MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 121f55609d94b5c7c3e0b66cee1d57b174238452ebc1efd9193ec3513c531d34. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DBatLoader

Vendor detections: 9

SHA256 hash: 121f55609d94b5c7c3e0b66cee1d57b174238452ebc1efd9193ec3513c531d34
SHA3-384 hash: 535a9ad69e74a517b075d888cdef660ee32d93e29a1c391a628f594590bc93854f0cca94442343413547e403c11e6b9e
SHA1 hash: db9a3572f3f41a7b130d46035546f86979efa07b
MD5 hash: 6eaa9827d1492cf9af39bfbd16d3c542
humanhash: fifteen-vermont-nitrogen-whiskey
File name: DI-Water Treatment Pre-qualification Questionnaire,XLSX.JS
Signature: DBatLoader
File size: 17'217'265 bytes
First seen: 2025-06-10 16:45:59 UTC
Last seen: Never
File type: Java Script (JS) js
MIME type: text/plain
ssdeep: 1536:jTCh2ZNqQ1NQAP8as+6B2YZN5fBb0PuadhuQu:TZNqQ1NQ9acB2+b0PuchuQu
Threatray: 1'168 similar samples on MalwareBazaar
TLSH: T17007A75B3DF1948A229819E1EF234DF91E35EA79CCEE6C8DFAD4C10C251C6B1908697C
Magika: javascript
Reporter: smica83
Tags: DBatLoader HUN js ModiLoader

Intelligence

File Origin
# of uploads: 1
# of downloads: 126
Origin country: HU

Vendor Threat Intelligence
Verdict: Malicious
Score: 97.4%
Tags: autorun delphi emotet

Result
Threat name: Remcos, DBatLoader
Detection: malicious
Classification: rans.phis.troj.spyw.expl.evad
Score: 100 / 100
Signature
Allocates many large memory chunks
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files with a suspicious file extension
Found hidden mapped module (file has been removed from disk)
Found malware configuration
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Sigma detected: DLL Search Order Hijacking Via Additional Space in Path
Sigma detected: Remcos
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph: ID 1711265, Sample: DI-Water Treatment Pre-qual..., Start date: 10/06/2025, Architecture: WINDOWS, Score: 100 (rendered process and network graph; not reproducible as text)
Result
Malware family: modiloader
Score: 10/10
Tags: family:modiloader discovery execution trojan
Behaviour
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malware family | File type | SHA256 hash | Note
DBatLoader | Java Script (JS) js | 121f55609d94b5c7c3e0b66cee1d57b174238452ebc1efd9193ec3513c531d34 | (this sample)

Comments