MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 437e444fdf417fa35390eec589e380b8d5c70b5418a4554ee19cb706470a7edc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 437e444fdf417fa35390eec589e380b8d5c70b5418a4554ee19cb706470a7edc
SHA3-384 hash: 864ccb2ef57011a38e6bd7ba99f43912c6fcca4202574c157c98ff25e80d7e41a4834615749555bd2557867b19036d6b
SHA1 hash: d1f499691a8c716a16974f2b19737913262fae27
MD5 hash: e97214b154e79603b372124193f96ea1
humanhash: lactose-robert-vegan-cat
File name:test.dll
Download: download sample
Signature DBatLoader
Create hunting rule
File size:3'584 bytes
First seen:2022-08-01 08:46:08 UTC
Last seen:2022-08-01 09:44:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8e86a593cee4e793aa264b0eee8dd9eb (1 x DBatLoader)
ssdeep 48:Vt0KXJnuPq0cFl3pbqflhS4NGSwGzSDBAFqoBLz9:r04JnuPq0cPhtXGzuxoZ9
Threatray 2'483 similar samples on MalwareBazaar
TLSH T1237186A267E0C5B4E899547192E14307F43EF3785FE6E2212710F8695CBB394163C680
TrID 47.1% (.EXE) Win32 Executable (generic) (4505/5/1)
20.9% (.EXE) Generic Win/DOS Executable (2002/3)
20.9% (.EXE) DOS Executable Generic (2000/1)
10.5% (.SCORE) Music Craft Score (1007/6)
0.3% (.VXD) VXD Driver (29/21)
Reporter JAMESWT_WT
Tags:DBatLoader dll exe follina

Intelligence

File Origin
# of uploads :
2
# of downloads :
261
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/295524/
Detection(s):
SecuriteInfo.com.Variant.Graftor.963728.27341.32679.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
graftor remcos wacatac
Link:
https://www.filescan.io/uploads/62e793449ca9b9bfcbe28102/reports/573e3981-5772-42ab-a0be-ae14eac8df79/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9dba3dd9-10f0-426a-9816-eb9ac052082b
Result
Threat name:
DBatLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1044063
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 676558 Sample: test.dll Startdate: 01/08/2022 Architecture: WINDOWS Score: 100 73 Snort IDS alert for network traffic 2->73 75 Multi AV Scanner detection for domain / URL 2->75 77 Malicious sample detected (through community Yara rule) 2->77 79 5 other signatures 2->79 10 loaddll32.exe 1 2->10         started        12 Cotwth.exe 2->12         started        process3 dnsIp4 16 cmd.exe 1 10->16         started        18 rundll32.exe 10->18         started        22 rundll32.exe 1 10->22         started        69 polpharmar.com 12->69 89 Multi AV Scanner detection for dropped file 12->89 25 cmd.exe 12->25         started        signatures5 process6 dnsIp7 27 rundll32.exe 16->27         started        81 System process connects to network (likely due to code injection or exploit) 18->81 30 POtest.exe 16 18->30         started        59 polpharmar.com 91.235.116.180, 49733, 49735, 49743 THCPROJECTSRO Romania 22->59 55 C:\Users\user\AppData\Roaming\POtest.exe, PE32 22->55 dropped 33 POtest.exe 22->33         started        35 conhost.exe 25->35         started        file8 signatures9 process10 dnsIp11 65 polpharmar.com 27->65 37 POtest.exe 1 17 27->37         started        67 polpharmar.com 30->67 91 Writes to foreign memory regions 30->91 93 Creates a thread in another existing process (thread injection) 30->93 42 cmd.exe 1 30->42         started        95 Multi AV Scanner detection for dropped file 33->95 44 WerFault.exe 23 9 33->44         started        signatures12 process13 dnsIp14 61 polpharmar.com 37->61 63 192.168.2.1 unknown unknown 37->63 57 C:\Users\Public\Libraries\Cotwth.exe, PE32 37->57 dropped 83 Writes to foreign memory regions 37->83 85 Creates a thread in another existing process (thread injection) 37->85 87 Injects a PE file into a foreign processes 37->87 46 cmd.exe 2 3 37->46         started        49 conhost.exe 42->49         started        file15 signatures16 process17 dnsIp18 71 www.varshtrade.com 91.192.100.12, 2404, 49765, 49766 AS-SOFTPLUSCH Switzerland 46->71 51 conhost.exe 46->51         started        53 WerFault.exe 46->53         started        process19
Detection:
cve-2017-11882-shellcode
Create hunting rule
Link:
https://mwdb.cert.pl/sample/437e444fdf417fa35390eec589e380b8d5c70b5418a4554ee19cb706470a7edc/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-08-01 05:20:25 UTC
File Type:
PE (Dll)
AV detection:
20 of 40 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=in7eit67if72gu4q53cyty4axdk4oc2udcsfktxbts3qmrykp3oa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1015aaf219bd6c756e9e5224d219ed551795585e383fb4a6d2a566e7c8dabad5
DBatLoader
41dbd50dec8697c71e8feea9912873500ae7061955e1331ac9e657041b7b57f8
DBatLoader
7c46360bc0f882b7d7a6603ce5f141914e645b4afb7f4951cc3e29d76908c518
DBatLoader
9c9243f11dd44d1f1ac97716014be57244dca97a514e73d5f13da03392cba358
DBatLoader
b8df890fac057175f86dc5f301f1e1f6d45b2a1b36598934c3fc0144cf433137
DBatLoader
cfddcbf0a97a326f7a26683f817e7d42082c30f28113bef76e3c3b491c094c69
DBatLoader
d4729baa39aa4e1052e0999c90450a4cdcd4c4e3831c9a791fb99b94036103b4
DBatLoader
fd4e5f6c6b0e764dd7c0bb64e65985a4304d0a8f3103ea22656549f0b00508d5
DBatLoader
+ 2'473 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos persistence rat trojan
Link:
https://tria.ge/reports/220801-kpvvmsefc6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Adds Run key to start application
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
ModiLoader, DBatLoader
Remcos
Unpacked files
SH256 hash:
437e444fdf417fa35390eec589e380b8d5c70b5418a4554ee19cb706470a7edc
MD5 hash:
e97214b154e79603b372124193f96ea1
SHA1 hash:
d1f499691a8c716a16974f2b19737913262fae27
Link:
https://www.unpac.me/results/1c5dd9fd-8dc5-4bfc-a291-e5c0f5433174/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/437e444fdf41/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.32
Link:
https://yomi.yoroi.company/submissions/437e444fdf417fa35390eec589e380b8d5c70b5418a4554ee19cb706470a7edc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/StopMalvertisin/status/1553970459712319488?s=20&t=NUr2d5u8u1bLNhawYnZycQ
Cape
Cape
https://www.capesandbox.com/analysis/295524/

Comments