MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b934dccc814a0d5248fa34256f192fc6e97bd322e23876bc5c751a11d0b1ed0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 11


Intelligence 11 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1b934dccc814a0d5248fa34256f192fc6e97bd322e23876bc5c751a11d0b1ed0
SHA3-384 hash: 6c17573e91228a951f13f4990200ca74f335d2960a3ec97b7bddaef879138e9442bcb68a59fafd6a604859a1717af85a
SHA1 hash: e4c27b6bb8545a1d4f30c9ea043967eb7cdf4718
MD5 hash: 46b33a0a89c86698bf23b9dad5ab03d9
humanhash: nuts-march-nebraska-colorado
File name:REQUIRED-ORDER-REFERENCE-WITH-COMPANY-DETAILS.cmd
Download: download sample
Signature DBatLoader
Create hunting rule
File size:5'254'521 bytes
First seen:2025-02-17 14:30:38 UTC
Last seen:Never
File type:cmd cmd
MIME type:text/x-msdos-batch
ssdeep 49152:Ez4ljOq3n/UB+88M2S7oSty0p6vm6rsO6z4K7B4/CWD+YHDZrK:S
Threatray 10 similar samples on MalwareBazaar
TLSH T1FD3652EF3EED224FBB1123EE355FA95D0A26EFB017E12FD815C61598681510F9884C8B
Magika batch
Reporter JAMESWT_WT
Tags:cmd DBatLoader MassLogger NEOFX Spam-ITA

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
IT IT
Vendor Threat Intelligence
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67b3496aa0fd713c335b7224
Tags:
emotet shell sage blic
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
extrac32 lolbin masquerade
Link:
https://www.filescan.io/uploads/67b34830c2f1c1c7a05a52a1/reports/841f797e-0658-48c3-bb8d-3cba9005c531/overview
Verdict:
Malicious
Labled as:
BAT/TrojanDropper.Agent
Link:
https://www.hybrid-analysis.com/sample/1b934dccc814a0d5248fa34256f192fc6e97bd322e23876bc5c751a11d0b1ed0
Result
Verdict:
UNKNOWN
Result
Threat name:
DBatLoader, MassLogger RAT, PureLog Stea
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1617148
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates many large memory junks
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops or copies certutil.exe with a different name (likely to bypass HIPS)
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Registers a new ROOT certificate
Sample uses process hollowing technique
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Suspicious Program Location with Network Connections
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected MassLogger RAT
Yara detected PureLog Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1617148 Sample: REQUIRED-ORDER-REFERENCE-WI... Startdate: 17/02/2025 Architecture: WINDOWS Score: 100 77 reallyfreegeoip.org 2->77 79 lwaziacademy.com 2->79 81 2 other IPs or domains 2->81 93 Found malware configuration 2->93 95 Malicious sample detected (through community Yara rule) 2->95 97 Multi AV Scanner detection for dropped file 2->97 101 14 other signatures 2->101 10 cmd.exe 1 2->10         started        signatures3 99 Tries to detect the country of the analysis system (by using the IP) 77->99 process4 process5 12 rdha.pif 1 10->12         started        14 alpha.pif 1 10->14         started        17 expha.pif 1 10->17         started        20 7 other processes 10->20 file6 22 ANYDESK.PIF 6 12->22         started        119 Uses ping.exe to sleep 14->119 121 Uses ping.exe to check the status of other devices and networks 14->121 26 ghf.pif 3 2 14->26         started        51 C:\Users\Public\alpha.pif, PE32+ 17->51 dropped 123 Drops PE files to the user root directory 17->123 125 Drops PE files with a suspicious file extension 17->125 127 Drops or copies certutil.exe with a different name (likely to bypass HIPS) 17->127 129 Drops or copies cmd.exe with a different name (likely to bypass HIPS) 17->129 53 C:\Users\Public\rdha.pif, PE32+ 20->53 dropped 55 C:\Users\Public\ghf.pif, PE32+ 20->55 dropped 57 C:\Users\Public\expha.pif, PE32+ 20->57 dropped 28 PING.EXE 1 20->28         started        31 ghf.pif 2 20->31         started        signatures7 process8 dnsIp9 59 C:\Windows \SysWOW64\svchost.pif, PE32+ 22->59 dropped 61 C:\Windows \SysWOW6461ETUTILS.dll, PE32+ 22->61 dropped 63 C:\Users\Public\Libraries\fxvapowR.pif, PE32 22->63 dropped 65 C:\Users\Public\RwopavxfF.cmd, DOS 22->65 dropped 103 Drops PE files with a suspicious file extension 22->103 105 Writes to foreign memory regions 22->105 107 Allocates memory in foreign processes 22->107 113 3 other signatures 22->113 33 fxvapowR.pif 15 2 22->33         started        37 cmd.exe 1 22->37         started        39 cmd.exe 3 22->39         started        109 Registers a new ROOT certificate 26->109 111 Drops PE files to the user root directory 26->111 83 127.0.0.1 unknown unknown 28->83 67 C:\Users\Public\ANYDESK.PIF, PE32 31->67 dropped file10 signatures11 process12 dnsIp13 71 checkip.dyndns.com 132.226.8.169, 49731, 80 UTMEMUS United States 33->71 73 lwaziacademy.com 41.185.8.252, 587, 65254 GridhostZA South Africa 33->73 75 reallyfreegeoip.org 104.21.64.1, 443, 49732 CLOUDFLARENETUS United States 33->75 85 Detected unpacking (changes PE section rights) 33->85 87 Detected unpacking (overwrites its own PE header) 33->87 89 Tries to steal Mail credentials (via file / registry access) 33->89 91 Tries to harvest and steal browser information (history, passwords, etc) 33->91 41 extrac32.exe 37->41         started        45 conhost.exe 37->45         started        47 ndpha.pif 37->47         started        49 conhost.exe 39->49         started        signatures14 process15 file16 69 C:\Users\Public\ndpha.pif, PE32 41->69 dropped 115 Drops PE files to the user root directory 41->115 117 Drops PE files with a suspicious file extension 41->117 signatures17
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/1b934dccc814a0d5248fa34256f192fc6e97bd322e23876bc5c751a11d0b1ed0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1b934dccc814a0d5248fa34256f192fc6e97bd322e23876bc5c751a11d0b1ed0/
Threat name:
Script-BAT.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-02-17 14:28:36 UTC
File Type:
Text
Extracted files:
1
AV detection:
8 of 24 (33.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=doju3tgicsqnkjepunbfn4ms7rxjppjsfyryo26fy5i2child3ia._file
Verdict:
malicious
Label(s):
dbatloader
Create hunting rule
unknown_loader_001
Create hunting rule
Similar samples:
1b934dccc814a0d5248fa34256f192fc6e97bd322e23876bc5c751a11d0b1ed0
DBatLoader
3f7d4827bfbe25072981dbe089ca358e317f42218d654cf31486cdf9598c16be
DBatLoader
7f4f4ef2223cbbb0414aa57e69f04a88315727dc1ce91ca24e6d27bf6f936ef1
DBatLoader
a8ad0cb7c6c4d332bc50ca8af649af8877555a79e0d4d1df3cad1ea68acd26fb
DBatLoader
b53b26656933d4ccf3c6665d5ca45ea9e9db1463bd96aa1c0a372b658db23574
DBatLoader
error
DBatLoader
f72ebfe6f11291393acec156f0f73b1eb5abf74761d5de8dd7b55839542c56af
DBatLoader
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader adware collection discovery persistence privilege_escalation spyware stealer trojan
Link:
https://tria.ge/reports/250217-rvqanszlbn/
Behaviour
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks installed software on the system
Installs/modifies Browser Helper Object
Looks up external IP address via web service
Checks computer location settings
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Boot or Logon Autostart Execution: Active Setup
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.98
Link:
https://yomi.yoroi.company/submissions/1b934dccc814a0d5248fa34256f192fc6e97bd322e23876bc5c751a11d0b1ed0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAT_DbatLoader
Create hunting rule
Author:NDA0E
Description:Detects base64 and hex encoded MZ header used by DbatLoader
Rule name:dbatloader_bat_v2
Create hunting rule
Author:RandomMalware
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:win_samsam_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments