MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3889efa7a76c39b6e11af683fd172abea02b4a92654ffb3c79cee221d2c8b49e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3889efa7a76c39b6e11af683fd172abea02b4a92654ffb3c79cee221d2c8b49e
SHA3-384 hash: 30fb644f7d72a7dd727750a49d625db6760a50dab3c0d22b5f2ee672e8fab6b5e9e3b1dfbe0b428d0a7e0cd7541dbce3
SHA1 hash: 7e83e221d1e4b8e5e8e65d295a5ec9de91851fe2
MD5 hash: 1cee8f20bb987ee483c9341696b443ee
humanhash: rugby-virginia-sad-fillet
File name:Revised Order List.exe
Download: download sample
Signature DBatLoader
Create hunting rule
File size:1'668'608 bytes
First seen:2025-02-18 06:42:25 UTC
Last seen:2025-02-18 07:13:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 239f1224f297019b7519500ad57d76da (2 x DBatLoader, 1 x RemcosRAT, 1 x VIPKeylogger)
ssdeep 12288:YxbY/LY4EoltnP5h9sTfPQtNCk6gaKWbMS7vlASUXY+R3qOV0JJs+:QE84EOnPNsjP6NUlwSX+R3qO
Threatray 57 similar samples on MalwareBazaar
TLSH T195755AF6B15CC5F2E01223364F46A6D958FD7E223B1B9C2A2EF47E48E939542B436113
TrID 53.5% (.EXE) InstallShield setup (43053/19/16)
17.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
13.0% (.EXE) Win64 Executable (generic) (10522/11/4)
5.6% (.EXE) Win32 Executable (generic) (4504/4/1)
2.5% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
File icon (PE):PE icon
dhash icon 2836b28e8e92e465 (3 x DBatLoader, 2 x DarkCloud, 2 x VIPKeylogger)
Reporter abuse_ch
Tags:DBatLoader exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
474
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RevisedOrderList.exe
Verdict:
No threats detected
Analysis date:
2025-02-18 06:48:40 UTC
Tags:
delphi
Link:
https://app.any.run/tasks/55faf95d-b5d5-45b6-9751-baab8c44e5f3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Trojan.Sinowal-9756760-0
Create hunting rule

Win.Trojan.Modiloader-10042434-0
Create hunting rule

Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67b42d03a0fd713c335b8778
Tags:
delphi emotet
Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Verdict:
Malicious
Labled as:
TrojanDownloader.ModiLoader_AGen
Link:
https://www.hybrid-analysis.com/sample/3889efa7a76c39b6e11af683fd172abea02b4a92654ffb3c79cee221d2c8b49e
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ce3aeb7e-4a82-4702-9dcd-971ea6da53c5
Result
Threat name:
DBatLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1617711
Signature
Allocates many large memory junks
Antivirus / Scanner detection for submitted sample
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Yara detected DBatLoader
Behaviour
Behavior Graph:
Download SVG
Score:
92%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3889efa7a76c39b6e11af683fd172abea02b4a92654ffb3c79cee221d2c8b49e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3889efa7a76c39b6e11af683fd172abea02b4a92654ffb3c79cee221d2c8b49e/
Threat name:
Win32.Trojan.ModiLoader
Create hunting rule
Status:
Malicious
First seen:
2025-02-18 06:43:15 UTC
File Type:
PE (Exe)
Extracted files:
44
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hce67j5hnq43nyi262b72fzkx2qcwsusmvh7wpdzz3rcduwiwspa._file
Verdict:
malicious
Label(s):
dbatloader
Create hunting rule
Similar samples:
1b934dccc814a0d5248fa34256f192fc6e97bd322e23876bc5c751a11d0b1ed0
DBatLoader
3f7d4827bfbe25072981dbe089ca358e317f42218d654cf31486cdf9598c16be
DBatLoader
64f5db0e506c5eb6e017743991cdc6d015737d6776100b0a9906f0256e42ee6f
DBatLoader
7f4f4ef2223cbbb0414aa57e69f04a88315727dc1ce91ca24e6d27bf6f936ef1
DBatLoader
820a12d9d465245b47965d8d82101411b57fdb064e89322a84bf9a0f5599254f
DBatLoader
829c1085c285c81e564ad392ff0b37622ae962a08e237a68f8960f9ddf1eac2e
DBatLoader
a8ad0cb7c6c4d332bc50ca8af649af8877555a79e0d4d1df3cad1ea68acd26fb
DBatLoader
b53b26656933d4ccf3c6665d5ca45ea9e9db1463bd96aa1c0a372b658db23574
DBatLoader
e5c3febab37a06659361fbfb93aff167b685270ba63a71a86fa9892379abfbf3
DBatLoader
error
DBatLoader
f72ebfe6f11291393acec156f0f73b1eb5abf74761d5de8dd7b55839542c56af
DBatLoader
+ 47 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader discovery trojan
Link:
https://tria.ge/reports/250218-hgzshszj15/
Behaviour
Program crash
System Location Discovery: System Language Discovery
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Verdict:
Malicious
Tags:
Win.Trojan.Sinowal-9756760-0
YARA:
n/a
Link:
https://app.threat.zone/submission/88b3865d-3e39-4ff7-b9ce-daf79620cf37
Unpacked files
SH256 hash:
3889efa7a76c39b6e11af683fd172abea02b4a92654ffb3c79cee221d2c8b49e
MD5 hash:
1cee8f20bb987ee483c9341696b443ee
SHA1 hash:
7e83e221d1e4b8e5e8e65d295a5ec9de91851fe2
Link:
https://www.unpac.me/results/d2f5476e-bcf6-43ba-9c1e-12c37f44d46d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/3889efa7a76c39b6e11af683fd172abea02b4a92654ffb3c79cee221d2c8b49e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
MULTIMEDIA_APICan Play Multimediaglu32.dll::gluQuadricDrawStyle
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryExA
kernel32.dll::LoadLibraryA
kernel32.dll::GetStartupInfoA
kernel32.dll::GetDiskFreeSpaceA
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::FindFirstFileA
version.dll::GetFileVersionInfoSizeA
version.dll::GetFileVersionInfoA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::FindWindowA
user32.dll::PeekMessageA
user32.dll::PeekMessageW
user32.dll::CreateWindowExA

Comments