MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 107f5b7d95b1d5da610d6716545e5646f0c2b60e6e26e1bd835a862c6afb3dee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DBatLoader

Vendor detections: 12



SHA256 hash: 107f5b7d95b1d5da610d6716545e5646f0c2b60e6e26e1bd835a862c6afb3dee
SHA3-384 hash: 9088445864e2ad3ee7c0baa8c825e57d0805285339281f8a0a9cea4aacf4cca5837d65fb6df42d7838e8dc692dadb297
SHA1 hash: 0331bb25890d7188633716544bd4d27bf970f745
MD5 hash: 05d564f76213f94c6013e2f5202fc1b8
humanhash: illinois-april-north-delaware
File name: REF--REQUIRED--ORDER-CONFIRMATIONS.cmd
Signature: DBatLoader
File size: 3'101'818 bytes
First seen: 2025-01-30 12:03:04 UTC
Last seen: Never
File type: cmd
MIME type: text/x-msdos-batch
ssdeep: 24576:Ya8rhD9oVoZdPTqp/lAGyC7lTQd5M77eaGYIcev3m0nA7RWELw2awORgyBBJaNuF:Ya8p9ooeiC7a5M77eUHz0D/h0GjLVTWG
Threatray: 31 similar samples on MalwareBazaar
TLSH: T17FE5A5B71DAF56871304336B97CBF5C9471BECD50B926ED410FE09E8404A36F2998A8E
Magika: batch
Reporter: JAMESWT_WT
Tags: cmd DBatLoader NEOFX Spam-ITA

Intelligence


File Origin
# of uploads: 1
# of downloads: 115
Origin country: IT
Vendor Threat Intelligence
Verdict: Malicious
Score: 90.9%
Tags: delphi shell sage blic

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: extrac32 lolbin masquerade

Result
Verdict: MALICIOUS

Result
Threat name: DBatLoader, MassLogger RAT, PureLog Stealer
Detection: malicious
Classification: spre.bank.troj.spyw.expl.evad
Score: 100 / 100
Signature
Allocates many large memory chunks
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to behave differently if executed on a Russian/Kazakh computer
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates files in the system32 config directory
Creates files inside the volume driver (system volume information)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executable to a common third party application directory
Drops or copies certutil.exe with a different name (likely to bypass HIPS)
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Infects executable files (exe, dll, sys, html)
Joe Sandbox ML detected suspicious sample
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries random domain names (often used to prevent blacklisting and sinkholes)
Registers a new ROOT certificate
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Sigma detected: DLL Search Order Hijacking Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Suspicious Program Location with Network Connections
Suricata IDS alerts for network traffic
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected MassLogger RAT
Yara detected PureLog Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Behavior Graph ID: 1603000
Sample: REF--REQUIRED--ORDER-CONFIR...
Startdate: 30/01/2025
Architecture: WINDOWS
Score: 100

Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 16 other signatures
Top-level network: reallyfreegeoip.org (Tries to detect the country of the analysis system (by using the IP)); zlenh.biz; 48 other IPs or domains
Top-level processes: cmd.exe; Lqsrhpvh.PIF (two instances); 20 other processes

cmd.exe
  starts: awpha.pif, extrac32.exe, alpha.pif, 4 other processes
  extrac32.exe drops C:\Users\Public\awpha.pif (PE32+); signatures: Drops PE files to the user root directory; Drops PE files with a suspicious file extension; Drops or copies certutil.exe with a different name (likely to bypass HIPS); Drops or copies cmd.exe with a different name (likely to bypass HIPS)
  awpha.pif starts AnyDesk.pif
  alpha.pif starts phf.pif; signature on phf.pif: Registers a new ROOT certificate
  4 other processes drop C:\Users\Public\phf.pif (PE32+) and C:\Users\Public\alpha.pif (PE32+) and start phf.pif, which drops C:\Users\Public\Libraries\AnyDesk.pif (PE32)

AnyDesk.pif (started by awpha.pif)
  network: drive.usercontent.google.com (142.250.184.225, 443, 49733; GOOGLEUS United States); drive.google.com (142.250.186.110, 443, 49731, 49732; GOOGLEUS United States)
  drops: C:\Windows \SysWOW64\truesight.sys (PE32+); C:\Windows \SysWOW6478ETUTILS.dll (PE32+, path as rendered); C:\Users\Public\Libraries\hvphrsqL.pif (PE32); 7 other files (6 malicious)
  signatures: Drops PE files with a suspicious file extension; Writes to foreign memory regions; Allocates memory in foreign processes; 4 other signatures
  starts: hvphrsqL.pif; cmd.exe (two instances, each with conhost.exe)

hvphrsqL.pif (started by AnyDesk.pif)
  network: reallyfreegeoip.org (104.21.112.1, 443, 49739, 49764; CLOUDFLARENETUS United States); bumxkqgxu.biz (44.221.84.105, 49746, 49751, 49809; AMAZON-AESUS United States); 7 other IPs or domains
  drops: C:\Windows\System32\wbengine.exe (PE32+); C:\Windows\System32\wbem\WmiApSrv.exe (PE32+); C:\Windows\System32\vds.exe (PE32+); 83 other malicious files
  signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to steal Mail credentials (via file / registry access); 2 other signatures

Lqsrhpvh.PIF (two instances started from the sample)
  signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Sample uses process hollowing technique; Sample is not signed and drops a device driver; Allocates many large memory chunks
  starts: hvphrsqL.pif (signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)); cmd.exe (two instances, each with conhost.exe); 2 other processes (each with conhost.exe)

20 other processes
  network: yunalwv.biz (208.117.43.225, 49856, 49929, 49985; STEADFASTUS United States); xlfhhhm.biz (47.129.31.212, 49782, 49898, 80; ESAMARA-ASRU Canada); 9 other IPs or domains
  signatures: Creates files inside the volume driver (system volume information); Creates files in the system32 config directory; Contains functionality to behave differently if executed on a Russian/Kazakh computer; Found direct / indirect Syscall (likely to bypass EDR)
Threat name: Script-BAT.Trojan.Malgent
Status: Malicious
First seen: 2025-01-30 10:28:23 UTC
File Type: Text
Extracted files: 1
AV detection: 10 of 24 (41.67%)
Threat level: 5/5

Result
Malware family: modiloader
Score: 10/10
Tags: family:modiloader collection discovery persistence spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Please note that we are no longer able to provide a coverage score for Virus Total.
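The dropped-file paths in the behaviour graph above carry the three signals the sandbox signatures name: a directory component with a trailing space ("C:\Windows \SysWOW64\", the additional-space DLL search-order hijack), PE images written with a .pif extension, and staging under C:\Users\Public. The Python below is an added example, not MalwareBazaar's or any sandbox vendor's tooling; it re-runs those checks over the paths transcribed from the graph (the one entry whose path is garbled on the page is left out), plus a fourth check for PE images written under the real System32. The allowed-extension set and staging prefixes are this example's own assumptions, not rules taken from the page.

```python
import ntpath

PE_TYPES = {"PE32", "PE32+"}
# Extensions a PE image is normally written with (assumption for this example);
# anything else, such as .pif, is treated as a masquerade.
EXPECTED_PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".cpl", ".drv", ".scr"}
# Directories every local user can write to (assumption for this example).
STAGING_PREFIXES = (r"c:\users\public", r"c:\programdata")
SYSTEM_PREFIXES = (r"c:\windows\system32", r"c:\windows\syswow64")

# Dropped files as listed in the behaviour graph (path, PE type as rendered there),
# transcribed by hand for this example.
DROPPED = [
    (r"C:\Users\Public\awpha.pif", "PE32+"),
    (r"C:\Users\Public\phf.pif", "PE32+"),
    (r"C:\Users\Public\alpha.pif", "PE32+"),
    (r"C:\Users\Public\Libraries\AnyDesk.pif", "PE32"),
    (r"C:\Users\Public\Libraries\hvphrsqL.pif", "PE32"),
    (r"C:\Windows \SysWOW64\truesight.sys", "PE32+"),
    (r"C:\Windows\System32\wbengine.exe", "PE32+"),
    (r"C:\Windows\System32\wbem\WmiApSrv.exe", "PE32+"),
    (r"C:\Windows\System32\vds.exe", "PE32+"),
]


def findings_for(path: str, pe_type: str) -> list:
    """Return the list of reasons a dropped file is suspicious (empty if none trip)."""
    out = []
    lower = path.lower()
    is_pe = pe_type in PE_TYPES

    # 1. A directory component with trailing whitespace. "C:\Windows \SysWOW64\" is a
    #    different directory from "C:\Windows\SysWOW64\", but a loader that builds the
    #    path from "C:\Windows " gets Windows-looking paths without needing admin rights.
    #    Internal spaces ("Program Files") are fine; only trailing ones are flagged.
    if any(c != c.rstrip() for c in path.split("\\")[:-1]):
        out.append("trailing-space path component (DLL search-order hijack via additional space in path)")

    # 2. A PE image written with an extension Windows does not normally use for executables.
    ext = ntpath.splitext(path)[1].lower()
    if is_pe and ext not in EXPECTED_PE_EXTENSIONS:
        out.append(f"PE image with masquerading extension {ext}")

    # 3. Staged in a directory every local user can write to.
    if lower.startswith(STAGING_PREFIXES):
        out.append("staged in a world-writable public directory")

    # 4. A PE image written under the real System32/SysWOW64. The trailing-space
    #    path above deliberately does not match here; it is not the system directory.
    if is_pe and lower.startswith(SYSTEM_PREFIXES):
        out.append("PE image written under System32")

    return out


def triage(entries) -> dict:
    """Map each flagged path to its findings; paths with no findings are omitted."""
    result = {}
    for path, pe_type in entries:
        findings = findings_for(path, pe_type)
        if findings:
            result[path] = findings
    return result


if __name__ == "__main__":
    for path, findings in triage(DROPPED).items():
        print(path)
        for f in findings:
            print("   -", f)
```

Every path on the page trips at least one check, while a PE dropped as C:\Program Files\Vendor\app.exe trips none, which is the distinction the Sigma rules listed above are drawing.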

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BAT_DbatLoader
Author: NDA0E
Description: Detects base64 and hex encoded MZ header used by DbatLoader
Rule name: dbatloader_bat_v2
Author: RandomMalware
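Neither rule body is shown on the page. The Python below is an added example, not one of the YARA rules listed above and not DBatLoader's own code; it implements the check that the BAT_DbatLoader description refers to, so that a batch file can be triaged offline. The caveat a rule writer has to handle is alignment: "MZ" only encodes as the familiar TVqQ when the header starts on a 3-byte boundary of the base64 stream, and the hex form can land on an odd character, so the scanner decodes every long base64 or hex run at each possible alignment and then validates the decoded bytes as a DOS header whose e_lfanew points at "PE\0\0". The input is a constructed batch file carrying a synthetic PE stub, not the 3 MB sample from this entry.

```python
import base64
import binascii
import re
import struct

# Runs of base64 or hex text at least 64 characters long. Line breaks are allowed
# inside a run because batch droppers commonly wrap the encoded payload across lines.
_B64_RUN = re.compile(r"[A-Za-z0-9+/][A-Za-z0-9+/\r\n]{63,}={0,2}")
_HEX_RUN = re.compile(r"[0-9A-Fa-f][0-9A-Fa-f\r\n]{63,}")


def looks_like_pe(blob: bytes) -> bool:
    """DOS header check: 'MZ' at offset 0 and, if the header is complete, e_lfanew -> 'PE\\0\\0'."""
    if not blob.startswith(b"MZ"):
        return False
    if len(blob) < 0x40:
        return True  # only the MZ stub is present; that is all the YARA-style check needs
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def _decode(encoding: str, text: str):
    """Decode a run of base64/hex, dropping trailing characters that do not fill a group."""
    try:
        if encoding == "base64":
            return base64.b64decode(text[: len(text) - len(text) % 4])
        return binascii.unhexlify(text[: len(text) - len(text) % 2])
    except (binascii.Error, ValueError):
        return None


def scan_script(script: str) -> list:
    """Return one dict per encoded PE found: encoding, character offset of the run, decoded size."""
    hits = []
    for encoding, pattern, group in (("base64", _B64_RUN, 4), ("hex", _HEX_RUN, 2)):
        for m in pattern.finditer(script):
            run = re.sub(r"[\r\n]", "", m.group(0))
            # 'MZ' encodes differently depending on where it falls inside a base64 group
            # (TVqQ only when aligned), so try every alignment before giving up.
            for shift in range(group):
                blob = _decode(encoding, run[shift:])
                if blob and looks_like_pe(blob):
                    hits.append({"encoding": encoding, "offset": m.start(), "size": len(blob)})
                    break
    return hits


def build_fake_pe() -> bytes:
    """Constructed stand-in for a dropped PE: DOS header with e_lfanew -> 'PE\\0\\0' plus filler."""
    hdr = bytearray(0x40)
    hdr[0:4] = b"MZ\x90\x00"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode."


FAKE_PE = build_fake_pe()
B64_PE = base64.b64encode(FAKE_PE).decode()
HEX_PE = FAKE_PE.hex().upper()

# Constructed batch script: the same stub embedded once as wrapped base64 and once as hex.
SAMPLE_CMD = (
    "@echo off\r\n"
    "rem constructed sample (not the real dropper).\r\n"
    + "\r\n".join(B64_PE[i:i + 76] for i in range(0, len(B64_PE), 76)) + "\r\n"
    + 'set "h=' + HEX_PE + '"\r\n'
    + "echo done\r\n"
)

# Constructed benign script: a long base64 string that is not a PE must not trigger.
BENIGN_CMD = (
    "@echo off\r\n"
    'set "msg=' + base64.b64encode(b"Nothing to see here: just a long, harmless base64 string.").decode() + '"\r\n'
    "echo %msg%\r\n"
)

if __name__ == "__main__":
    for hit in scan_script(SAMPLE_CMD):
        print(f"{hit['encoding']:6} at offset {hit['offset']:6}: {hit['size']} decoded bytes")
    print("benign hits:", scan_script(BENIGN_CMD))
```

The e_lfanew check is what keeps this from firing on an arbitrary decoded blob that happens to start with MZ; on a real 3 MB .cmd the decoded payload can be handed straight to a PE parser once the run is located.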

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments