MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e3798f94fc50fdcab5042caab7564b3ee47aaa0a9472a34b9b0a8218bd1b471. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 14


Intelligence 14 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3e3798f94fc50fdcab5042caab7564b3ee47aaa0a9472a34b9b0a8218bd1b471
SHA3-384 hash: d8ca327ca8562b0a38ae9ef6f5922cbd863c90dc08ec584aca3e11c3b86e12e0963181e8e32fba88577418c152c30afd
SHA1 hash: 5cbe4fe011d4c35f342199e70a9e0e5c6a56e4ae
MD5 hash: 12f4eb81b904b739d781f739b69ca683
humanhash: delaware-lion-georgia-carbon
File name:SHIPPING-DOCS.exe
Download: download sample
Signature DBatLoader
Create hunting rule
File size:2'713'088 bytes
First seen:2023-11-07 18:50:40 UTC
Last seen:2023-11-07 20:27:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cd4c9aaa1a9827538687e74814589bd (10 x DBatLoader, 1 x Formbook)
ssdeep 49152:7xWIu4XYOtRwohuzcMwF5yNkr+eHlBJ/k2IDZA9RC0d3:7UIkOAxcMEyNkrzpDWe
Threatray 29 similar samples on MalwareBazaar
TLSH T19AC5E132E25124F3D272593DEF1A16D4183DBA722D1C6743AFA73D6C0E346B47A162B2
TrID 36.1% (.SCR) Windows screen saver (13097/50/3)
29.0% (.EXE) Win64 Executable (generic) (10523/12/4)
12.4% (.EXE) Win32 Executable (generic) (4505/5/1)
5.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
5.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 74f4d4d4cc8cdcc4 (12 x DBatLoader, 1 x Formbook)
Reporter lowmal3
Tags:DBatLoader exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
335
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.5892.11593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Sending a custom TCP request
Gathering data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control greyware keylogger lolbin masquerade packed replace
Link:
https://www.filescan.io/uploads/654a87173b0c3d6626073085/reports/b48efa2a-38e5-4013-8573-503fe70e52a6/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/3e3798f94fc50fdcab5042caab7564b3ee47aaa0a9472a34b9b0a8218bd1b471
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
IEInspector Software
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/f6338f1f-ec93-4b3f-97a2-b9a9583d4850
Result
Threat name:
AgentTesla, DBatLoader, RedLine, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1338462
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected DBatLoader
Yara detected RedLine Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1338462 Sample: SHIPPING-DOCS.exe Startdate: 07/11/2023 Architecture: WINDOWS Score: 100 71 web.fe.1drv.com 2->71 73 w0plpa.sn.files.1drv.com 2->73 75 3 other IPs or domains 2->75 79 Found malware configuration 2->79 81 Malicious sample detected (through community Yara rule) 2->81 83 Antivirus detection for dropped file 2->83 85 9 other signatures 2->85 12 SHIPPING-DOCS.exe 1 8 2->12         started        16 Cqsuteei.PIF 2->16         started        18 Cqsuteei.PIF 2->18         started        signatures3 process4 file5 61 C:\Users\Public\Libraries\netutils.dll, PE32+ 12->61 dropped 63 C:\Users\Public\Libraries\ieetusqC.pif, PE32 12->63 dropped 65 C:\Users\Public\Libraries\easinvoker.exe, PE32+ 12->65 dropped 67 C:\Users\Public\Libraries\Cqsuteei.PIF, PE32 12->67 dropped 109 Drops PE files with a suspicious file extension 12->109 111 Writes to foreign memory regions 12->111 113 Allocates memory in foreign processes 12->113 20 cmd.exe 1 12->20         started        23 ieetusqC.pif 2 12->23         started        115 Multi AV Scanner detection for dropped file 16->115 26 ieetusqC.pif 16->26         started        28 ieetusqC.pif 18->28         started        signatures6 process7 dnsIp8 87 Uses ping.exe to sleep 20->87 89 Drops executables to the windows directory (C:\Windows) and starts them 20->89 91 Uses ping.exe to check the status of other devices and networks 20->91 30 easinvoker.exe 20->30         started        32 PING.EXE 1 20->32         started        35 xcopy.exe 2 20->35         started        38 8 other processes 20->38 77 terminal7.veeblehosting.com 185.56.136.50, 49734, 49741, 49745 SECUREDSERVERS-EU Malta 23->77 93 Detected unpacking (changes