MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06d75de3031e1429046bb404d0127f91737fae6178bc43bc06f7428a65c85572. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 06d75de3031e1429046bb404d0127f91737fae6178bc43bc06f7428a65c85572
SHA3-384 hash: df9c223310fc195f85b989f82be59edf257e5a162e83008a22b90f8739a4e5e83068f1419dc93dcc203565e76082598d
SHA1 hash: 2cdf7120453fdfab33614c259c9a5fcebffc96c7
MD5 hash: 56397a4e0e681c217aeb81677cba1b49
humanhash: freddie-whiskey-wisconsin-princess
File name:Zdgmvfcqtfvafchobtmhsprgqnvazumhuq.exe
Download: download sample
Signature DBatLoader
Create hunting rule
File size:950'272 bytes
First seen:2022-08-16 09:19:38 UTC
Last seen:2022-08-17 06:30:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6cde445dc291f5ffbd53965e21b4ef42 (4 x Formbook, 4 x DBatLoader, 2 x RemcosRAT)
ssdeep 24576:+Xgr/BEuCNYeA06CG7Dmo/KvouloQHO2XeLoPx10Ge:+XmSLMKfOLoJ
TLSH T16015AF39B2918872D1A72878CC1763E45C397C192D6C74476AD47F6CAF3B6207B392A3
TrID 44.6% (.EXE) InstallShield setup (43053/19/16)
14.7% (.EXE) Win32 Executable Delphi generic (14182/79/4)
13.5% (.SCR) Windows screen saver (13101/52/3)
10.9% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 74f48888868e88b4 (12 x SnakeKeylogger, 7 x Formbook, 5 x RemcosRAT)
Reporter lowmal3
Tags:DBatLoader exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
236
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Zdgmvfcqtfvafchobtmhsprgqnvazumhuq.exe
Verdict:
Suspicious activity
Analysis date:
2022-08-16 09:20:18 UTC
Tags:
installer
Link:
https://app.any.run/tasks/f56cb54f-f366-4102-aaae-75fd4dc6c0bd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/298983/
Detection(s):
SecuriteInfo.com.Malware.AI.42205434.15337.6754.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/29095/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm keylogger overlay
Link:
https://www.filescan.io/uploads/62fb6184493dc2f89c9b13cd/reports/fd3598a5-a792-4983-aa74-cb57ce68c4e6/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ec3c40ac-7813-4c66-84fa-96770cb0b7d4
Result
Threat name:
DBatLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1052160
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 684672 Sample: Zdgmvfcqtfvafchobtmhsprgqnv... Startdate: 16/08/2022 Architecture: WINDOWS Score: 100 48 www.dexfipro.com 2->48 82 Snort IDS alert for network traffic 2->82 84 Multi AV Scanner detection for domain / URL 2->84 86 Malicious sample detected (through community Yara rule) 2->86 88 7 other signatures 2->88 11 Zdgmvfcqtfvafchobtmhsprgqnvazumhuq.exe 1 17 2->11         started        16 Zdgmvfcqt.exe 14 2->16         started        signatures3 process4 dnsIp5 56 l-0003.l-dc-msedge.net 13.107.43.12, 443, 49766, 49772 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 11->56 58 l-0004.l-dc-msedge.net 13.107.43.13, 443, 49763, 49769 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 11->58 66 3 other IPs or domains 11->66 44 C:\Users\Public\Libraries\Zdgmvfcqt.exe, PE32 11->44 dropped 46 C:\Users\...\Zdgmvfcqt.exe:Zone.Identifier, ASCII 11->46 dropped 114 Contains functionality to inject threads in other processes 11->114 116 Writes to foreign memory regions 11->116 118 Allocates memory in foreign processes 11->118 18 calc.exe 11->18         started        60 onedrive.live.com 16->60 62 i9jypq.am.files.1drv.com 16->62 64 am-files.fe.1drv.com 16->64 120 Multi AV Scanner detection for dropped file 16->120 122 Creates a thread in another existing process (thread injection) 16->122 124 Injects a PE file into a foreign processes 16->124 