MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e468c5eceadbcaa3798b2a065673d5e7b1d09880b4971bf0401eab9c8ffef95. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e468c5eceadbcaa3798b2a065673d5e7b1d09880b4971bf0401eab9c8ffef95
SHA3-384 hash: 759ec6275aa17c0bb2b4eb905dd7b2cc2647669a30dca460b4026aa58872902b36df56af1b9022a8b88e514ab9e72191
SHA1 hash: 92f787628dcf3a5cfdbaac2222930da6777c4594
MD5 hash: c65be480714f6d46cf6561a296f3d98b
humanhash: violet-tennis-johnny-bulldog
File name:0e468c5eceadbcaa3798b2a065673d5e7b1d09880b4971bf0401eab9c8ffef95
Download: download sample
Signature DBatLoader
Create hunting rule
File size:1'263'616 bytes
First seen:2023-08-29 16:27:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d0dfcbc350384b57e57b16f197fa626 (3 x DBatLoader, 2 x RemcosRAT, 1 x Formbook)
ssdeep 24576:swGq5fTk3ROmX7zJDltuqezXlu+VkGdKitox:swLfTcLzx38Vu+3EitK
Threatray 10 similar samples on MalwareBazaar
TLSH T17845E126E3F04532F1720934CCDBB668AC2DBD31BD186C8B5BF41D5A9B3A251781929F
TrID 74.5% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
12.2% (.EXE) InstallShield setup (43053/19/16)
4.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
3.7% (.SCR) Windows screen saver (13097/50/3)
1.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon 00c292d2d2d2d200 (3 x DBatLoader, 2 x RemcosRAT, 1 x NetWire)
Reporter Anonymous
Tags:DBatLoader exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
293
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0e468c5eceadbcaa3798b2a065673d5e7b1d09880b4971bf0401eab9c8ffef95
Verdict:
Malicious activity
Analysis date:
2023-08-29 16:28:50 UTC
Tags:
installer dbatloader
Link:
https://app.any.run/tasks/c3f4107a-9b69-4d35-94be-b2792b033308

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
ModiLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/445129/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader46.1838.15782.2672.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control keylogger lolbin overlay packed
Link:
https://www.filescan.io/uploads/64ee1c937444d2eb09f30643/reports/4e98a3e5-d546-44b4-a685-a6eb9a611b1a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/0e468c5eceadbcaa3798b2a065673d5e7b1d09880b4971bf0401eab9c8ffef95
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dbatloader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9e04c7d4-bf2f-4125-bd81-b8ca072fd041
Result
Threat name:
DBatLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1299681
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1299681 Sample: 4aUhTk3gSE.exe Startdate: 29/08/2023 Architecture: WINDOWS Score: 100 74 Found malware configuration 2->74 76 Malicious sample detected (through community Yara rule) 2->76 78 Antivirus detection for dropped file 2->78 80 6 other signatures 2->80 11 4aUhTk3gSE.exe 5 2->11         started        process3 dnsIp4 60 web.fe.1drv.com 11->60 62 wb1h1q.dm.files.1drv.com 11->62 64 2 other IPs or domains 11->64 54 C:\Users\Public\Libraries\netutils.dll, PE32+ 11->54 dropped 56 C:\Users\Public\Libraries\easinvoker.exe, PE32+ 11->56 dropped 86 Writes to foreign memory regions 11->86 88 Allocates memory in foreign processes 11->88 90 Injects a PE file into a foreign processes 11->90 16 cmd.exe 1 11->16         started        19 SndVol.exe 11->19         started        file5 signatures6 process7 signatures8 66 Uses ping.exe to sleep 16->66 68 Drops executables to the windows directory (C:\Windows) and starts them 16->68 70 Uses ping.exe to check the status of other devices and networks 16->70 21 easinvoker.exe 16->21         started        23 PING.EXE 1 16->23         started        26 xcopy.exe 2 16->26         started        31 8 other processes 16->31 29 WerFault.exe 9 19->29         started        process9 dnsIp10 33 cmd.exe 1 21->33         started        58 127.0.0.1 unknown unknown 23->58 36 conhost.exe 23->36         started        50 C:\Windows \System32\easinvoker.exe, PE32+ 26->50 dropped 52 C:\Windows \System32\netutils.dll, PE32+ 31->52 dropped file11 process12 signatures13 72 Adds a directory exclusion to Windows Defender 33->72 38 cmd.exe 1 33->38         started        41 conhost.exe 33->41         started        process14 signatures15 82 Adds a directory exclusion to Windows Defender 38->82 43 powershell.exe 22 38->43         started        46 WerFault.exe 41->46         started        process16 signatures17 84 DLL side loading technique detected 43->84 48 conhost.exe 43->48         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0e468c5eceadbcaa3798b2a065673d5e7b1d09880b4971bf0401eab9c8ffef95/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2023-08-29 12:42:29 UTC
File Type:
PE (Exe)
Extracted files:
74
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bzdiyxwovw6kun4ywkqgkzz5lz5r2cmibnexdpyeahvltsh756kq._file
Verdict:
malicious
Similar samples:
0a1d374fc74a19fafd920caee9a08e1a999e633d098b8ed02aebf7ad9a66281a
DBatLoader
53e4ef9bed0e669de506d72e339fa3f36534aef9d10519491d0f0acea27b8841
DBatLoader
61a3e788d1ae18d12df0bf7198a922c14e998c195b520a5543b43814b8bcbfa0
DBatLoader
781ffcd3281973496019906d76fc8c52786e7ab953292d8bab44865c8d6c9207
DBatLoader
88c7adf284249c1faec8614b563c2e31fc4fffdbc63bf81a1c0eda8446642178
DBatLoader
893c5f1c39d9fc4e2922b4b3f0d14e8d7e60ebcb8c64a32a7aa711c8a13cf37f
DBatLoader
8bf8b980381fd607ec9065bfbcd572973770ee77c815354a35455c10651516d5
DBatLoader
d7d47b0b0aa55363efdf394d4c3ad4dc6e175edb80e22ae6e7b37cf3bc1d32d1
DBatLoader
e4688b491eef2134a09a6c4061071f2de9d71df4c07f0aef23aef84f51688d38
DBatLoader
e9352253e3211314faee670cf457e3f6732d7d93eb52f46aebf4f79cb22cbf7e
DBatLoader
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader trojan
Link:
https://tria.ge/reports/230829-tynbladg54/
Behaviour
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Executes dropped EXE
Loads dropped DLL
ModiLoader Second Stage
ModiLoader, DBatLoader
Gathering data
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0e468c5ecead/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0e468c5eceadbcaa3798b2a065673d5e7b1d09880b4971bf0401eab9c8ffef95

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/445129/

Comments