MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a77fe43c21c77b47c1ea009c8a7c082eb11abcfb48ff4375cce7edc0925e9c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DBatLoader

Vendor detections: 12

SHA256 hash: 1a77fe43c21c77b47c1ea009c8a7c082eb11abcfb48ff4375cce7edc0925e9c6
SHA3-384 hash: f3914f65d2211ec9b78b02ff8cbfac91c8c25fe0fc4b963c7c56e0ba165c55387cedb9d1632ffb0a21c0a3045d98e3f4
SHA1 hash: 26e7916e14c62f1351955131eb77c1e1072e5706
MD5 hash: 48afd1f2e1c80cb7ba09ffa901e75617
humanhash: sodium-undress-iowa-diet
File name: 48afd1f2e1c80cb7ba09ffa901e75617
Signature DBatLoader
File size: 808'960 bytes
First seen: 2021-12-03 10:50:51 UTC
Last seen: 2021-12-03 12:44:00 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 736a08351cbcd8a9092505e560d10910 (2 x Formbook, 1 x DBatLoader)
ssdeep: 12288:fIFljVcvVpFbFnH7WTgZtLGTY54m8Bz+FFiWAygV8BcFcePyaW:fIz6pFb1HZSc54m8Bz+viWAy68Cbm
Threatray: 12'048 similar samples on MalwareBazaar
TLSH: T1C6059EB27AD06D73C4AB1D79CC57BFA8B8363E211E96758939F468C81F343423A1A453
dhash icon: b670390284e2da70 (14 x Formbook, 3 x RemcosRAT, 3 x AveMariaRAT)
Reporter: zbetcheckin
Tags: 32 DBatLoader exe

Intelligence


File Origin
# of uploads: 3
# of downloads: 141
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 9001.xlsx
Verdict: Malicious activity
Analysis date: 2021-12-03 09:47:41 UTC
Tags: encrypted opendir exploit CVE-2017-11882 loader trojan formbook stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Malware family: n/a
Score: 0/10
Tags: n/a
Behaviour
CheckCmdLine
Verdict: Suspicious
Threat level: 5/10
Confidence: 67%
Tags: zusy
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: DBatLoader FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Behavior Graph ID: 533282; Sample: mIGDBMK7uK; Start date: 03/12/2021; Architecture: WINDOWS; Score: 100
Top-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 5 other signatures
Process tree (as recovered from the graph):
mIGDBMK7uK.exe (started)
    network: oqpejw.am.files.1drv.com, onedrive.live.com, am-files.fe.1drv.com
    dropped: C:\Users\user\Rethlvww.exe (PE32)
    signatures: Drops PE files to the user root directory; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; 3 other signatures
    explorer.exe (injected)
        signatures: Uses ipconfig to lookup or modify the Windows network settings
        ipconfig.exe (started)
            signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process
            cmd.exe (started)
                conhost.exe (started)
            explorer.exe (started)
        Rethlvww.exe (started)
            network: 192.168.2.1, oqpejw.am.files.1drv.com, 2 other IPs or domains
            signatures: Multi AV Scanner detection for dropped file; Tries to detect virtualization through RDTSC time measurements
        Rethlvww.exe (started)
            network: oqpejw.am.files.1drv.com, onedrive.live.com, am-files.fe.1drv.com
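The process tree above has a shape that can be hunted for independently of the file hashes: an injected explorer.exe launching ipconfig.exe, the hollowed ipconfig.exe spawning cmd.exe to delete the original sample, and a PE dropped directly into the profile root (C:\Users\user\Rethlvww.exe). The following is an added example, not code from MalwareBazaar or the sandbox vendor. It runs three rules over constructed process-creation events; the Sysmon/EDR-style fields (pid, ppid, image, cmdline) are an assumed schema, and the final two events are benign noise (a user running ipconfig from a console) included to show the rules stay quiet on ordinary activity.

```python
"""Hunt for the process-tree shape shown in the behavior graph above.

Added example, not MalwareBazaar or sandbox-vendor code. The events are
constructed in a Sysmon/EDR style; the field names (pid, ppid, image,
cmdline) are an assumed schema, not a vendor format.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


# Constructed events modelled on the graph: the loader injects explorer.exe,
# which launches ipconfig.exe and the dropped Rethlvww.exe; the hollowed
# ipconfig.exe spawns cmd.exe to delete the original sample. The last two
# events are benign noise (a user running ipconfig from a normal shell).
SAMPLE_EVENTS = [
    ProcEvent(1000, 800, r"C:\Users\user\Desktop\mIGDBMK7uK.exe", "mIGDBMK7uK.exe"),
    ProcEvent(1200, 1000, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1300, 1200, r"C:\Windows\System32\ipconfig.exe", "ipconfig.exe"),
    ProcEvent(1400, 1200, r"C:\Users\user\Rethlvww.exe", r"C:\Users\user\Rethlvww.exe"),
    ProcEvent(1500, 1300, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c del "C:\Users\user\Desktop\mIGDBMK7uK.exe"'),
    ProcEvent(1600, 1500, r"C:\Windows\System32\conhost.exe", "conhost.exe"),
    ProcEvent(2000, 1900, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(2100, 2000, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
]

# An executable sitting directly in a profile root (C:\Users\<name>\x.exe),
# not in a subfolder: the "Drops PE files to the user root directory" signature.
USER_ROOT_EXE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)
DELETE_VERB = re.compile(r"\b(?:del|erase)\b", re.IGNORECASE)
# Parents from which a cmd.exe delete is ordinary user activity.
INTERACTIVE_SHELLS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}


def _name(image: str) -> str:
    return ntpath.basename(image).lower()


def detect(events):
    """Return findings for the three behaviours visible in the graph."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        pname = _name(parent.image) if parent else ""
        if USER_ROOT_EXE.match(e.image):
            findings.append(Finding("exe_in_user_root", e.pid, e.image))
        # ipconfig.exe is normally a child of a console shell; explorer.exe as
        # its parent matches the injected explorer.exe in the graph.
        if _name(e.image) == "ipconfig.exe" and pname == "explorer.exe":
            findings.append(Finding("explorer_spawns_ipconfig", e.pid, parent.image))
        # A non-shell process (here the hollowed ipconfig.exe) running cmd.exe
        # with a delete verb: the "Self deletion via cmd delete" signature.
        if (_name(e.image) == "cmd.exe" and DELETE_VERB.search(e.cmdline)
                and parent and pname not in INTERACTIVE_SHELLS):
            findings.append(Finding("non_shell_cmd_delete", e.pid,
                                    f"{pname} -> {e.cmdline}"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule:28} pid={f.pid} {f.detail}")
```

The third rule is the highest-signal one: Windows utilities such as ipconfig.exe have no legitimate reason to spawn cmd.exe at all, so the delete verb is only there to tie the finding to the self-deletion behaviour. The Run-key persistence reported by the other sandboxes on this page is not covered because the entry does not give the value name or path that was written.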
Threat name: Win32.Trojan.SpyNoon
Status: Malicious
First seen: 2021-12-03 07:37:24 UTC
File Type: PE (Exe)
Extracted files: 77
AV detection: 20 of 28 (71.43%)
Threat level: 5/5
Result
Malware family: n/a
Score: 6/10
Tags: persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Adds Run key to start application
Malware family: XLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: DBatLoader
File: Executable exe 1a77fe43c21c77b47c1ea009c8a7c082eb11abcfb48ff4375cce7edc0925e9c6 (this sample)

Comments



zbet commented on 2021-12-03 10:50:52 UTC

url: hxxp://13.113.149.209/9001/bonsoo.exe
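The comment above gives the download URL in defanged form (hxxp), and the entry lists several hash families, one of which (the imphash) is an MD5 over the PE import table rather than over the file and must not be matched against file MD5s. The following is an added example, not MalwareBazaar code: a Python IOC normaliser run over a constructed excerpt of this page that parses hashes by their labels, rejects wrong-length values (one constructed truncated MD5 line is added for that purpose), refangs the URL, and checks a file's computed digests against the set. The OneDrive hostnames in the sandbox graph are deliberately not extracted: 1drv.com and onedrive.live.com are shared Microsoft infrastructure and blocking them would hit legitimate traffic.

```python
"""Turn the indicators on this page into a machine-checkable IOC set.

Added example, not MalwareBazaar code. PAGE_EXCERPT is a constructed excerpt
of the entry above (hash block plus the analyst comment with its defanged
URL) with one constructed bad line added to exercise validation.
"""
import hashlib
import re

PAGE_EXCERPT = """
SHA256 hash: 1a77fe43c21c77b47c1ea009c8a7c082eb11abcfb48ff4375cce7edc0925e9c6
SHA1 hash: 26e7916e14c62f1351955131eb77c1e1072e5706
MD5 hash: 48afd1f2e1c80cb7ba09ffa901e75617
imphash 736a08351cbcd8a9092505e560d10910 (2 x Formbook, 1 x DBatLoader)
MD5 hash: deadbeef
url : hxxp://13.113.149.209/9001/bonsoo.exe
"""
# The "MD5 hash: deadbeef" line is constructed (not on the page) to show that a
# truncated value is rejected instead of silently becoming an indicator.

# Label-aware: the page writes "SHA256 hash: ...", "MD5 hash: ..." and
# "imphash ...". Parsing by label keeps the imphash (an MD5 over the import
# table) out of the file-MD5 set, where it would never match and only mislead.
LABELLED_HASH = re.compile(
    r"^(sha256|sha1|md5|imphash)(?:\s+hash)?\s*:?\s*([0-9a-f]+)\b",
    re.IGNORECASE | re.MULTILINE,
)
EXPECTED_LEN = {"sha256": 64, "sha1": 40, "md5": 32, "imphash": 32}
DEFANGED_URL = re.compile(r'\bhxxps?(?:://|\[:\]//)[^\s"<>]+', re.IGNORECASE)


def refang(url: str) -> str:
    """Undo the usual defanging conventions (hxxp, [.], [:], [dot])."""
    return (url.replace("hxxp", "http").replace("[:]", ":")
            .replace("[.]", ".").replace("(.)", ".").replace("[dot]", "."))


def extract_iocs(text: str):
    """Return ({family: set(values)}, [(family, rejected_value), ...])."""
    iocs = {family: set() for family in EXPECTED_LEN}
    iocs["url"] = set()
    rejected = []
    for label, value in LABELLED_HASH.findall(text):
        family, value = label.lower(), value.lower()
        if len(value) != EXPECTED_LEN[family]:
            rejected.append((family, value))
            continue
        iocs[family].add(value)
    for m in DEFANGED_URL.finditer(text):
        iocs["url"].add(refang(m.group(0)))
    return iocs, rejected


def file_digests(data: bytes) -> dict:
    """Hashes computable from raw bytes. An imphash needs PE import parsing,
    so it is not produced here and is never matched by match_file."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def match_file(data: bytes, iocs: dict) -> list:
    """Return the sorted list of hash families on which the file matches."""
    digests = file_digests(data)
    return sorted(fam for fam, d in digests.items() if d in iocs[fam])


if __name__ == "__main__":
    found, bad = extract_iocs(PAGE_EXCERPT)
    for family, values in found.items():
        for v in sorted(values):
            print(f"{family:8} {v}")
    print("rejected:", bad)
    # Constructed stand-in bytes, not the real sample: no match expected.
    print("match:", match_file(b"MZ constructed stand-in", found))
```

Refanging is done only at the point where the URL enters a blocklist or a fetch routine; keeping the hxxp form everywhere else (tickets, chat, reports) is what stops someone clicking it by accident.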