MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 310fef60a83b23ae386a9fd256ee6025493365aa9233a69446f63519e1f6a2e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 310fef60a83b23ae386a9fd256ee6025493365aa9233a69446f63519e1f6a2e4
SHA3-384 hash: 1b0c14ab0d55d5c98af8b4378433412e05f860760c78f9611f6965e3b03e05ad3bf8af49d02818f9e614ecb92fd632e1
SHA1 hash: 449b576eea3278e5b83203c3d1a0b841a019a973
MD5 hash: e7fbc01f303e7ab6f5279ecf88963a26
humanhash: pip-twelve-chicken-sodium
File name:Seprrgqgdrspec.exe
Download: download sample
Signature DBatLoader
Create hunting rule
File size:1'315'328 bytes
First seen:2023-10-26 07:10:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b4498ed238a5d5d6510e036e3bb29986 (8 x DBatLoader, 1 x AgentTesla)
ssdeep 24576:bKuO345cRv/kabphVsJhfYPzyB+4Buxrhre0Qqd/0hkEBS/:bLysS24mwe0RMkEe
Threatray 3'646 similar samples on MalwareBazaar
TLSH T11255E062F25144B5F03716396C2B5F0EDF18AE2929A9291F17FD7E540F3264335AE0B2
TrID 36.1% (.SCR) Windows screen saver (13097/50/3)
29.0% (.EXE) Win64 Executable (generic) (10523/12/4)
12.4% (.EXE) Win32 Executable (generic) (4505/5/1)
5.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
5.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 2a666013d6d253ac (12 x DBatLoader, 1 x AgentTesla, 1 x RemcosRAT)
Reporter abuse_ch
Tags:DBatLoader exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
289
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Seprrgqgdrspec.exe
Verdict:
Malicious activity
Analysis date:
2023-10-26 07:18:24 UTC
Tags:
dbatloader
Link:
https://app.any.run/tasks/7cbcccb7-93a5-44a7-b342-47b2576493f3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/456483/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.45850.32153.9700.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Creating a process with a hidden window
Searching for the window
Launching cmd.exe command interpreter
Setting browser functions hooks
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control keylogger lolbin overlay packed remcos
Link:
https://www.filescan.io/uploads/653a11050ca0b018516fbb5c/reports/a1477ac5-e94b-4d94-aff6-132f3db2ac68/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/310fef60a83b23ae386a9fd256ee6025493365aa9233a69446f63519e1f6a2e4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dbatloader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ab326836-4132-42cf-8efa-566e12e1b72a
Result
Threat name:
DBatLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1332473
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1332473 Sample: Seprrgqgdrspec.exe Startdate: 26/10/2023 Architecture: WINDOWS Score: 100 23 web.fe.1drv.com 2->23 25 phi4uq.bn.files.1drv.com 2->25 27 2 other IPs or domains 2->27 29 Found malware configuration 2->29 31 Malicious sample detected (through community Yara rule) 2->31 33 Antivirus detection for URL or domain 2->33 35 5 other signatures 2->35 7 Seprrgqg.PIF 2->7         started        10 Seprrgqgdrspec.exe 1 2 2->10         started        signatures3 process4 file5 37 Multi AV Scanner detection for dropped file 7->37 39 Machine Learning detection for dropped file 7->39 13 WerFault.exe 21 7->13         started        15 colorcpl.exe 2 7->15         started        21 C:\Users\Public\Libraries\Seprrgqg.PIF, PE32 10->21 dropped 41 Drops PE files with a suspicious file extension 10->41 17 WerFault.exe 21 16 10->17         started        19 SndVol.exe 10->19         started        signatures6 process7
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/310fef60a83b23ae386a9fd256ee6025493365aa9233a69446f63519e1f6a2e4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/310fef60a83b23ae386a9fd256ee6025493365aa9233a69446f63519e1f6a2e4/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2023-10-24 08:00:16 UTC
File Type:
PE (Exe)
Extracted files:
46
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=geh66yfihmr24odkt7jfn3taevetgznksiz2nfcg6y2rtypwulsa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0348b7181e838a339237fade5062e7670e6fdf2ccca4814ae7f97acec60cb8b2
DBatLoader
0e8a32d068ae867e5296c365c837f273bcd56c48ce93130bb501c25d8e558f39
DBatLoader
36ea5e98f9aa4987174b4edb33c937f9091f1e06fd370f7f8e66da700700539f
DBatLoader
6b390b01eb98d6376430626d51e2745f1a4f57cf89b9b6cfb81f968d44af09c8
DBatLoader
90f18e453ea2b0c1fa4d84d95499ab3bfd11db81a54caa2702cd3749f62c9dec
DBatLoader
91f1a226a3292136ecb9c39419efb66cea0fe98bcb79833e7887ed402fb442ae
DBatLoader
ac00251b8ba5b7bd219bb23bb5134a11f1215d19aaa0915e5a00d7906906b19a
DBatLoader
c6ae0cc92e8dcd2728ac13d76ec9c98b4a84d7ff78f4c2f7dbee2125e54aba56
DBatLoader
dae2da978ef889f28bb96b4b9f0519f4d04a62517bbefc55320ea8d81c70e3e8
DBatLoader
+ 3'636 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader persistence trojan
Link:
https://tria.ge/reports/231026-hzfscseh3z/
Behaviour
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
ModiLoader Second Stage
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
752cdefa4d8dadc649befe2f82ea245047b147521bc8df82b301965034625383
MD5 hash:
29aa95c91c6cab874de1fdb3c1625040
SHA1 hash:
dcfbe9f374308358add41cc4a2de862ca47cc7b4
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/7e398dc7-2e2a-4302-9274-1149b7973627/
SH256 hash:
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
MD5 hash:
c116d3604ceafe7057d77ff27552c215
SHA1 hash:
452b14432fb5758b46f2897aeccd89f7c82a727d
Link:
https://www.unpac.me/results/7e398dc7-2e2a-4302-9274-1149b7973627/
SH256 hash:
310fef60a83b23ae386a9fd256ee6025493365aa9233a69446f63519e1f6a2e4
MD5 hash:
e7fbc01f303e7ab6f5279ecf88963a26
SHA1 hash:
449b576eea3278e5b83203c3d1a0b841a019a973
Link:
https://www.unpac.me/results/7e398dc7-2e2a-4302-9274-1149b7973627/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/310fef60a83b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DBatLoader

Executable exe 310fef60a83b23ae386a9fd256ee6025493365aa9233a69446f63519e1f6a2e4

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/456483/

Comments