MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0dfd9f9027f0f6eeb381e55a0668b5b5a146fd4310f10edceeda4454eeaab924. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0dfd9f9027f0f6eeb381e55a0668b5b5a146fd4310f10edceeda4454eeaab924
SHA3-384 hash: bea0ace47c8a14a8220e26f9ade6ffe9a8a4f7636bbf0883870785a7cd6e86119afb1755c3d1dfbc0251a7852dff933f
SHA1 hash: f4ca0a792e19daf5a6e838dfa1d33f21fc35c2fc
MD5 hash: 69698b1084f80519abf68bbbb3e9211f
humanhash: december-twenty-jig-yellow
File name:0dfd9f9027f0f6eeb381e55a0668b5b5a146fd4310f10edceeda4454eeaab924
Download: download sample
Signature DBatLoader
Create hunting rule
File size:1'530'880 bytes
First seen:2025-09-05 13:17:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ccc8dfebc5d9971e8491d80ecc850a15 (2 x RemcosRAT, 2 x DBatLoader, 1 x AgentTesla)
ssdeep 24576:JQbOxJTUrWuZt3xyPyoUkEmMAYEz+KBEO9OtBC3OMOR/kR+:JnYXxyPvUkEJAZmOeBC3ODFkR+
Threatray 836 similar samples on MalwareBazaar
TLSH T10A65E032A6E04A33D0222575EC5BD7E8D919BD203E6DF82636EC3F8C4F34692791519B
TrID 52.0% (.EXE) InstallShield setup (43053/19/16)
12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
12.0% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
5.4% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter adrian__luca
Tags:DBatLoader exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
50
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0dfd9f9027f0f6eeb381e55a0668b5b5a146fd4310f10edceeda4454eeaab924
Verdict:
No threats detected
Analysis date:
2025-09-05 21:02:56 UTC
Tags:
delphi
Link:
https://app.any.run/tasks/05a7afda-6f28-42f8-b3bf-df9ba16b4a09

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/25657/
Detection(s):
Win.Trojan.Modiloader-10042434-0
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68bae341eb163e0ec18485ec
Tags:
delphi emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file
Creating a process from a recently created file
Sending a custom TCP request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context agenttesla borland_delphi fingerprint keylogger modiloader obfuscated remcos
Link:
https://www.filescan.io/uploads/68baf39920d0ee406d96c79c/reports/9249a9fd-0ae5-4f3c-ad0d-03ef5613f5b8/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/0dfd9f9027f0f6eeb381e55a0668b5b5a146fd4310f10edceeda4454eeaab924
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-08-24T20:37:00Z UTC
Last seen:
2025-08-24T20:37:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/0dfd9f9027f0f6eeb381e55a0668b5b5a146fd4310f10edceeda4454eeaab924/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/64b41aaa-a618-4e54-995b-f9bb65adee2b
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0dfd9f9027f0f6eeb381e55a0668b5b5a146fd4310f10edceeda4454eeaab924
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/69698b1084f80519abf68bbbb3e9211f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0dfd9f9027f0f6eeb381e55a0668b5b5a146fd4310f10edceeda4454eeaab924/
Threat name:
Win32.Trojan.ModiLoader
Create hunting rule
Status:
Malicious
First seen:
2025-08-25 03:27:58 UTC
File Type:
PE (Exe)
Extracted files:
43
AV detection:
31 of 38 (81.58%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bx6z7ebh6d3o5m4b4vnam2fvwwqun7kdcdyq5xho3jcfj3vkxesa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
dbatloader
Create hunting rule
Similar samples:
0002a2f7d00d1d6c5289a0c6915c6a761145586b191c03d6ae9320ac487c9ed3
DBatLoader
1626575d77b31d3b8cfebf81867d2dd2da280a4b83ab74a2852bc26143ca8aef
DBatLoader
17269b07f8f2f16e1d2139282f27e99834c34ed76548851a229bbe59832cb552
DBatLoader
268b6fdc221050949a2b624983380cd3fb268fecef2f5bb3a15d91611f3d8092
DBatLoader
2b2813d971b9a081db71183c0687b4a80b423a1228617b13a13f1baaa6ba9158
DBatLoader
5ee4fc645fa88cd85eddc57b9fc28733a891d0bb84a648a560264b983b9c5488
DBatLoader
60a8f087ea808e50d83e20099aa2fbedcd15bfb580f1524db4dc9e4a757d32d5
DBatLoader
69a9b6e531a91d616c9d7405206f87b73b851e894e452cde8f4a16ebddd98156
DBatLoader
cf77ea3d603cf9d76cac65e60a4d53dfbc850631f77c24784361e6f8984c9798
DBatLoader
ea710abc03bb6f1d7bb3045bfbbf6450e49fbaea858df1fef7563d525d708c0c
DBatLoader
error
DBatLoader
+ 826 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader discovery trojan
Link:
https://tria.ge/reports/250905-rq8w8ayjs6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Executes dropped EXE
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Verdict:
Malicious
Tags:
Win.Trojan.Modiloader-10042434-0
YARA:
n/a
Link:
https://app.threat.zone/submission/d1cb3e7b-b0bf-4089-968e-7fe4e1363ac5
Unpacked files
SH256 hash:
0dfd9f9027f0f6eeb381e55a0668b5b5a146fd4310f10edceeda4454eeaab924
MD5 hash:
69698b1084f80519abf68bbbb3e9211f
SHA1 hash:
f4ca0a792e19daf5a6e838dfa1d33f21fc35c2fc
Link:
https://www.unpac.me/results/393cf62f-0d0e-4458-90ba-6a3b39570b6f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0dfd9f9027f0f6eeb381e55a0668b5b5a146fd4310f10edceeda4454eeaab924

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/25657/

Comments