MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4604f1760d854d4b495a888b37cbcc2e1d317a43eb28666b80f70dabfc6076dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4604f1760d854d4b495a888b37cbcc2e1d317a43eb28666b80f70dabfc6076dd
SHA3-384 hash: 0706de622c205aa0434cfe304641485c070aadcb4bdf854821dadbccbfafc54cb6c2cf368d7ecbe352b5a2615946ae03
SHA1 hash: fd875159a9ecf09fb1f744d0c94ee3bcedc86fd7
MD5 hash: 06fc299733b3a026d5a11b26800c6c95
humanhash: football-autumn-tennessee-undress
File name:06fc299733b3a026d5a11b26800c6c95
Download: download sample
Signature DBatLoader
Create hunting rule
File size:788'992 bytes
First seen:2022-07-05 13:41:43 UTC
Last seen:2022-07-15 04:11:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a73b34b2f22a3ef9f78bad49cc1507c7 (3 x DBatLoader)
ssdeep 12288:nRFfIeLjuVqwDAs53JjGkNvXXzv4e18t35noMezv390cSwu7:n/Ahsw8s53hG6jAeWXgjny
Threatray 2'554 similar samples on MalwareBazaar
TLSH T154F48E63A2804637C0F71A35BDDA5266CD677E801E3895426BE47C893F36D903AFE253
TrID 68.5% (.OCX) Windows ActiveX control (116521/4/18)
8.3% (.EXE) Win32 Executable Delphi generic (14182/79/4)
7.7% (.SCR) Windows screen saver (13101/52/3)
6.1% (.EXE) Win64 Executable (generic) (10523/12/4)
2.6% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 33f098d2d6d8f033 (12 x RemcosRAT, 7 x DBatLoader, 6 x Formbook)
Reporter zbetcheckin
Tags:32 DBatLoader exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
257
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
Artifacts-2022-07-05_10-58-43Z.zip
Verdict:
Malicious activity
Analysis date:
2022-07-05 10:59:15 UTC
Tags:
opendir exploit CVE-2017-11882 loader trojan remcos
Link:
https://app.any.run/tasks/646397f0-1ce4-4b64-81fb-4726ebffd0de

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.3237.28251.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Launching a process
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/23896/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm fareit keylogger remcos wacatac
Link:
https://www.filescan.io/uploads/62c43fe911764e36f81703b7/reports/2522cd7a-3a39-4bd8-a2a4-0efe0dc80239/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f3f0928a-ee82-4cd5-877f-93f3375fc814
Result
Threat name:
DBatLoader
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1024904
Signature
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected DBatLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4604f1760d854d4b495a888b37cbcc2e1d317a43eb28666b80f70dabfc6076dd/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-07-05 08:26:11 UTC
File Type:
PE (Exe)
Extracted files:
43
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iycpc5qnqvguwsk2rcftps6mfyotc6sd5mugm24a64g2x7dao3oq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1015aaf219bd6c756e9e5224d219ed551795585e383fb4a6d2a566e7c8dabad5
DBatLoader
7c46360bc0f882b7d7a6603ce5f141914e645b4afb7f4951cc3e29d76908c518
DBatLoader
81b648fca4135b631044dd68aee71ee704dcc930ae635658b9438585c5dc6b90
DBatLoader
bec0e99c27a1be5e7f2ad71f8ebf6153a71ad0026c7a102db8228ad0638c37fe
DBatLoader
d3b0ff3262302f0478cdc55f8d77d9d7c999255282a3181bd6cc09a252077ee9
DBatLoader
db5081b362e1b639dadf98a1d8e7ff79f7a9dcaee67417795bec75b8897973a0
DBatLoader
+ 2'544 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:grace-logs persistence rat suricata trojan
Link:
https://tria.ge/reports/220705-qznf7shgbj/
Behaviour
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
suricata: ET MALWARE Remocs 3.x Unencrypted Checkin
suricata: ET MALWARE Remocs 3.x Unencrypted Server Response
Malware Config
C2 Extraction:
karnnod.com:20901
Unpacked files
SH256 hash:
a1b53de4f22c0f433fac49ce40f70f1519aa6c16f962e5aa4477815f0427519d
MD5 hash:
0ce5bc56f3106395d0b5c47568ec1eda
SHA1 hash:
40d2463ec84a85b9678b803d0f1606eab67b542d
Link:
https://www.unpac.me/results/e6296a5a-18a5-4655-99a1-207903097148/
SH256 hash:
0b4b7d7628499c9d0c62562dc64f22baf5390cd32f71e0317c259511ae85b5b6
MD5 hash:
d6e8fb9c9383709a7475144fbc74cb44
SHA1 hash:
3dc32f98eb13d725511b64924730132883ad3591
Link:
https://www.unpac.me/results/e6296a5a-18a5-4655-99a1-207903097148/
SH256 hash:
4604f1760d854d4b495a888b37cbcc2e1d317a43eb28666b80f70dabfc6076dd
MD5 hash:
06fc299733b3a026d5a11b26800c6c95
SHA1 hash:
fd875159a9ecf09fb1f744d0c94ee3bcedc86fd7
Link:
https://www.unpac.me/results/e6296a5a-18a5-4655-99a1-207903097148/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4604f1760d85/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4604f1760d854d4b495a888b37cbcc2e1d317a43eb28666b80f70dabfc6076dd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DBatLoader

Executable exe 4604f1760d854d4b495a888b37cbcc2e1d317a43eb28666b80f70dabfc6076dd

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2254156/

Comments


Avatar
zbet commented on 2022-07-05 13:41:51 UTC

url : hxxp://103.171.1.178/cloudX/vbc.exe