MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 45c2a90fff377e89af12d170f42c055f26b3165f17bca422ef34edc479debcee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DBatLoader


Vendor detections: 10

SHA256 hash: 45c2a90fff377e89af12d170f42c055f26b3165f17bca422ef34edc479debcee
SHA3-384 hash: 95e91a323c07fe977764d5d144d87a360f09e90b960aa73f13d72851baa785f8ce838241499fb3851a635ac62cdfe729
SHA1 hash: 985f565984844b94769d933ebcb8c4fa769ac18a
MD5 hash: 90dee1f7dab1c753a82b7846647700ec
humanhash: california-north-washington-april
File name: Delivery.exe
Signature: DBatLoader
File size: 935'936 bytes
First seen: 2022-07-31 11:09:01 UTC
Last seen: 2022-07-31 11:59:41 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: d6b755142a9bedd67381675d646ee46f (2 x DBatLoader, 1 x ModiLoader)
ssdeep: 24576:MryWRujk9kBBuNpHb9t0GrvBPUaxXd52Ep8r:Mr9fkByDor
Threatray: 2'548 similar samples on MalwareBazaar
TLSH: T10D15AF67B2A0D437D0A31D785C4B93F49929BD152D28688A6BF43E4C6F35B603E252F3
TrID:
  68.5% (.OCX) Windows ActiveX control (116521/4/18)
  8.3% (.EXE) Win32 Executable Delphi generic (14182/79/4)
  7.7% (.SCR) Windows screen saver (13101/52/3)
  6.1% (.EXE) Win64 Executable (generic) (10523/12/4)
  2.6% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 509dca9acccc4b90 (5 x DBatLoader, 2 x AveMariaRAT, 1 x Formbook)
Reporter: 0xToxin
Tags: DBatLoader exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 426
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching the process to interact with network services
Launching a process
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine

Result
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: keylogger packed

Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: DBatLoader, Remcos
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph (ID 676237; sample: Delivery.exe; start date: 31/07/2022; architecture: WINDOWS; score: 100)

Top-level signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 6 other signatures

Process tree (network contacts, dropped files and signatures listed under the process they belong to):

Delivery.exe
  Network: l-0003.l-dc-msedge.net (13.107.43.12, 443, 49730, 49741; MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); vyqnta.db.files.1drv.com; 2 other IPs or domains
  Dropped: C:\Users\Public\Libraries\Rskljp.exe (PE32); C:\Users\Public\Libraries\RskljpO.bat (ASCII)
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
  cmd.exe
    Signatures: Contains functionality to steal Chrome passwords or cookies; Contains functionality to inject code into remote processes; Contains functionality to steal Firefox passwords or cookies; Delayed program exit found
    cmd.exe
      Network: harrywlike.ddns.net (38.242.134.118, 2404, 49745; NATIXISUS, United States); hendersonk1.hopto.org; 3 other IPs or domains
      conhost.exe
    conhost.exe
  cmd.exe
    conhost.exe
Rskljp.exe
  Network: vyqnta.db.files.1drv.com; 2 other IPs or domains
  Signatures: Multi AV Scanner detection for dropped file
  cmd.exe
    conhost.exe
Rskljp.exe
  Network: vyqnta.db.files.1drv.com; 2 other IPs or domains
  cmd.exe
    conhost.exe
Threat name: Win32.Trojan.Leonem
Status: Malicious
First seen: 2022-07-30 23:07:55 UTC
File Type: PE (Exe)
Extracted files: 47
AV detection: 16 of 26 (61.54%)
Threat level: 5/5
Unpacked files
SHA256 hash: df5188834ad47e3f01711c40fa863a1117e26df67fbe7bb116d9f3721dd4449e
MD5 hash: 6381d1e28338c4262a7bbe4e1f3fc66d
SHA1 hash: 8f8ab1deb41db7a0a74ef63dafe9b51a8e02e68c

SHA256 hash: 45c2a90fff377e89af12d170f42c055f26b3165f17bca422ef34edc479debcee
MD5 hash: 90dee1f7dab1c753a82b7846647700ec
SHA1 hash: 985f565984844b94769d933ebcb8c4fa769ac18a
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: DBatLoader, Executable exe 45c2a90fff377e89af12d170f42c055f26b3165f17bca422ef34edc479debcee (this sample)
Delivery method: Distributed via e-mail attachment

Comments