MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5968fd5908c38e76d8f57fbfe06bfc87956d15b778eaa637816e1630fb3eb7c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5968fd5908c38e76d8f57fbfe06bfc87956d15b778eaa637816e1630fb3eb7c4
SHA3-384 hash: 4c5e0aca8691684ffdd4ec1f58eeb3525782a61f289cb2768f402aa7e52026e0e5856588eeedb0e2db888fc4137b7833
SHA1 hash: cdb66169976b4f8c6d9abb3b0592f61130fdca0f
MD5 hash: 428dc8652adc6fbd39a5b8a9193fe166
humanhash: oranges-butter-happy-magazine
File name:Re Re Order confirmation No. 2005739 PO SSEPLSBI00717-22.exe
Download: download sample
Signature DBatLoader
Create hunting rule
File size:943'616 bytes
First seen:2022-08-25 08:35:34 UTC
Last seen:2022-08-25 12:48:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2f81b5c9269910375af465608d2f2ff2 (3 x RemcosRAT, 3 x Formbook, 2 x DBatLoader)
ssdeep 12288:AJUHQf66vLY0QWoYa5RsDDVQdDPf+rKU5IT7greRccA/s/rsGvRcZoYto:AsoUQin8uerHqRcv/sHsoIo
TLSH T11E159F16B362C83FD57716788C17DA6C5C697F142A28A44B36D11E087B363B22A1F7CB
TrID 61.1% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
24.1% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
10.7% (.OCX) Windows ActiveX control (116521/4/18)
1.3% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.2% (.SCR) Windows screen saver (13101/52/3)
File icon (PE):PE icon
dhash icon ecdce4c48c9ce4c4 (14 x RemcosRAT, 9 x DBatLoader, 5 x Formbook)
Reporter 0xToxin
Tags:DBatLoader exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
280
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Re Re Order confirmation No. 2005739 PO SSEPLSBI00717-22.exe
Verdict:
Malicious activity
Analysis date:
2022-08-25 08:38:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4388ecb5-b6c5-43f7-848a-7f80fb89e5ad

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/301074/
Detection(s):
SecuriteInfo.com.Variant.Zusy.436143.17787.27254.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/30036/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
exploit keylogger shell32.dll zusy
Link:
https://www.filescan.io/uploads/630734f1393b1c8c471086e0/reports/79015e1e-984c-4339-8675-6f6c6f5220e8/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/af9f3961-6d85-4384-8830-8afe2bbc9296
Result
Threat name:
DBatLoader
Create hunting rule
Detection:
malicious
Classification:
troj.expl
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1057549
Signature
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected DBatLoader
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5968fd5908c38e76d8f57fbfe06bfc87956d15b778eaa637816e1630fb3eb7c4/
Threat name:
Win32.Exploit.BypassUac
Create hunting rule
Status:
Malicious
First seen:
2022-08-25 03:01:36 UTC
File Type:
PE (Exe)
Extracted files:
70
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lfup2wiiyohhnwhvp676a274q6kw2fnxpdvkmn4bnyldb6z6w7ca._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220825-khk2vsbbh7/
Unpacked files
SH256 hash:
53619866fb7adb9f5dcbed0dce75932a74830dc02351a6b6c819e9701a13ada1
MD5 hash:
38a86eff48873c72ca4d72f191a56f63
SHA1 hash:
25e96f601aa827d3b1ab70b0fdc67d0c15023b73
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/fe0adad8-37cc-47de-b509-8cf5b8fa333d/
Parent samples :
e9f4a7f5f39ac0ea1fc287c5d9521667d3eca8344b2e60fe26f9f795d7f53a8d
2e86f98ee2dc99164970b21058123fda31af9feb290e14646c3a6f49525f2fcc
5968fd5908c38e76d8f57fbfe06bfc87956d15b778eaa637816e1630fb3eb7c4
b725d730c210274c7cc33fa90c06467cf9e3416a9d214e060e14f323d31aa3c7
6620f97090422729f9d69268a68b76cc854f81cd97c25f3463315344ba3d639e
eae13c9aa0b286157c56819381b92a4a6d8e2607f553e7b71539b1959f2cd7a2
efa8f5c281c591960f2a8f508f278b1541de0c308f4039432307de4e0f25627c
aa4a3cf409c65c84e33841c92533d1781a01cd5b1b5ba372e0b3d4c333a8f5fe
d9d5ed4a3733ad8d8edcdd4a4e36f965f3ad5b0b0bb38b54acd9091ee99ff7cf
9e6da348b123ec110ed3d923198f378f6398a6e1f87d3a440340c5ab479e6912
ad2c3ee8225bffd3052bb7d77be8e73b14731a65d420a08bac8cd72f979300b9
22c7ed8874209dd96c59fbc16dd829802729f9fa34c09cce41f6f64704af7578
SH256 hash:
5968fd5908c38e76d8f57fbfe06bfc87956d15b778eaa637816e1630fb3eb7c4
MD5 hash:
428dc8652adc6fbd39a5b8a9193fe166
SHA1 hash:
cdb66169976b4f8c6d9abb3b0592f61130fdca0f
Link:
https://www.unpac.me/results/fe0adad8-37cc-47de-b509-8cf5b8fa333d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5968fd5908c38e76d8f57fbfe06bfc87956d15b778eaa637816e1630fb3eb7c4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DBatLoader

Executable exe 5968fd5908c38e76d8f57fbfe06bfc87956d15b778eaa637816e1630fb3eb7c4

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/301074/

Comments