MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13a8af0ecd61e182d3f29ae37e4e30ec1b3f0b659c340108dc3257bf3e334eca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 13a8af0ecd61e182d3f29ae37e4e30ec1b3f0b659c340108dc3257bf3e334eca
SHA3-384 hash: 1b5e3fbd082f5aeb64f6dc3f00dd258622925a0700358ddc7733ca85015312b193d45f28b1cb034907b9f76dcf8e5166
SHA1 hash: b20d4933394e6f02381df3c15ad091e78cabd54e
MD5 hash: 99fec1ec563f7c0fb159412c342d1b0a
humanhash: stream-purple-venus-mobile
File name:Quotation details.vbs
Download: download sample
Signature DBatLoader
Create hunting rule
File size:2'137'787 bytes
First seen:2025-10-23 08:31:50 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 24576:JgkGBj/x4LrIo4o35unpmOuDqiJYkIJR9e2AerHwuI3N5odaZ+/F/MYRsmrq+Vks:21zo4oJSwYiilRoAwt4nRsmu+V3
Threatray 2'071 similar samples on MalwareBazaar
TLSH T167A5D030DD26ED0A3FBC4A9A48DC2DD44D6C2B93821C66BC9B4873AF716D9529DDC06C
Magika vba
Reporter abuse_ch
Tags:DBatLoader vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
49
Origin country :
SE SE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/33860/
Detection(s):
Sanesecurity.Malware.28953.VbsHeur.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PUA.Base64EXE-1.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68f9e8343edd081eba410acb
Tags:
delphi emotet
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug base64 dropper fingerprint keylogger obfuscated obfuscated packed packed
Link:
https://www.filescan.io/uploads/68f9e9f63a79800405f2abe8/reports/9f286543-4014-4c61-a2cb-bd7f18825fbe/overview
Verdict:
Malicious
Labled as:
Valyria
Link:
https://www.hybrid-analysis.com/sample/13a8af0ecd61e182d3f29ae37e4e30ec1b3f0b659c340108dc3257bf3e334eca
Verdict:
Malicious
File Type:
vbs
First seen:
2025-10-21T07:16:00Z UTC
Last seen:
2025-10-23T06:18:00Z UTC
Hits:
~100
Detections:
Trojan-Dropper.JS.SDrop.sb Trojan-Downloader.JS.Cryptoload.sb HEUR:Trojan.Win32.Convagent.gen HEUR:Trojan.Script.Generic Trojan-Spy.Noon.HTTP.ServerRequest HEUR:Trojan-Dropper.Script.Generic HEUR:Trojan.Win32.DelfInject.gen PDM:Trojan.Win32.Generic Backdoor.Agent.HTTP.C&C Trojan-Spy.Win32.Noon.sb Trojan-PSW.Win32.Stealer.sb
Link:
https://opentip.kaspersky.com/13a8af0ecd61e182d3f29ae37e4e30ec1b3f0b659c340108dc3257bf3e334eca/results?tab=lookup
Result
Threat name:
DBatLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1800429
Signature
Allocates many large memory junks
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Benign windows process drops PE files
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Drops PE files to the user root directory
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1800429 Sample: Quotation details.vbs Startdate: 23/10/2025 Architecture: WINDOWS Score: 100 42 www.kecertp.xyz 2->42 44 www.dorvian.xyz 2->44 46 8 other IPs or domains 2->46 62 Suricata IDS alerts for network traffic 2->62 64 Antivirus / Scanner detection for submitted sample 2->64 66 Multi AV Scanner detection for submitted file 2->66 70 5 other signatures 2->70 12 wscript.exe 2 2->12         started        signatures3 68 Performs DNS queries to domains with low reputation 44->68 process4 file5 40 C:\Users\user\AppData\Local\Temp\x.exe, PE32 12->40 dropped 86 Benign windows process drops PE files 12->86 88 VBScript performs obfuscated calls to suspicious functions 12->88 90 Windows Scripting host queries suspicious COM object (likely to drop second stage) 12->90 16 x.exe 1 12->16         started        signatures6 process7 