21 calc.exe 16->21         started        file6 signatures7 process8 signatures9 74 Modifies the context of a thread in another process (thread injection) 18->74 76 Maps a DLL or memory area into another process 18->76 78 Sample uses process hollowing technique 18->78 80 2 other signatures 18->80 23 explorer.exe 18->23 injected process10 dnsIp11 50 nerocasa.com 198.54.115.74, 49939, 80 NAMECHEAP-NETUS United States 23->50 52 www.netelm.com 209.99.64.18, 49874, 80 CONFLUENCE-NETWORK-INCVG United States 23->52 54 7 other IPs or domains 23->54 98 System process connects to network (likely due to code injection or exploit) 23->98 27 Zdgmvfcqt.exe 14 23->27         started        31 help.exe 23->31         started        33 rundll32.exe 23->33         started        35 msdt.exe 23->35         started        signatures12 process13 dnsIp14 68 onedrive.live.com 27->68 70 l-0004.l-dc-msedge.net 27->70 72 3 other IPs or domains 27->72 100 Writes to foreign memory regions 27->100 102 Allocates memory in foreign processes 27->102 104 Creates a thread in another existing process (thread injection) 27->104 106 Injects a PE file into a foreign processes 27->106 37 rasphone.exe 27->37         started        108 Modifies the context of a thread in another process (thread injection) 31->108 110 Maps a DLL or memory area into another process 31->110 112 Tries to detect virtualization through RDTSC time measurements 31->112 40 cmd.exe 31->40         started        signatures15 process16 signatures17 90 Modifies the context of a thread in another process (thread injection) 37->90 92 Maps a DLL or memory area into another process 37->92 94 Sample uses process hollowing technique 37->94 96 Tries to detect virtualization through RDTSC time measurements 37->96 42 conhost.exe 40->42         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/06d75de3031e1429046bb404d0127f91737fae6178bc43bc06f7428a65c85572/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-08-16 09:20:11 UTC
File Type:
PE (Exe)
Extracted files:
52
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a3lv3yyddykcsbdlwqcnaet7sfzx7ltbpc6ehpag65biuzoikvza._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:modiloader campaign:o2e7 persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/220816-larp4saab8/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Formbook payload
Formbook
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
ab35d1c86eb576e4da8de7a8bf814ab5def5cbe7daca7824d2a2a951ac6b752f
MD5 hash:
6e47a8305a0d3fd72926bd8f79bc28d8
SHA1 hash:
88290246c797dc9ecf8fd641b7ccce8440b53247
Link:
https://www.unpac.me/results/fbda9d21-5bbd-4446-a341-a2122e365dde/
SH256 hash:
1aa0b0480f4a4a41977ee8725c0be025bf8ea30f83696633062d5741af8200af
MD5 hash:
1324549c176999f791dc1b3cb2eb1fc2
SHA1 hash:
11f4e74ba73cda5d6861fa5bf93dc5062a71e98f
Link:
https://www.unpac.me/results/fbda9d21-5bbd-4446-a341-a2122e365dde/
SH256 hash:
06d75de3031e1429046bb404d0127f91737fae6178bc43bc06f7428a65c85572
MD5 hash:
56397a4e0e681c217aeb81677cba1b49
SHA1 hash:
2cdf7120453fdfab33614c259c9a5fcebffc96c7
Link:
https://www.unpac.me/results/fbda9d21-5bbd-4446-a341-a2122e365dde/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/06d75de3031e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/06d75de3031e1429046bb404d0127f91737fae6178bc43bc06f7428a65c85572

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DBatLoader

Executable exe 06d75de3031e1429046bb404d0127f91737fae6178bc43bc06f7428a65c85572

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/298983/

Comments