MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1063864a04382cc76452ffd66c096b6128e9b22de44169c7460febb02ed9be5f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1063864a04382cc76452ffd66c096b6128e9b22de44169c7460febb02ed9be5f
SHA3-384 hash: c4b24d2799de0d5bd5a28d7b61c9577f5033609b9be4ef0f2feda2e15f411c01f76d5ba69259b7e1e0eaad9091960c87
SHA1 hash: 440983cd4ef9847b32d59a8bd38d9668074b4c97
MD5 hash: cb34082fdd6642512965b26d4b62c500
humanhash: item-kentucky-golf-alpha
File name:Proforma fatura ektedir.exe
Download: download sample
Signature DBatLoader
Create hunting rule
File size:1'209'856 bytes
First seen:2024-10-15 14:12:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 93cd1f40d1900dba9692f6f89a489b2f (2 x DBatLoader)
ssdeep 24576:v3d2q0Hg8P0VXav4wSUtAiXzSz4FMzDVW1SKCDH7U:/4hgV7ijSmM3UxAH7
Threatray 63 similar samples on MalwareBazaar
TLSH T1AD456B55E3C28D35D836273B181EB1ED27182D50571CAB6AE6B5BB2C6B307E32CF5122
TrID 47.6% (.EXE) InstallShield setup (43053/19/16)
15.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
11.6% (.EXE) Win64 Executable (generic) (10522/11/4)
11.0% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
4.9% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
File icon (PE):PE icon
dhash icon 529f5a9c8cdc4a92 (3 x DBatLoader, 1 x RemcosRAT, 1 x SnakeKeylogger)
Reporter abuse_ch
Tags:DBatLoader exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
409
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Proformafaturaektedir.exe
Verdict:
No threats detected
Analysis date:
2024-10-15 14:16:32 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/797bd74a-e45c-46bc-86a1-f5aaf9dcd26d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Dropper.LokiBot-10033421-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=670e78771d4ef219fa62e3bd
Tags:
Delphi Emotet
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
borland_delphi fingerprint keylogger packed
Link:
https://www.filescan.io/uploads/670e7873a3cc924e39fd26cd/reports/bf48c786-88cd-43da-be88-3674ad6cba5f/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/1063864a04382cc76452ffd66c096b6128e9b22de44169c7460febb02ed9be5f
Result
Verdict:
MALICIOUS
Malware family:
Dbatloader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a9b872fb-3999-4417-83b0-5a12f7870f08
Result
Threat name:
DBatLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1534163
Signature
AI detected suspicious sample
Allocates many large memory junks
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates a thread in another existing process (thread injection)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1063864a04382cc76452ffd66c096b6128e9b22de44169c7460febb02ed9be5f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1063864a04382cc76452ffd66c096b6128e9b22de44169c7460febb02ed9be5f/
Threat name:
Win32.Trojan.ModiLoader
Create hunting rule
Status:
Malicious
First seen:
2024-10-14 11:02:21 UTC
File Type:
PE (Exe)
Extracted files:
100
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cbrymsqehawmozcs77lgycllmeuotmrn4rawtr2gb7v3alwzxzpq._file
Verdict:
malicious
Label(s):
dbatloader
Create hunting rule
Similar samples:
1063864a04382cc76452ffd66c096b6128e9b22de44169c7460febb02ed9be5f
DBatLoader
59640b32fd4e89cd138da35df35473a554da351660e7b654610642433135032c
DBatLoader
5f61f5d9eb8566c9da2253351078903b32feca438d591f283adcd4b401b9a4c5
DBatLoader
600214899079bef4e29e19e3a5872e86ead5c0e3e960b2730a21ae7b9c64ae0e
DBatLoader
60a3ba978c54e5c55e3e41ae565ff05ba1e7fa9627a8bde0edb751aad25fa298
DBatLoader
7ad64f279e3fa6a7d0ef2916240f1337584c5b5176fb56089771164f2905554f
DBatLoader
ba946ce742f0c1a802ef0b40a933f27ed7215baea0354f7c3b28b3f709308ba9
DBatLoader
e570134f747cfd85ee052084f5a0dbc26b8a6ea12a262c8e67382235da072a63
DBatLoader
error
DBatLoader
fe7ea8656ae589525068edd43cf85db43801652e5bdd8f4053778aba6602de95
DBatLoader
+ 53 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader discovery trojan
Link:
https://tria.ge/reports/241015-rjfbbssgnp/
Behaviour
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Legitimate hosting services abused for malware hosting/C2
ModiLoader Second Stage
ModiLoader, DBatLoader
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d41069c6-65b3-4c93-ab6c-dcc90aae115f
Unpacked files
SH256 hash:
411b532da0802ba3d10bc22d1d803d4bef5fefe37e406c7ed3e16875551aba2e
MD5 hash:
afa2597eb619d541c2dbc4085718cd11
SHA1 hash:
e0e58a94ddcf8efb4150f32653f5a7b23a71db32
Detections:
Typical_Malware_String_Transforms
Create hunting rule
Link:
https://www.unpac.me/results/2f967574-875f-4e62-a8c9-d5857a371b9c/
SH256 hash:
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
MD5 hash:
c116d3604ceafe7057d77ff27552c215
SHA1 hash:
452b14432fb5758b46f2897aeccd89f7c82a727d
Link:
https://www.unpac.me/results/2f967574-875f-4e62-a8c9-d5857a371b9c/
SH256 hash:
0db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323
MD5 hash:
869640d0a3f838694ab4dfea9e2f544d
SHA1 hash:
bdc42b280446ba53624ff23f314aadb861566832
Link:
https://www.unpac.me/results/2f967574-875f-4e62-a8c9-d5857a371b9c/
SH256 hash:
1063864a04382cc76452ffd66c096b6128e9b22de44169c7460febb02ed9be5f
MD5 hash:
cb34082fdd6642512965b26d4b62c500
SHA1 hash:
440983cd4ef9847b32d59a8bd38d9668074b4c97
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/2f967574-875f-4e62-a8c9-d5857a371b9c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1063864a04382cc76452ffd66c096b6128e9b22de44169c7460febb02ed9be5f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryExA
kernel32.dll::LoadLibraryA
kernel32.dll::GetStartupInfoA
kernel32.dll::GetDiskFreeSpaceA
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::FindFirstFileA
version.dll::GetFileVersionInfoSizeA
version.dll::GetFileVersionInfoA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::FindWindowA
user32.dll::PeekMessageA
user32.dll::PeekMessageW
user32.dll::CreateWindowExA

Comments