MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 2c2879d0a240d8b0efe364979880766b7422c12f0d2a96900a8bbb71f61f8685. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
DBatLoader
Vendor detections: 8
| SHA256 hash: | 2c2879d0a240d8b0efe364979880766b7422c12f0d2a96900a8bbb71f61f8685 |
|---|---|
| SHA3-384 hash: | a32a894e900284471d1185d92d227442e86439f4464e0997ba04c8f4b948b43fea48bdc0ac36dfd4b36808fd28632330 |
| SHA1 hash: | 6b119e1a5e01a06be66f34701dbc3cccf7c2555a |
| MD5 hash: | be888c1cc87620db06c48dd85f347f9e |
| humanhash: | coffee-wyoming-network-october |
| File name: | Quotation.rar |
| Download: | download sample |
| Signature | DBatLoader |
| File size: | 1'099'312 bytes |
| First seen: | 2025-10-14 07:57:31 UTC |
| Last seen: | Never |
| File type: | rar |
| MIME type: | application/x-rar |
| ssdeep | 24576:MWonJu4e1uE219PdTPKK+0Qqm4ITP18lO7AQoBg2:cuDA5fdTyx0QwO18wQ |
| TLSH | T13835334A08A1DFB596D438361FCD8C2E87A0511696378EBFDADB9307C3527B11B039E9 |
| TrID | 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1) |
| Magika | rar |
| Reporter |  cocaman |
| Tags: | DBatLoader QUOTATION rar |
cocaman
Malicious email (T1566.001)From: "Adisa Ibrahimagic <adisa.ibrahimagic@natura-food.de>" (likely spoofed)
Received: "from natura-food.de (unknown [172.245.93.99]) "
Date: "12 Oct 2025 17:20:03 -0700"
Subject: "Request for Quotation"
Attachment: "Quotation.rar"
Intelligence
File Origin
# of uploads :
1
# of downloads :
40
Origin country :
CHFile Archive Information
This file archive contains 1 file(s), sorted by their relevance:
| File name: | Quotation.exe |
|---|---|
| File size: | 1'695'232 bytes |
| SHA256 hash: | ade2283b9bf50c48d8da2aa2d782e4b152bc13b4fc1665f665a55518d426a42a |
| MD5 hash: | ca6569d38af7047c7df4a70c97236248 |
| MIME type: | application/x-dosexec |
| Signature | DBatLoader |
Vendor Threat Intelligence
Verdict:
Malicious
Score:
97.4%
Tags:
autorun delphi emotet
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
anti-debug borland_delphi fingerprint keylogger overlay overlay packed zero
Verdict:
Malicious
Labled as:
Trojan.Downloader
Verdict:
Malicious
File Type:
rar
First seen:
2025-10-13T03:02:00Z UTC
Last seen:
2025-10-16T00:09:00Z UTC
Hits:
~10
Verdict:
inconclusive
YARA:
1 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Rar Archive
Threat name:
Win32.Backdoor.Remcos
Status:
Malicious
First seen:
2025-10-12 22:18:47 UTC
File Type:
Binary (Archive)
Extracted files:
48
AV detection:
24 of 38 (63.16%)
Threat level:
5/5
Detection(s):
Suspicious file
Result
Malware family:
modiloader
Score:
10/10
Tags:
family:modiloader collection discovery execution persistence trojan
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Looks up external IP address via web service
Executes dropped EXE
Detected Nirsoft tools
ModiLoader Second Stage
NirSoft MailPassView
ModiLoader, DBatLoader
Modiloader family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | BobSoftMiniDelphiBoBBobSoft |
|---|---|
| Author: | malware-lu |
| Rule name: | Borland |
|---|---|
| Author: | malware-lu |
| Rule name: | CP_Script_Inject_Detector |
|---|---|
| Author: | DiegoAnalytics |
| Description: | Detects attempts to inject code into another process across PE, ELF, Mach-O binaries |
| Rule name: | golang_bin_JCorn_CSC846 |
|---|---|
| Author: | Justin Cornwell |
| Description: | CSC-846 Golang detection ruleset |
| Rule name: | HUNTING_SUSP_TLS_SECTION |
|---|---|
| Author: | chaosphere |
| Description: | Detect PE files with .tls section that can be used for anti-debugging |
| Reference: | Practical Malware Analysis - Chapter 16 |
| Rule name: | INDICATOR_EXE_Packed_MPress |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables built or packed with MPress PE compressor |
| Rule name: | pe_detect_tls_callbacks |
|---|
| Rule name: | shellcode |
|---|---|
| Author: | nex |
| Description: | Matched shellcode byte patterns |
| Rule name: | TeslaCryptPackedMalware |
|---|
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
DBatLoader
rar 2c2879d0a240d8b0efe364979880766b7422c12f0d2a96900a8bbb71f61f8685
(this sample)
exe Delivery method
Distributed via e-mail attachment
Dropping
DBatLoader
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.