MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f37fa613cb98bd77b01bb2bac0d7c18d5937798cde12cc3c36a123da0a811b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0f37fa613cb98bd77b01bb2bac0d7c18d5937798cde12cc3c36a123da0a811b3
SHA3-384 hash: c25af037d781060beb995cf10d419276df69e40833eb8402b83a81652205f5f814df5cac6b9850b2dc1086f659cf8877
SHA1 hash: 57bb63abde2d920d698f5e5748b8194ba7afdbe6
MD5 hash: f6354c2ef2d996b054f066f0072cd9d7
humanhash: lion-dakota-jig-connecticut
File name:HG098657890000090.exe
Download: download sample
Signature DBatLoader
Create hunting rule
File size:1'688'064 bytes
First seen:2023-12-22 06:53:53 UTC
Last seen:2023-12-22 08:19:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1f1558dc318775658cce6932cf4c21fd (1 x RemcosRAT, 1 x DBatLoader)
ssdeep 49152:Kf1bPEuYM3MOsXOarzpO2UCF9qVrOYWpEK:Kdbcux3LsJrzpO2UCF9qVrM
TLSH T1E675E133E169003FE22E503AD92F5498442D7F205C5CA89AE6E73D085FB1BB38577A76
TrID 86.8% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
4.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.3% (.SCR) Windows screen saver (13097/50/3)
1.4% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 34f0e28086998ce2 (1 x RemcosRAT, 1 x DBatLoader)
Reporter abuse_ch
Tags:DBatLoader exe RAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
288
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
ModiLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/468920/
Detection(s):
SecuriteInfo.com.Win32.SpywareX-gen.11530.4824.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control hook keylogger lolbin packed remcos
Link:
https://www.filescan.io/uploads/6585328bb855eb3693ed1b0d/reports/e681b278-a290-417c-86f6-af2ae7399b5e/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/0f37fa613cb98bd77b01bb2bac0d7c18d5937798cde12cc3c36a123da0a811b3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dbatloader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1bea4109-ad11-4158-8217-ce951dc73eaf
Result
Threat name:
Remcos, DBatLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1365986
Signature
Adds a directory exclusion to Windows Defender
Allocates many large memory junks
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to inject code into remote processes
Contains functionality to modify clipboard data
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Detected unpacking (creates a PE file in dynamic memory)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Snort IDS alert for network traffic
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1365986 Sample: HG098657890000090.exe Startdate: 22/12/2023 Architecture: WINDOWS Score: 100 73 web.fe.1drv.com 2->73 75 onedrive.live.com 2->75 77 5 other IPs or domains 2->77 91 Snort IDS alert for network traffic 2->91 93 Multi AV Scanner detection for domain / URL 2->93 95 Found malware configuration 2->95 97 10 other signatures 2->97 12 HG098657890000090.exe 1 8 2->12         started        17 Gwezidmx.PIF 2->17         started        19 Gwezidmx.PIF 2->19         started        signatures3 process4 dnsIp5 85 dual-spov-0006.spov-msedge.net 13.107.139.11, 443, 49729, 49730 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 12->85 65 C:\Users\Public\Libraries\xmdizewG.pif, PE32 12->65 dropped 67 C:\Users\Public\Libraries\netutils.dll, PE32+ 12->67 dropped 69 C:\Users\Public\Libraries\easinvoker.exe, PE32+ 12->69 dropped 71 C:\Users\Public\Librariesbehaviorgraphwezidmx.PIF, PE32 12->71 dropped 117 Drops PE files with a suspicious file extension 12->117 119 Writes to foreign memory regions 12->119 121 Allocates memory in foreign processes 12->121 21 xmdizewG.pif 2 12->21         started        24 cmd.exe 1 12->24         started        87 13.107.137.11, 443, 49738, 49739 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 17->87 123 Multi AV Scanner detection for dropped