbd45a846e2c1bfd3f0ad58465e8e1fac10d0372ea3d8a2e8652
052e1b54c491c63c662fa47b08b71ba2f2c25bbb20bca619893785b87f90257d
SH256 hash:
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
MD5 hash:
c116d3604ceafe7057d77ff27552c215
SHA1 hash:
452b14432fb5758b46f2897aeccd89f7c82a727d
Link:
https://www.unpac.me/results/cc99f28b-16c4-4413-88f6-cc795bb80844/
SH256 hash:
052e1b54c491c63c662fa47b08b71ba2f2c25bbb20bca619893785b87f90257d
MD5 hash:
fdf345d41630ebb0eb2fec26ffcd762f
SHA1 hash:
558a575cf555ba5e5b8d8413126a8f153106f9ec
Link:
https://www.unpac.me/results/cc99f28b-16c4-4413-88f6-cc795bb80844/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/052e1b54c491/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/052e1b54c491c63c662fa47b08b71ba2f2c25bbb20bca619893785b87f90257d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/456353/

Comments