MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 352a416f0f48684c2694968f3752d11a98ba54b7e7739d2f91d1b49782954b07. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 352a416f0f48684c2694968f3752d11a98ba54b7e7739d2f91d1b49782954b07
SHA3-384 hash: 4b54d768b6f1c75447dc0d3a9f8b5f7148306be619a4ff06939af7cd091edf513222e47a94d9119069c8da37b7dbdf7f
SHA1 hash: 27c567657f1e41fe9e3d8d46bc6ae5243fa3d0bc
MD5 hash: 9b2881f035d44765d0d5e27c542a1c62
humanhash: gee-angel-uniform-east
File name:9b2881f035d44765d0d5e27c542a1c62
Download: download sample
Signature DBatLoader
Create hunting rule
File size:830'976 bytes
First seen:2021-10-08 03:02:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 384487a869f88e6d61619b7a3f81e432 (1 x RemcosRAT, 1 x DBatLoader)
ssdeep 12288:LJNzf5G/0os4Hn6hgF8VCJ3fj9F4in4uq8Sk:vhfos4Hn8dVU3fxF4in4t8Sk
Threatray 814 similar samples on MalwareBazaar
TLSH T1D6056D7596F589B6C69326F1AC2F96980712FD40382446CB74ECF65C39327E53B3A08B
File icon (PE):PE icon
dhash icon 616110152b2b5130 (12 x RemcosRAT, 5 x Formbook, 4 x BitRAT)
Reporter zbetcheckin
Tags:32 DBatLoader exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
179
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://ailsom.ac.ug/cc.exe
Verdict:
No threats detected
Analysis date:
2021-10-07 00:44:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7c784897-2369-445c-8aa2-5effe7d8379b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/195994/
Detection(s):
Win.Trojan.Remcos-9897068-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive greyware keylogger packed remcos virus zusy
Link:
https://www.filescan.io/uploads/615fb4e898a6280f39342a15/reports/0a954661-ba2c-493d-a476-d3e831db32c5/overview
Malware family:
Remcos RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f587a658-d844-44ba-b529-008d40f77e36
Result
Threat name:
Clipboard Hijacker DBatLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/866789
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to compare user and computer (likely to detect sandboxes)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Bypass UAC via Fodhelper.exe
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Clipboard Hijacker
Yara detected DBatLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 499214 Sample: u4vXf6jibw Startdate: 08/10/2021 Architecture: WINDOWS Score: 100 63 Found malware configuration 2->63 65 Antivirus / Scanner detection for submitted sample 2->65 67 Multi AV Scanner detection for submitted file 2->67 69 3 other signatures 2->69 8 u4vXf6jibw.exe 19 2->8         started        12 fodhelper.exe 13 2->12         started        14 fodhelper.exe 13 2->14         started        16 fodhelper.exe 13 2->16         started        process3 dnsIp4 55 cdn.discordapp.com 162.159.133.233, 443, 49775, 49776 CLOUDFLARENETUS United States 8->55 57 192.168.2.1 unknown unknown 8->57 71 Detected unpacking (changes PE section rights) 8->71 73 Detected unpacking (overwrites its own PE header) 8->73 75 Uses schtasks.exe or at.exe to add and modify task schedules 8->75 77 Contains functionality to compare user and computer (likely to detect sandboxes) 8->77 18 u4vXf6jibw.exe 3 8->18         started        21 cmd.exe 1 8->21         started        23 cmd.exe 1 8->23         started        59 162.159.129.233, 443, 49777, 49828 CLOUDFLARENETUS United States 12->59 79 Antivirus detection for dropped file 12->79 81 Multi AV Scanner detection for dropped file 12->81 83 Injects a PE file into a foreign processes 12->83 25 fodhelper.exe 12->25         started        61 162.159.135.233, 443, 49780 CLOUDFLARENETUS United States 14->61 27 fodhelper.exe 14->27         started        29 fodhelper.exe 16->29         started        signatures5 process6 file7 51 C:\Users\user\AppData\...\fodhelper.exe, PE32 18->51 dropped 53 C:\Users\...\fodhelper.exe:Zone.Identifier, ASCII 18->53 dropped 31 schtasks.exe 1 18->31         started        33 reg.exe 1 21->33         started        35 conhost.exe 21->35         started        37 cmd.exe 1 23->37         started        39 conhost.exe 23->39         started        41 schtasks.exe 1 25->41         started        process8 process9 43 conhost.exe 31->43         started        45 conhost.exe 33->45         started        47 conhost.exe 37->47         started        49 conhost.exe 41->49         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/352a416f0f48684c2694968f3752d11a98ba54b7e7739d2f91d1b49782954b07/
Threat name:
Win32.Trojan.Rescoms
Create hunting rule
Status:
Malicious
First seen:
2021-10-05 11:48:44 UTC
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=guvec3ypjbueyjuus2htouwrdkmluvfx45zz2l4r2g2jpauvjmdq._file
Verdict:
malicious
Similar samples:
026668d9855f0c4aac1cb86f163e6e28569a5a4d53d0bde93ac9880a90a8225c
DBatLoader
45cbfcaef7666a834e2d71b743847e5c3eb024d3abe6d897fc81de60903de41c
DBatLoader
5c175aad872d219fa23de0c83ea085fbdca8d76601167089b4e55ee66d520276
DBatLoader
836a211bf7485ac9187eb1da2f8658070ccd27533c83c60976eac54d952bfc44
DBatLoader
ad9f923641c74fc714114423f52d1ef7d1de87e5c40c46377f2718532c0848ae
DBatLoader
c84c8a5d9ea1dbf1b5af8d75cd100faadc54a5a83ab952e1ba03068d9287b32c
DBatLoader
cea073b0df1f1c1d964c4acb6755b6002976c05a4e9a059ca7f0d26da84ecb35
DBatLoader
f096e7be6faad03bb6da7e29e30ca53031fad96265d6bfbf131a042a9d1d5b3a
DBatLoader
f76c77ec8ce93ed76e97e714bb04a010ec289f3a08c321e95ac09c4f4285b2c5
DBatLoader
f79690a1d55d2a07ff407ca6a7e74dfc8097d9c63d6fa59adc2e03c73d39290b
DBatLoader
+ 804 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/211008-dj2bxadba3/
Behaviour
Creates scheduled task(s)
Modifies registry key
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Executes dropped EXE
Unpacked files
SH256 hash:
352a416f0f48684c2694968f3752d11a98ba54b7e7739d2f91d1b49782954b07
MD5 hash:
9b2881f035d44765d0d5e27c542a1c62
SHA1 hash:
27c567657f1e41fe9e3d8d46bc6ae5243fa3d0bc
Link:
https://www.unpac.me/results/8d9d989d-a802-4980-812f-32606f2daff6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/352a416f0f48684c2694968f3752d11a98ba54b7e7739d2f91d1b49782954b07

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DBatLoader

Executable exe 352a416f0f48684c2694968f3752d11a98ba54b7e7739d2f91d1b49782954b07

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1323338/
Cape
Cape
https://www.capesandbox.com/analysis/195994/

Comments


Avatar
zbet commented on 2021-10-08 03:02:36 UTC

url : hxxp://185.215.113.77/cc.exe