file 17->123 125 Machine Learning detection for dropped file 17->125 127 Allocates many large memory junks 17->127 26 xmdizewG.pif 17->26         started        30 xmdizewG.pif 19->30         started        file6 signatures7 process8 dnsIp9 99 Contains functionality to bypass UAC (CMSTPLUA) 21->99 101 Detected unpacking (creates a PE file in dynamic memory) 21->101 103 Contains functionalty to change the wallpaper 21->103 113 8 other signatures 21->113 32 iexplore.exe 21->32         started        105 Uses ping.exe to sleep 24->105 107 Drops executables to the windows directory (C:\Windows) and starts them 24->107 109 Uses ping.exe to check the status of other devices and networks 24->109 34 easinvoker.exe 24->34         started        36 PING.EXE 1 24->36         started        39 xcopy.exe 2 24->39         started        42 8 other processes 24->42 81 107.175.229.139, 49742, 8087 AS-COLOCROSSINGUS United States 26->81 83 geoplugin.net 178.237.33.50, 49743, 80 ATOM86-ASATOM86NL Netherlands 26->83 63 C:\ProgramData\remcos\logs.dat, data 26->63 dropped 111 Installs a global keyboard hook 26->111 file10 signatures11 process12 dnsIp13 44 WerFault.exe 22 16 32->44         started        46 cmd.exe 1 34->46         started        79 127.0.0.1 unknown unknown 36->79 59 C:\Windows \System32\easinvoker.exe, PE32+ 39->59 dropped 61 C:\Windows \System32\netutils.dll, PE32+ 42->61 dropped file14 process15 signatures16 129 Adds a directory exclusion to Windows Defender 46->129 49 cmd.exe 1 46->49         started        52 conhost.exe 46->52         started        process17 signatures18 89 Adds a directory exclusion to Windows Defender 49->89 54 powershell.exe 27 49->54         started        process19 signatures20 115 DLL side loading technique detected 54->115 57 conhost.exe 54->57         started        process21
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0f37fa613cb98bd77b01bb2bac0d7c18d5937798cde12cc3c36a123da0a811b3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0f37fa613cb98bd77b01bb2bac0d7c18d5937798cde12cc3c36a123da0a811b3/
Threat name:
Win32.Trojan.ModiLoader
Create hunting rule
Status:
Malicious
First seen:
2023-12-21 07:16:32 UTC
File Type:
PE (Exe)
Extracted files:
48
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b437uyj4xgf5o6ybxmv2ydl4ddkzg54yzxqszq6dnijd3ificgzq._file
Verdict:
malicious
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:dollar persistence rat trojan
Link:
https://tria.ge/reports/231222-hn7rpsbcbq/
Behaviour
Enumerates system info in registry
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
107.175.229.139:8087
Unpacked files
SH256 hash:
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
MD5 hash:
c116d3604ceafe7057d77ff27552c215
SHA1 hash:
452b14432fb5758b46f2897aeccd89f7c82a727d
Link:
https://www.unpac.me/results/17427053-aca3-415e-ae4c-dca0023f9288/
SH256 hash:
935302cf636156b9224b38aab69784e748671da73de2adeb6cc6bd6577bd73d1
MD5 hash:
ec349778a84919bddc6f5510de515db3
SHA1 hash:
a0647e5ba81cf984659a70390e89a4b2d00c3342
Detections:
win_dbatloader_g1
Create hunting rule
MALWARE_Win_ModiLoader
Create hunting rule
Link:
https://www.unpac.me/results/17427053-aca3-415e-ae4c-dca0023f9288/
SH256 hash:
0f37fa613cb98bd77b01bb2bac0d7c18d5937798cde12cc3c36a123da0a811b3
MD5 hash:
f6354c2ef2d996b054f066f0072cd9d7
SHA1 hash:
57bb63abde2d920d698f5e5748b8194ba7afdbe6
Link:
https://www.unpac.me/results/17427053-aca3-415e-ae4c-dca0023f9288/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0f37fa613cb9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0f37fa613cb98bd77b01bb2bac0d7c18d5937798cde12cc3c36a123da0a811b3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DBatLoader

Executable exe 0f37fa613cb98bd77b01bb2bac0d7c18d5937798cde12cc3c36a123da0a811b3

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/468920/

Comments