MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19dfb862ebeb174e3926bffea642248bd3b44fe008d62f2215bd54192902451a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DBatLoader

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	19dfb862ebeb174e3926bffea642248bd3b44fe008d62f2215bd54192902451a
SHA3-384 hash:	f9a037eefdec1fe3a697d484db6b93ba6e10851d6ccf6b9ecebfe703f2bc9b3c07950a413125d6737b6784589f22670f
SHA1 hash:	5b472b6307eb21675d4fb6865d0f29f586961816
MD5 hash:	70a63877732aef4fb8309f60e1081725
humanhash:	finch-beryllium-bulldog-monkey
File name:	19dfb862ebeb174e3926bffea642248bd3b44fe008d62f2215bd54192902451a
Download:	download sample
Signature	DBatLoader Create hunting rule
File size:	1'053'184 bytes
First seen:	2022-12-07 14:20:33 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	792178d34a808a8476c3424485de2766 (1 x ModiLoader, 1 x DBatLoader)
ssdeep	12288:J1hUaCeWj1PeFuwZFADqT8aZRC5osNOufMLOZnDv+T:JUv1GbaLWRC9NOuf8N
TLSH	T1F4259F62A2A08877C0322678DD27C774583ABE213F24A54617F53E0A7F7BE91393615F
TrID	68.5% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58) 27.0% (.EXE) Win32 Executable Borland Delphi 6 (262638/61) 1.4% (.EXE) Win32 Executable Delphi generic (14182/79/4) 1.3% (.SCR) Windows screen saver (13097/50/3) 0.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	1986013121d9c969 (1 x ModiLoader, 1 x Formbook, 1 x DBatLoader)
Reporter	adrian__luca
Tags:	DBatLoader exe

Intelligence

File Origin

# of uploads :

# of downloads :

217

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

19dfb862ebeb174e3926bffea642248bd3b44fe008d62f2215bd54192902451a

Verdict:

Malicious activity

Analysis date:

2022-12-07 14:21:41 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/eae073dc-f2d2-4121-87e5-4b93d5ab4f31

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/344010/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.11869.1438.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Searching for synchronization primitives

DNS request

Connecting to a non-recommended domain

Sending a custom TCP request

Running batch commands

Creating a process with a hidden window

Launching cmd.exe command interpreter

Launching a process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

keylogger

Link:

https://www.filescan.io/uploads/6390a1519a505ad9423de192/reports/d661f2ce-9ea4-4a27-bf07-4ecb6c7b80d6/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9904abf8-6d74-4fc1-927d-1b55ce4c25ec

Result

Threat name:

DBatLoader

Detection:

malicious

Classification:

troj

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/1129988

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected DBatLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/19dfb862ebeb174e3926bffea642248bd3b44fe008d62f2215bd54192902451a/

Threat name:

Win32.Backdoor.Remcos

Status:

Malicious

First seen:

2022-11-15 05:36:27 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dhp3qyxl5mlu4ojgx77kmqrerpj3it7abdlc6iqvxvkbskiciuna._file

Verdict:

malicious

Label(s):

remcos

Result

Malware family:

remcos

Score:

10/10

Tags:

family:modiloader family:remcos botnet:remotehost persistence rat trojan

Link:

https://tria.ge/reports/221207-rnz7asac6s/

Behaviour

Enumerates system info in registry

Modifies system certificate store

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Adds Run key to start application

Loads dropped DLL

Executes dropped EXE

ModiLoader Second Stage

ModiLoader, DBatLoader

Remcos

Malware Config

C2 Extraction:

dansa.duckdns.org:2555

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/a7c9f30b-5c9d-481a-a857-d8b6e842a614

Unpacked files

SH256 hash:

1494a33fa85c9b609208c2e736a0c590c92dd5d79a3f509c494f682ee2d484e7

MD5 hash:

0bcecb06ccc102834b83ea842fdd14b8

SHA1 hash:

d6b3de267f00247a22f6f6a445b1d2050ff83535

Detections:

win_dbatloader_g1

Link:

https://www.unpac.me/results/7a17e13f-8138-436e-8ffd-374724d55c81/

Parent samples :

2849d370b64fa3eb3cb21ab9a187c80f1b93ad00292cf1a4e8f604759891a784
29944768d8d93078ee98c57fd67476e8e24dc7c86d727f2161cd97c3110e000d
765372380d835862f3098f02651cd0b10925fbe2af78d4c55031a9d311a02c45
034c4dc5c694755d9ad90526bff5e54caaa1bef51e579a8deda6f66c70caf76a
bb472659fae10a9d6b5396aa6bd416183a5b389ffcd0c98e90e47010a7be6f60
2429599075a40fa9c6292d8539e08aeb0915c021a3a8011803a3ba9c16e92ae4
156b6bacda73c72c39b0f074f77bbf9bcfb4d26073d6b6c50db29ac126dacc48
3ec75aa62228c2043c7834516a087d14fb0ff1cf89a060edb10cbd3e296e3fc4
dc3f64f01b34de10c06e4f6f9a00e0d6d3213e5d7d3b13df5219287d4b0ec1a8
f427c71c5ba96a77ef1dd5d6759008b1eb76b633e2aca03d3d3b3257b0ef45c0
fe99fa21fce81c6942e8afbc5e77343d0e0ae7c99aa900a39fd5a01cfb4c3c2d
0154435a9ca1ab793fb98c95b9fc1cef9b64cb6e54e7b0af6cc358018476ee11
19dfb862ebeb174e3926bffea642248bd3b44fe008d62f2215bd54192902451a

SH256 hash:

19dfb862ebeb174e3926bffea642248bd3b44fe008d62f2215bd54192902451a

MD5 hash:

70a63877732aef4fb8309f60e1081725

SHA1 hash:

5b472b6307eb21675d4fb6865d0f29f586961816

Detections:

DbatLoaderStage1

Link:

https://www.unpac.me/results/7a17e13f-8138-436e-8ffd-374724d55c81/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/19dfb862ebeb174e3926bffea642248bd3b44fe008d62f2215bd54192902451a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/344010/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample