MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c031e5ad00a53c0138ec05e36045979a920dfabeed6751292c59b695af80291. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DBatLoader

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	1c031e5ad00a53c0138ec05e36045979a920dfabeed6751292c59b695af80291
SHA3-384 hash:	546050e335755504fbad3251747880062d8161b88e2eb91a2831909160b6b8ac6861cfcf7e8c0ccc1caeba22e6ff8dcf
SHA1 hash:	8f7ab83a90ad9ccfe9b8e046853efdee8da5a4e1
MD5 hash:	34562a81ee08af32bd695919af94c833
humanhash:	batman-bakerloo-ohio-mountain
File name:	fil.exe
Download:	download sample
Signature	DBatLoader Create hunting rule
File size:	1'026'560 bytes
First seen:	2022-01-19 13:17:31 UTC
Last seen:	2022-01-19 19:21:01 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9277af176d806a0016d6f2aea1e276c8 (2 x Formbook, 1 x DBatLoader)
ssdeep	24576:xx5RK+onXkmS7OR6gPSshzLnDyXranXKT7vMGe:xx5M+Sbos9LDg
Threatray	8 similar samples on MalwareBazaar
TLSH	T1E025AE23F1D08833D0771A784C1BA7E95926BE102E2C798B7BE47E0C5E366617539E87
File icon (PE):
dhash icon	7cf6b6aa8ed8e8b4 (18 x Formbook, 8 x DBatLoader, 7 x AveMariaRAT)
Reporter	JAMESWT_WT
Tags:	20_51_217_113 DBatLoader exe

Intelligence

File Origin

# of uploads :

# of downloads :

181

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SPAM.zip

Verdict:

Malicious activity

Analysis date:

2022-01-19 13:19:49 UTC

Tags:

opendir loader trojan stealer rat avemaria

Link:

https://app.any.run/tasks/c1cb1c82-3ea0-485d-ab55-95df86382211

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/220623/

Detection(s):

PUA.Win.Adware.Dealply-6528161-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

DNS request

Sending a custom TCP request

Creating a file in the system32 subdirectories

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Creating a file

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/4740/overview

Behaviour

MalwareBazaar

CheckScreenResolution

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control.exe keylogger packed remcos replace.exe strictor

Link:

https://www.filescan.io/uploads/61e80f910f8c757253cc7d28/reports/f03d7134-4915-404f-95eb-1131e9d69039/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3a0cfc83-4afb-46f1-a519-500ecc28dc94

Result

Threat name:

DBatLoader

Detection:

malicious

Classification:

troj.evad

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/923472

Signature

Detected unpacking (overwrites its own PE header)

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Yara detected DBatLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1c031e5ad00a53c0138ec05e36045979a920dfabeed6751292c59b695af80291/

Threat name:

Win32.Backdoor.Remcos

Status:

Malicious

First seen:

2022-01-19 13:18:15 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 27 (81.48%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dqbr4wwqbjj4ae4oybpdmbczpgusbx5l53lhkeusywnwswxyakiq._file

Verdict:

malicious

DBatLoader

34400bb7662a1aa0865f6ec06892fff142dd3ff8d09464141f75a96a42724493

DBatLoader

71cf991b9060d1fcefd467162ecfe99c89c47da31d29489e299f7bec73d56a83

DBatLoader

8865c82943ba3a6479fca40222a730e22e3d1cd279c6c6e0915c5c47f893636a

DBatLoader

a7d0cff6a05994c0ae576fa842e44a101879317f62466923f1d96adee2c4a898

DBatLoader

b8ff5642173ea1664b856f47468ebf4778be3154b7b0a6bfa6a0950f51973c69

DBatLoader

fccbac4760c07819a29dbf1df5d06aa8de89f34cf41b77913e6c2d3fbe578060

DBatLoader

Result

Malware family:

n/a

Score:

10/10

Tags:

n/a

Link:

https://tria.ge/reports/220119-qjyx1aaban/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of NtCreateProcessExOtherParentProcess

Unpacked files

SH256 hash:

178ab3315a2bc29e61be0eb6b83970cf622588ca90ce0905e6c2138630163905

MD5 hash:

8f8384a01bbffb026083df6001364525

SHA1 hash:

6c448d033354841722b7c2807f0ee9e9831ddbe4

Detections:

win_dbatloader_w0

Link:

https://www.unpac.me/results/f7918592-449d-4040-810c-afbc9248d21f/

Parent samples :

5373c20a65136de3e43b1e86b9fa37baff682541089164b4be57318bb9a52291
a7017af2c60c1c5bc06d07f88e12d3b471a8787e233969d92ac6048d303cd682
1c031e5ad00a53c0138ec05e36045979a920dfabeed6751292c59b695af80291
6801e72d76e2131ff91a42e054fdcf34f0c024e203b1e314beefe8dee734acf2
69c7e7d8730b4998b848f2731fa5b3db7783c390d23daebb00e02cbc5a53205e
112bdfee4547b7d7d8cb4fdc7a47021a17e164441ca10f4177bcf9980a46d89c

SH256 hash:

1c031e5ad00a53c0138ec05e36045979a920dfabeed6751292c59b695af80291

MD5 hash:

34562a81ee08af32bd695919af94c833

SHA1 hash:

8f7ab83a90ad9ccfe9b8e046853efdee8da5a4e1

Link:

https://www.unpac.me/results/f7918592-449d-4040-810c-afbc9248d21f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/1c031e5ad00a53c0138ec05e36045979a920dfabeed6751292c59b695af80291

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DBatLoader

exe 1c031e5ad00a53c0138ec05e36045979a920dfabeed6751292c59b695af80291

(this sample)

Cape

https://www.capesandbox.com/analysis/220623/

URLhaus

https://urlhaus.abuse.ch/url/1989792/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample