MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ead932e6f21814b90aed172f2df1042d0350d37326e6504b983def8cdb237e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DBatLoader
Vendor detections: 11

SHA256 hash: 2ead932e6f21814b90aed172f2df1042d0350d37326e6504b983def8cdb237e7
SHA3-384 hash: 6981f9dcce8e60277d060bc98fac45c8c77ba35f0f3337dea8305ce7384c1893f2b750749391201b94c398d7622e0078
SHA1 hash: f0269bce7d5bd6c5d5140bc9f129bac7b274f9c9
MD5 hash: 155bfea82ba48b00cda09ec732a845cc
humanhash: robert-twelve-twelve-princess
File name: 155bfea82ba48b00cda09ec732a845cc
Signature: DBatLoader
File size: 920'576 bytes
First seen: 2022-07-25 06:49:22 UTC
Last seen: 2022-07-25 08:17:47 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: d516d5168ad28c9c6268d5dbd555a673 (3 x AveMariaRAT, 2 x RemcosRAT, 2 x DBatLoader)
ssdeep: 24576:3l5YzsDC+AbbRovDGw3Ny4EYysaxtVSn52pAf2rDNtl2aCHXvbbbbbbbbbbbbbbb:3rGJ3bNSn52KNvbbbbbbbbbbbbbbbbbn
Threatray: 1'172 similar samples on MalwareBazaar
TLSH: T1A1157C62F2B1DC32D4231A7E4D4A71A56C2E7F103A29F9862AE53D8C1FF964135293D3
TrID:
  68.5% (.OCX) Windows ActiveX control (116521/4/18)
  8.3% (.EXE) Win32 Executable Delphi generic (14182/79/4)
  7.7% (.SCR) Windows screen saver (13101/52/3)
  6.1% (.EXE) Win64 Executable (generic) (10523/12/4)
  2.6% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 27d0d8d6d6d8d023 (11 x RemcosRAT, 6 x DBatLoader, 5 x ModiLoader)
Reporter: zbetcheckin
Tags: 32 DBatLoader exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 242
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
  Creating synchronization primitives
  Creating a window
  DNS request
  Sending a custom TCP request
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
  CheckScreenResolution
  CheckCmdLine
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: greyware keylogger obfuscated packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: DBatLoader
Detection: malicious
Classification: troj
Score: 56 / 100
Signature:
  Multi AV Scanner detection for submitted file
  Yara detected DBatLoader
Threat name: Win32.Trojan.Remcos
Status: Malicious
First seen: 2022-07-24 16:47:00 UTC
File Type: PE (Exe)
Extracted files: 40
AV detection: 17 of 26 (65.38%)
Threat level: 5/5
Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour:
  Suspicious behavior: GetForegroundWindowSpam
Unpacked files
SHA256 hash: e5cee39f56c43d207f40862077d5b015e62929ff21f9de4e45c3b958c8947770
MD5 hash: 0de7dbbda445e257c9169774b9a8000b
SHA1 hash: 23ab78a6fdd513f2b3877efc92a71fe7d44db0db

SHA256 hash: 2ead932e6f21814b90aed172f2df1042d0350d37326e6504b983def8cdb237e7
MD5 hash: 155bfea82ba48b00cda09ec732a845cc
SHA1 hash: f0269bce7d5bd6c5d5140bc9f129bac7b274f9c9
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  DBatLoader | Executable exe | 2ead932e6f21814b90aed172f2df1042d0350d37326e6504b983def8cdb237e7 (this sample)

Delivery method: Distributed via web download

Comments

zbet commented on 2022-07-25 06:49:29 UTC

url : hxxp://179.43.175.187/puao/SIV-242022.exe