MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39c0a473f81e896be3788cf688247193f2f59249e3186d09afab08c5b17fdebe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 15


Intelligence 15 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 39c0a473f81e896be3788cf688247193f2f59249e3186d09afab08c5b17fdebe
SHA3-384 hash: 468f4d275fd3651eb77e7edc26684172869ea955caa195fb18b49257ddf6825fe75b401f4d280f59d25a8084f353f6f5
SHA1 hash: 4cb8d12b7c97e6d37ca852049c4f69aba19517b7
MD5 hash: 1cd2cd9b386688c2dc50b4c979a66d42
humanhash: colorado-pip-fifteen-island
File name:rSripipat_pdf.exe
Download: download sample
Signature DBatLoader
Create hunting rule
File size:1'589'248 bytes
First seen:2025-03-04 03:00:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1ece5c354e731a6e7473f3666b294405 (1 x DBatLoader)
ssdeep 24576:fbpmw7pz/HaOOhunQ+lmVOrbutK4Kod01MLQfoKxCQouCMX0CrEBF+hl:fV7MutBrypdaMLQAKoQrCO0PBF+T
Threatray 30 similar samples on MalwareBazaar
TLSH T12375AC23B39C843BD36205FBDA09F19C1419EA3C271D680536856B88FAA73FC77651E6
TrID 35.4% (.EXE) Win64 Executable (generic) (10522/11/4)
22.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.1% (.EXE) Win32 Executable (generic) (4504/4/1)
6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon 6c7212f0cc696116 (3 x DBatLoader, 2 x RemcosRAT)
Reporter FXOLabs
Tags:DBatLoader exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
472
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
rSripipat_pdf.exe
Verdict:
Malicious activity
Analysis date:
2025-03-04 03:42:36 UTC
Tags:
delphi dbatloader loader stealer evasion
Link:
https://app.any.run/tasks/cf502d9a-9fc1-4b04-a615-13624a8bc07f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Trojan.Modiloader-10042434-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67c66d4fc8d04e92a4bece3b
Tags:
underscore delphi emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Changing a file
Creating a file in the %AppData% subdirectories
Reading critical registry keys
DNS request
Connection attempt
Sending an HTTP GET request
Searching for the window
Сreating synchronization primitives
Creating a window
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a process from a recently created file
Creating a file in the %temp% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context borland_delphi fingerprint keylogger masquerade obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/67c66cc83c5f644bd9417a0f/reports/02f537cc-8bfb-4f76-8648-b378494ac3db/overview
Verdict:
Malicious
Labled as:
Jaik.Generic
Link:
https://www.hybrid-analysis.com/sample/39c0a473f81e896be3788cf688247193f2f59249e3186d09afab08c5b17fdebe
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5af2a0b3-6bb3-40e8-a5a6-d005dc918292
Result
Threat name:
DBatLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1628752
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files with a suspicious file extension
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected DBatLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1628752 Sample: rSripipat_pdf.exe Startdate: 04/03/2025 Architecture: WINDOWS Score: 100 42 api.telegram.org 2->42 44 showip.net 2->44 56 Suricata IDS alerts for network traffic 2->56 58 Antivirus / Scanner detection for submitted sample 2->58 60 Multi AV Scanner detection for submitted file 2->60 64 7 other signatures 2->64 8 rSripipat_pdf.exe 1 8 2->8         started        12 Pzzihsps.PIF 2->12         started        14 Pzzihsps.PIF 2->14         started        signatures3 62 Uses the Telegram API (likely for C&C communication) 42->62 process4 file5 32 C:\Users\Public\Libraries\spshizzP.pif, PE32 8->32 dropped 34 C:\Users\Public\Libraries\Pzzihsps.PIF, PE32 8->34 dropped 36 C:\Users\Public\Pzzihsps.url, MS 8->36 dropped 66 Drops PE files with a suspicious file extension 8->66 68 Writes to foreign memory regions 8->68 70 Allocates memory in foreign processes 8->70 72 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 8->72 16 spshizzP.pif 49 8->16         started        20 cmd.exe 2 8->20         started        22 cmd.exe 1 8->22         started        74 Antivirus detection for dropped file 12->74 76 Multi AV Scanner detection for dropped file 12->76 78 Sample uses process hollowing technique 12->78 24 spshizzP.pif 44 12->24         started        26 spshizzP.pif 14->26         started        signatures6 process7 dnsIp8 38 api.telegram.org 149.154.167.220, 443, 49746, 49808 TELEGRAMRU United Kingdom 16->38 40 showip.net 162.55.60.2, 49704, 49740, 49788 ACPCA United States 16->40 46 Detected unpacking (changes PE section rights) 16->46 48 Detected unpacking (overwrites its own PE header) 16->48 50 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->50 28 conhost.exe 20->28         started        30 conhost.exe 22->30         started        52 Tries to steal Mail credentials (via file / registry access) 26->52 54 Tries to harvest and steal browser information (history, passwords, etc) 26->54 signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/39c0a473f81e896be3788cf688247193f2f59249e3186d09afab08c5b17fdebe
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/39c0a473f81e896be3788cf688247193f2f59249e3186d09afab08c5b17fdebe/
Threat name:
Win32.Trojan.Multiverze
Create hunting rule
Status:
Malicious
First seen:
2025-03-04 01:52:27 UTC
File Type:
PE (Exe)
Extracted files:
42
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hhaki47yd2ewxy3yrt3iqjdrspzplesj4mmg2cnpvmemlml7327a._file
Verdict:
malicious
Label(s):
dbatloader
Create hunting rule
darkcloudstealer
Create hunting rule
Similar samples:
093f9c611518f42f00826d8134b4860080b690678b27a469a33a529f7706b87f
DBatLoader
35a7bd598740e266427ddd1a02113ebf709cf557d0f6f757f3a6404dd42178ce
DBatLoader
36f19ccdfa20772ebeb1c2a89e0edd174465f5ac697323b4ab05c2a46ec1a1a7
DBatLoader
39c0a473f81e896be3788cf688247193f2f59249e3186d09afab08c5b17fdebe
DBatLoader
49ac8f158943c6dc683a74e3129b6d3a146fb853f51ea42207038fdadaf641bd
DBatLoader
64f5db0e506c5eb6e017743991cdc6d015737d6776100b0a9906f0256e42ee6f
DBatLoader
829c1085c285c81e564ad392ff0b37622ae962a08e237a68f8960f9ddf1eac2e
DBatLoader
8c4334177584d7aee981ada042ff60124cd81a2e51e7c1514f7e2dd22f9335b4
DBatLoader
e02d511a093b40e200d2880daa023aa48f35bd0efd3bc314bbc810beac48ca22
DBatLoader
e5c3febab37a06659361fbfb93aff167b685270ba63a71a86fa9892379abfbf3
DBatLoader
error
DBatLoader
+ 20 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader discovery persistence spyware stealer trojan
Link:
https://tria.ge/reports/250304-dhgwwaxwgt/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Verdict:
Malicious
Tags:
Win.Trojan.Modiloader-10042434-0
YARA:
n/a
Link:
https://app.threat.zone/submission/11707208-9870-479c-9688-916e208c44c8
Unpacked files
SH256 hash:
39c0a473f81e896be3788cf688247193f2f59249e3186d09afab08c5b17fdebe
MD5 hash:
1cd2cd9b386688c2dc50b4c979a66d42
SHA1 hash:
4cb8d12b7c97e6d37ca852049c4f69aba19517b7
Link:
https://www.unpac.me/results/7ace6770-35d5-49a3-be03-4463068be058/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/39c0a473f81e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/39c0a473f81e896be3788cf688247193f2f59249e3186d09afab08c5b17fdebe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:ProtectSharewareV11eCompservCMS
Create hunting rule
Author:malware-lu
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vba
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:Windows_Trojan_DarkCloud_9905abce
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DBatLoader

Executable exe 39c0a473f81e896be3788cf688247193f2f59249e3186d09afab08c5b17fdebe

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryExA
kernel32.dll::LoadLibraryW
kernel32.dll::LoadLibraryA
kernel32.dll::GetStartupInfoA
kernel32.dll::GetDiskFreeSpaceA
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::FindFirstFileA
version.dll::GetFileVersionInfoSizeA
version.dll::GetFileVersionInfoA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::FindWindowA
user32.dll::PeekMessageA
user32.dll::PeekMessageW
user32.dll::CreateWindowExA

Comments