MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0fcbcb5c98c97d26b4df12fc4b1f18c926df5e943b6cad241836985f5da0290e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0fcbcb5c98c97d26b4df12fc4b1f18c926df5e943b6cad241836985f5da0290e
SHA3-384 hash: e1ead8e5f41efcff171e3ff644339729ad2dd3a40a78c3a679cd813425c6f5053815d890fdfeba20542ce185c5e47ff4
SHA1 hash: 19df745007c4edbb727851db3c65290620389a20
MD5 hash: c7fcb915a272045036e5d8e0de23fd5a
humanhash: happy-ack-victor-diet
File name:Wblxhuaksujvhq.exe
Download: download sample
Signature DBatLoader
Create hunting rule
File size:1'612'800 bytes
First seen:2023-10-05 07:27:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0d86e42911c69e10a0bac6a25141540c (1 x DBatLoader, 1 x RemcosRAT, 1 x Formbook)
ssdeep 24576:PQYmRM7kYk7XW+LLkxodkG16Be0jsb/ipPUVRWn6MgnVyZk1J3Hu9kQ9:PQwuBkxcGk1JrQ
TLSH T1CE75BFF4A350BC74E0562A34AC45ABD5C57738C53A4D588DD2ECBBFA39B23A12A1C05F
TrID 36.1% (.SCR) Windows screen saver (13097/50/3)
29.0% (.EXE) Win64 Executable (generic) (10523/12/4)
12.4% (.EXE) Win32 Executable (generic) (4505/5/1)
5.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
5.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon d8dcfcdcdcdcd4d4 (6 x DBatLoader, 4 x Formbook, 2 x RemcosRAT)
Reporter spatronn2
Tags:DBatLoader exe


Avatar
spatronn2
Sample : https://torna.ydns.eu/on/bsv/

Intelligence

File Origin
# of uploads :
1
# of downloads :
275
Origin country :
TR TR
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
Dekont1.vbs
Verdict:
Malicious activity
Analysis date:
2023-10-05 07:27:24 UTC
Tags:
opendir loader dbatloader rat remcos remote keylogger
Link:
https://app.any.run/tasks/530561e6-646b-47e6-9209-2acbec016b2d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.18786.24889.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Gathering data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control keylogger lolbin
Link:
https://www.filescan.io/uploads/651e658340343f27c672b25c/reports/f09131ce-e99a-46b5-b053-502fac304778/overview
Verdict:
Malicious
Labled as:
Jaik.Generic
Link:
https://www.hybrid-analysis.com/sample/0fcbcb5c98c97d26b4df12fc4b1f18c926df5e943b6cad241836985f5da0290e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
IEInspector Software
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/b52c28fe-a809-40c7-82ee-4cc1c4b1ff87
Result
Threat name:
Remcos, DBatLoader
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1319944
Signature
Allocates many large memory junks
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1319944 Sample: Wblxhuaksujvhq.exe Startdate: 05/10/2023 Architecture: WINDOWS Score: 100 45 Multi AV Scanner detection for domain / URL 2->45 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 9 other signatures 2->51 6 Wblxhuaksujvhq.exe 1 2 2->6         started        11 Wblxhuak.PIF 2->11         started        13 Wblxhuak.PIF 2->13         started        process3 dnsIp4 27 web.fe.1drv.com 6->27 35 3 other IPs or domains 6->35 25 C:\Users\Public\Libraries\Wblxhuak.PIF, PE32 6->25 dropped 53 Drops PE files with a suspicious file extension 6->53 55 Writes to foreign memory regions 6->55 57 Allocates memory in foreign processes 6->57 59 Allocates many large memory junks 6->59 15 SndVol.exe 3 17 6->15         started        29 192.168.2.1 unknown unknown 11->29 31 web.fe.1drv.com 11->31 37 3 other IPs or domains 11->37 61 Antivirus detection for dropped file 11->61 63 Multi AV Scanner detection for dropped file 11->63 65 Machine Learning detection for dropped file 11->65 19 SndVol.exe 11->19         started        33 web.fe.1drv.com 13->33 39 3 other IPs or domains 13->39 67 Injects a PE file into a foreign processes 13->67 21 colorcpl.exe 13->21         started        file5 signatures6 process7 dnsIp8 41 tornado.ydns.eu 193.42.32.61, 1972, 49796 EENET-ASEE Germany 15->41 43 geoplugin.net 178.237.33.50, 49797, 80 ATOM86-ASATOM86NL Netherlands 15->43 23 C:\ProgramData\remcos\logs.dat, data 15->23 dropped file9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0fcbcb5c98c97d26b4df12fc4b1f18c926df5e943b6cad241836985f5da0290e/
Threat name:
Win32.Trojan.Malgent
Create hunting rule
Status:
Malicious
First seen:
2023-10-05 07:28:05 UTC
File Type:
PE (Exe)
Extracted files:
46
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b7f4wxeyzf6snng7cl6ewhyyzetn6xuuhnwk2jayg2mf6xnafeha._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:eu persistence rat trojan
Link:
https://tria.ge/reports/231005-janmcabc39/
Behaviour
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
tornado.ydns.eu:1972
orifak.ydns.eu:1972
rdpown.ydns.eu:1972
Unpacked files
SH256 hash:
b080e4d8ad106ff6d1ae1a219e91091b85f9fdeaf28ff1b220b0f5be8e37e75a
MD5 hash:
7869d74b0eed954b07c7bdcf84e0ed8c
SHA1 hash:
f85663aaac2045335cc4673caba9ca0b27d7dffe
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/911aec41-07bc-410b-8c44-dfbf173dadf5/
SH256 hash:
4ca7df18540a624579df2365ecaaefff78791a82a14b05b05f589117d1ce6536
MD5 hash:
89b8efe3bbfde91d857ad68abde91729
SHA1 hash:
25ad109b5cffc723eee6d4044b518802227330b3
Link:
https://www.unpac.me/results/911aec41-07bc-410b-8c44-dfbf173dadf5/
SH256 hash:
0fcbcb5c98c97d26b4df12fc4b1f18c926df5e943b6cad241836985f5da0290e
MD5 hash:
c7fcb915a272045036e5d8e0de23fd5a
SHA1 hash:
19df745007c4edbb727851db3c65290620389a20
Link:
https://www.unpac.me/results/911aec41-07bc-410b-8c44-dfbf173dadf5/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0fcbcb5c98c9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0fcbcb5c98c97d26b4df12fc4b1f18c926df5e943b6cad241836985f5da0290e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DBatLoader

Executable exe 0fcbcb5c98c97d26b4df12fc4b1f18c926df5e943b6cad241836985f5da0290e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2716578/
  
Delivery method
Distributed via web download

Comments