file8 38 C:\Users\Public\qgmaogmkF.exe, PE32 16->38 dropped 54 Drops PE files to the user root directory 16->54 56 Writes to foreign memory regions 16->56 58 Allocates memory in foreign processes 16->58 60 3 other signatures 16->60 20 qgmaogmkF.exe 16->20         started        signatures9 process10 signatures11 72 Detected unpacking (changes PE section rights) 20->72 74 Maps a DLL or memory area into another process 20->74 23 8LFlJCzSC3oi.exe 20->23 injected process12 signatures13 76 Maps a DLL or memory area into another process 23->76 26 HOSTNAME.EXE 13 23->26         started        process14 signatures15 78 Tries to steal Mail credentials (via file / registry access) 26->78 80 Tries to harvest and steal browser information (history, passwords, etc) 26->80 82 Modifies the context of a thread in another process (thread injection) 26->82 84 3 other signatures 26->84 29 5TADVXTMiA.exe 26->29 injected 32 chrome.exe 26->32         started        34 firefox.exe 26->34         started        process16 dnsIp17 48 www.dorvian.xyz 203.161.50.154, 49699, 49700, 49701 VNPT-AS-VNVNPTCorpVN Malaysia 29->48 50 kecertp.xyz 67.223.118.73, 49695, 49696, 49697 VIMRO-AS15189US United States 29->50 52 3 other IPs or domains 29->52 36 WerFault.exe 4 32->36         started        process18
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/13a8af0ecd61e182d3f29ae37e4e30ec1b3f0b659c340108dc3257bf3e334eca
Verdict:
inconclusive
YARA:
1 match(es)
Link:
https://app.malva.re/file/99fec1ec563f7c0fb159412c342d1b0a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/13a8af0ecd61e182d3f29ae37e4e30ec1b3f0b659c340108dc3257bf3e334eca/
Verdict:
Malicious
Threat:
Family.MODILOADER
Link:
https://tip.neiki.dev/file/13a8af0ecd61e182d3f29ae37e4e30ec1b3f0b659c340108dc3257bf3e334eca
Threat name:
Script-WScript.Trojan.Valyria
Create hunting rule
Status:
Malicious
First seen:
2025-10-23 08:39:39 UTC
File Type:
Text
AV detection:
17 of 37 (45.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=couk6dwnmhqyfu7stlrx4trq5qnt6c3ftq2accg4gjl36prtj3fa._file
Verdict:
malicious
Label(s):
dbatloader
Create hunting rule
formbook
Create hunting rule
Similar samples:
0dfd9f9027f0f6eeb381e55a0668b5b5a146fd4310f10edceeda4454eeaab924
DBatLoader
1626575d77b31d3b8cfebf81867d2dd2da280a4b83ab74a2852bc26143ca8aef
DBatLoader
2fbff2faed784287ac85fac279c2c0348277552b46b0ffd1ca91d9a61ce8c91e
DBatLoader
51641062dd68e37a56baa728191cc6923eff3426f80d8cb6d7bf459604f22763
DBatLoader
5ee4fc645fa88cd85eddc57b9fc28733a891d0bb84a648a560264b983b9c5488
DBatLoader
89369898ebf3b91a1f28cecd38382b3f47d32e0cbde22543b1ece74c25c03eef
DBatLoader
b25b8ca9c790e8030383a0e15562726076f420e38976d4f0b5dadc6ddce2debd
DBatLoader
cf77ea3d603cf9d76cac65e60a4d53dfbc850631f77c24784361e6f8984c9798
DBatLoader
d5ee487c616532dab3c06755f8df4d201072d815e687f7e495b24781172f8313
DBatLoader
ea710abc03bb6f1d7bb3045bfbbf6450e49fbaea858df1fef7563d525d708c0c
DBatLoader
error
DBatLoader
+ 2'061 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:modiloader discovery rat spyware stealer trojan
Link:
https://tria.ge/reports/251023-kjbvkshw2b/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Formbook payload
ModiLoader Second Stage
Formbook
Formbook family
ModiLoader, DBatLoader
Modiloader family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.88
Link:
https://yomi.yoroi.company/submissions/13a8af0ecd61e182d3f29ae37e4e30ec1b3f0b659c340108dc3257bf3e334eca

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/33860/

Comments