PE section rights) 23->93 95 Detected unpacking (overwrites its own PE header) 23->95 97 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->97 99 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 23->99 101 Tries to steal Mail credentials (via file / registry access) 28->101 103 Tries to harvest and steal browser information (history, passwords, etc) 28->103 signatures9 process10 dnsIp11 40 cmd.exe 1 30->40         started        43 SIHClient.exe 30->43         started        69 127.0.0.1 unknown unknown 32->69 45 conhost.exe 32->45         started        57 C:\Windows \System32\easinvoker.exe, PE32+ 35->57 dropped 59 C:\Windows \System32\netutils.dll, PE32+ 38->59 dropped file12 process13 signatures14 107 Adds a directory exclusion to Windows Defender 40->107 47 cmd.exe 1 40->47         started        50 conhost.exe 40->50         started        process15 signatures16 117 Adds a directory exclusion to Windows Defender 47->117 52 powershell.exe 27 47->52         started        process17 signatures18 105 DLL side loading technique detected 52->105 55 conhost.exe 52->55         started        process19
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3e3798f94fc50fdcab5042caab7564b3ee47aaa0a9472a34b9b0a8218bd1b471
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3e3798f94fc50fdcab5042caab7564b3ee47aaa0a9472a34b9b0a8218bd1b471/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-11-07 07:29:11 UTC
File Type:
PE (Exe)
Extracted files:
48
AV detection:
9 of 37 (24.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hy3zr6kpyuh5zk2qilfkw5lewpxepkvavfdsunfzwcucdc6rwryq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
015272bc0ca4397b7ff0abca5d9f34eef4714336b4e66da3ca86a3be0d95b7e5
DBatLoader
22e384543598c8f6d4b45b6d19c09f23e08429a89bb3fe580b368c8aecb9663b
DBatLoader
452fa0451a2bb4c555368aec8f070a3db895414d43e089af54431ebf89d50841
DBatLoader
7e0c562b58d5c2183c98af42b5ff6b6cee6d7d82ad89e773bf0ba9c7f67c04b4
DBatLoader
96706413d992b883ae553201150a265a0c35e3a5e8f89cdf8e7ab414134a49fc
DBatLoader
96df4af7b51b4a03a7014169c0862ed5820d4326d217f5ef4e099c1667a8045d
DBatLoader
c2f8b88850fcbc4df88e6708b12a265ed133ba04702f89ae9cf1da504c11bc6e
DBatLoader
f31a84611b66b26ffdf47df73fe98846b13bb7ffbabdce83bf1f7986edd561dd
DBatLoader
f742048a48e4d17061d323b8543db4e61163d13739ab9c18e8d1c85aef2ca7ff
DBatLoader
+ 19 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:modiloader family:zgrat keylogger persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/231107-xhgewsde3v/
Behaviour
Enumerates system info in registry
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
ModiLoader Second Stage
AgentTesla
Detect ZGRat V1
ModiLoader, DBatLoader
ZGRat
Unpacked files
SH256 hash:
c24b8eda08edcb48fc7992434b17e4c9855f066c60ce71fef7f6d8d237be2278
MD5 hash:
51b9af101b574bc7d5f7719f45eea25a
SHA1 hash:
8ce61763bf28af3eedabaeb7a89c8ec5861b7df7
Link:
https://www.unpac.me/results/6e7b3f8e-8a46-4c14-b449-4185d793872a/
SH256 hash:
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
MD5 hash:
c116d3604ceafe7057d77ff27552c215
SHA1 hash:
452b14432fb5758b46f2897aeccd89f7c82a727d
Link:
https://www.unpac.me/results/6e7b3f8e-8a46-4c14-b449-4185d793872a/
SH256 hash:
150de73f8455e11abf5c2c2b776560d9da43324a7cc7abd84b1eaf113d98a0af
MD5 hash:
e34cd1c5a96898acdfcec72c613df292
SHA1 hash:
1e89b97f1325565403045fb67f5796573dfc8807
Link:
https://www.unpac.me/results/6e7b3f8e-8a46-4c14-b449-4185d793872a/
SH256 hash:
3e3798f94fc50fdcab5042caab7564b3ee47aaa0a9472a34b9b0a8218bd1b471
MD5 hash:
12f4eb81b904b739d781f739b69ca683
SHA1 hash:
5cbe4fe011d4c35f342199e70a9e0e5c6a56e4ae
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/6e7b3f8e-8a46-4c14-b449-4185d793872a/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3e3798f94fc5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3e3798f94fc50fdcab5042caab7564b3ee47aaa0a9472a34b9b0a8218bd1b471

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DBatLoader

Executable exe 3e3798f94fc50fdcab5042caab7564b3ee47aaa0a9472a34b9b0a8218bd1b471

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments