MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b8a0887d7a1d88c1ad194c81e73b31d3312d05435d595fe189a9ea06bbfe6e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3b8a0887d7a1d88c1ad194c81e73b31d3312d05435d595fe189a9ea06bbfe6e2
SHA3-384 hash: 47ec74ac7edfa4f30f88c94a4a55d62ab68d825e8ab1292db755ba659e0b4ca0ce146df1d9920236120d5b09456271ef
SHA1 hash: d84b4b09af1b3c08cad9ddbf745dc3c27857a56f
MD5 hash: 3453b44b06dc190e4eccca68a8ce0cd0
humanhash: burger-glucose-cup-juliet
File name:file
Download: download sample
Signature DBatLoader
Create hunting rule
File size:596'992 bytes
First seen:2022-10-02 09:40:05 UTC
Last seen:2022-10-03 13:10:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 09c042bdee297ff19a7c3e76c0267374 (1 x DBatLoader, 1 x FormBook)
ssdeep 12288:c8WkhRLHuTnv9b/EYXrUhNV257IzYFHl6pbZe:cHcHuTnbXr/GQ4pbZe
Threatray 188 similar samples on MalwareBazaar
TLSH T183C48E26E6D18432D32315788D47DBACA81DBEA13D646C4A7BE60C4C4FB47C2386DB97
TrID 93.9% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
2.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.8% (.SCR) Windows screen saver (13101/52/3)
0.6% (.EXE) Win32 Executable (generic) (4505/5/1)
0.4% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon b27171094971b296 (1 x ArkeiStealer, 1 x DBatLoader)
Reporter andretavare5
Tags:DBatLoader exe


Avatar
andretavare5
Sample downloaded from https://vk.com/doc527785675_645295113?hash=Fv1X83A04wNk6zhQ66sKZ7MBmTb8VzNtzLNDZP4HV9D&dl=GUZDONZYGU3DONI:1664703398:F9KouWR2H7aCqoagL0lZpO880Yfg4vzTzcHwhPJX3CT&api=1&no_preview=1#new

Intelligence

File Origin
# of uploads :
786
# of downloads :
282
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
installer.exe
Verdict:
Malicious activity
Analysis date:
2022-10-03 03:09:50 UTC
Tags:
trojan evasion redline opendir socelars stealer loader rat
Link:
https://app.any.run/tasks/0f782c3a-ff1f-4d6a-b2e0-6795422d030c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/315706/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.150270.29353.10639.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file in the system32 subdirectories
Creating a file
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Reading critical registry keys
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/40606/overview
Behaviour
MalwareBazaar
CheckCmdLine
Gathering data
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2e37362e-c5e4-4815-a81a-5f5e7ac74431
Result
Threat name:
DBatLoader, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1081852
Signature
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected DBatLoader
Yara detected RedLine Stealer
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3b8a0887d7a1d88c1ad194c81e73b31d3312d05435d595fe189a9ea06bbfe6e2/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-10-02 09:41:10 UTC
File Type:
PE (Exe)
Extracted files:
44
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hofarb6xuhmiygwrsteb445tduzrfucugxkzl7qytkpka25743ra._file
Verdict:
malicious
Similar samples:
1baf63a128c8adbb4598a456ddcb81b33042e06f9cdb99e51448643b6f88cc6d
DBatLoader
23cfd8c9a0984ddedc9c97cb9effaf1998bb44110a4c490924109a2f0bbbda02
DBatLoader
7889fbae0f292b70c50119b5069bb64425189c59c818336bb49c9c5638edbe03
DBatLoader
84bdcbcb4f0c101eaf448ef5c1d727590b3a35e08a9fd94cc21b500760c8d172
DBatLoader
91d68196a794e6e1212c23ab237cf1732ee2f52d4528c61c001c0fd30f3b6351
DBatLoader
a1668f4b671e72fda01c78b60d66c9fe626e4c40d89bb49581764b0dd516200c
DBatLoader
+ 178 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader discovery spyware stealer trojan
Link:
https://tria.ge/reports/221002-lnrl9shfg2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
ModiLoader Second Stage
ModiLoader, DBatLoader
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ec8756ff-8e0e-433e-9cff-ee8014f6d968
Unpacked files
SH256 hash:
3b8a0887d7a1d88c1ad194c81e73b31d3312d05435d595fe189a9ea06bbfe6e2
MD5 hash:
3453b44b06dc190e4eccca68a8ce0cd0
SHA1 hash:
d84b4b09af1b3c08cad9ddbf745dc3c27857a56f
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/4b8aee24-7e76-457d-9cb2-ed9fe565bfa7/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3b8a0887d7a1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Redline
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3b8a0887d7a1d88c1ad194c81e73b31d3312d05435d595fe189a9ea06bbfe6e2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/315706/

Comments