MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ce551359d7ccdbc2a019cba29ce1491c8aa4bc48176e9e4cd69b948bb702526. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0ce551359d7ccdbc2a019cba29ce1491c8aa4bc48176e9e4cd69b948bb702526
SHA3-384 hash: 9db3d011883c45aa2b89b1db3e4084335dac84ea44e179be266cf0e6abc8ca4fd633132c8c128f6af1b6cb9d7946e032
SHA1 hash: bb07c259033d2b23d67d5e5cb11fb3f07c85a764
MD5 hash: 3d42f0d709f574f06d308df64dfc2932
humanhash: butter-kansas-blossom-nitrogen
File name:RFQ_3247 B.exe
Download: download sample
Signature DBatLoader
Create hunting rule
File size:950'272 bytes
First seen:2022-08-17 07:16:07 UTC
Last seen:2022-09-06 05:53:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6cde445dc291f5ffbd53965e21b4ef42 (4 x Formbook, 4 x DBatLoader, 2 x RemcosRAT)
ssdeep 24576:+Xgr/BEuCNYeA06CG7Dmo/KvouloQHO2XeLoPx1+Ge:+XmSLMKfOLoJ
TLSH T1E715BF3EB2918872D1A32579CC1A63E46C3D7C262D6C74472AD52E9C6F37B407B352A3
TrID 44.6% (.EXE) InstallShield setup (43053/19/16)
14.7% (.EXE) Win32 Executable Delphi generic (14182/79/4)
13.5% (.SCR) Windows screen saver (13101/52/3)
10.9% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 74f48888868e88b4 (12 x SnakeKeylogger, 7 x Formbook, 5 x RemcosRAT)
Reporter GovCERT_CH
Tags:DBatLoader exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
223
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
RFQ_3247 B.exe
Verdict:
Malicious activity
Analysis date:
2022-08-17 02:00:38 UTC
Tags:
installer formbook
Link:
https://app.any.run/tasks/57dfe08a-507c-4319-b6ea-f227c42620f5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/299205/
Detection(s):
SecuriteInfo.com.Malware.AI.42205434.15337.6754.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/29194/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm keylogger overlay
Link:
https://www.filescan.io/uploads/62fc963a0dba786c1d37bd00/reports/a545a102-6ba9-4ac4-bee8-a31e172a7bb9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5618aaa9-7c0e-4591-81dc-f3111083ddd0
Result
Threat name:
DBatLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1052631
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 685148 Sample: RFQ_3247 B.exe Startdate: 17/08/2022 Architecture: WINDOWS Score: 100 73 Malicious sample detected (through community Yara rule) 2->73 75 Antivirus detection for URL or domain 2->75 77 Multi AV Scanner detection for submitted file 2->77 79 6 other signatures 2->79 10 RFQ_3247 B.exe 1 17 2->10         started        process3 dnsIp4 59 onedrive.live.com 10->59 61 i9iuxg.am.files.1drv.com 10->61 63 am-files.fe.1drv.com 10->63 41 C:\Users\Public\Libraries\Zckszsizi.exe, PE32 10->41 dropped 43 C:\Users\...\Zckszsizi.exe:Zone.Identifier, ASCII 10->43 dropped 99 Writes to foreign memory regions 10->99 101 Allocates memory in foreign processes 10->101 103 Creates a thread in another existing process (thread injection) 10->103 105 Injects a PE file into a foreign processes 10->105 15 rasphone.exe 10->15         started        file5 signatures6 process7 signatures8 107 Modifies the context of a thread in another process (thread injection) 15->107 109 Maps a DLL or memory area into another process 15->109 111 Sample uses process hollowing technique 15->111 113 2 other signatures 15->113 18 explorer.exe 15->18 injected process9 dnsIp10 45 www.lijifs.com 107.167.14.123, 49751, 80 ST-BGPUS United States 18->45 81 System process connects to network (likely due to code injection or exploit) 18->81 22 Zckszsizi.exe 14 18->22         started        26 Zckszsizi.exe 14 18->26         started        28 control.exe 18->28         started        30 3 other processes 18->30 signatures11 process12 dnsIp13 47 onedrive.live.com 22->47 49 i9iuxg.am.files.1drv.com 22->49 51 am-files.fe.1drv.com 22->51 83 Multi AV Scanner detection for dropped file 22->83 85 Writes to foreign memory regions 22->85 87 Allocates memory in foreign processes 22->87 32 calc.exe 22->32         started        53 192.168.2.1 unknown unknown 26->53 55 onedrive.live.com 26->55 57 2 other IPs or domains 26->57 89 Creates a thread in another existing process (thread injection) 26->89 91 Injects a PE file into a foreign processes 26->91 35 calc.exe 26->35         started        93 Modifies the context of a thread in another process (thread injection) 28->93 95 Maps a DLL or memory area into another process 28->95 97 Tries to detect virtualization through RDTSC time measurements 28->97 37 cmd.exe 28->37         started        signatures14 process15 signatures16 65 Modifies the context of a thread in another process (thread injection) 32->65 67 Maps a DLL or memory area into another process 32->67 69 Sample uses process hollowing technique 32->69 71 Tries to detect virtualization through RDTSC time measurements 32->71 39 conhost.exe 37->39         started        process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0ce551359d7ccdbc2a019cba29ce1491c8aa4bc48176e9e4cd69b948bb702526/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-08-16 09:42:37 UTC
File Type:
PE (Exe)
Extracted files:
52
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=btsvcnm5ptg3ykqbts5cttqushekus6eqf3otzgnng4uro3qeuta._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:modiloader campaign:p2e7 persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/220817-h4cw9sccgr/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Formbook payload
Formbook
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
1aa0b0480f4a4a41977ee8725c0be025bf8ea30f83696633062d5741af8200af
MD5 hash:
1324549c176999f791dc1b3cb2eb1fc2
SHA1 hash:
11f4e74ba73cda5d6861fa5bf93dc5062a71e98f
Link:
https://www.unpac.me/results/af32e298-87c6-4e50-937c-7d7c1573d835/
SH256 hash:
697c4987985b7a59a70bbe73f454bb1448811502f312d72c2154cff7fc2bdd35
MD5 hash:
aad27cd64b1c825700153eee1b138157
SHA1 hash:
119d55208a1ffea101c657702d61c8bf7dcc3ad0
Link:
https://www.unpac.me/results/af32e298-87c6-4e50-937c-7d7c1573d835/
SH256 hash:
0ce551359d7ccdbc2a019cba29ce1491c8aa4bc48176e9e4cd69b948bb702526
MD5 hash:
3d42f0d709f574f06d308df64dfc2932
SHA1 hash:
bb07c259033d2b23d67d5e5cb11fb3f07c85a764
Link:
https://www.unpac.me/results/af32e298-87c6-4e50-937c-7d7c1573d835/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0ce551359d7c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0ce551359d7ccdbc2a019cba29ce1491c8aa4bc48176e9e4cd69b948bb702526

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DBatLoader

Executable exe 0ce551359d7ccdbc2a019cba29ce1491c8aa4bc48176e9e4cd69b948bb702526

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/299205/

Comments