MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59d26fa675cac7fdf3c0fa7f5869ecc1691eb132faf4dfab5ecd1c01f47cfade. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 59d26fa675cac7fdf3c0fa7f5869ecc1691eb132faf4dfab5ecd1c01f47cfade
SHA3-384 hash: 42dab076636553351f71cc8ede0b49ec274608e2056b00ba88339b9cc4d26de3944acd5f33e912d479a7e0d5d5b9b7c6
SHA1 hash: ef36ae11c9c479335f34f64097bd40df18c081bc
MD5 hash: c431f315c058c659ac16e24eef71b7f0
humanhash: sink-oxygen-missouri-carpet
File name:ScanDocIMGDOC03027329314B76848A444B498C03EEC7E6FB8PDF.exe
Download: download sample
Signature DBatLoader
Create hunting rule
File size:945'664 bytes
First seen:2022-08-24 14:27:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2cf6967194f6d1304e0f1c36c461b666 (4 x RemcosRAT, 2 x DBatLoader, 1 x Formbook)
ssdeep 12288:yGfp37BLoRAHgBx8vzFpzU14p+R15BT7gr8dcnJDnsaXaXmYPuqZ6ZoYta:y8t4AHgBx8LzRpoWYdcnJDuPRZeoIa
TLSH T18A158E22A352CC3BE5325638CD07DA6D5C1D7E106E38645B2AD51D0C7B7A3B22A1F6CB
TrID 61.1% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
24.1% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
10.7% (.OCX) Windows ActiveX control (116521/4/18)
1.3% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.2% (.SCR) Windows screen saver (13101/52/3)
File icon (PE):PE icon
dhash icon ecdce4c48c9ce4c4 (14 x RemcosRAT, 9 x DBatLoader, 5 x Formbook)
Reporter 0xToxin
Tags:DBatLoader exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
343
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
ScanDocIMGDOC03027329314B76848A444B498C03EEC7E6FB8PDF.exe
Verdict:
Malicious activity
Analysis date:
2022-08-24 14:29:11 UTC
Tags:
keylogger remcos
Link:
https://app.any.run/tasks/0ea6cca3-b464-49b8-82d5-6061a51a51f0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/300871/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.3928.14227.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Creating a process from a recently created file
Searching for the window
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/29935/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint keylogger shell32.dll
Link:
https://www.filescan.io/uploads/63063573f205e2ee76741815/reports/dcc20040-5ed9-46b7-ac9a-06dfdcc7b58d/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/02b9a13b-8610-4e08-a88f-a76e56b6234a
Result
Threat name:
DBatLoader
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1057046
Signature
Adds a directory exclusion to Windows Defender
Creates a thread in another existing process (thread injection)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Injects a PE file into a foreign processes
Multi AV Scanner detection for domain / URL
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 689563 Sample: ScanDocIMGDOC03027329314B76... Startdate: 24/08/2022 Architecture: WINDOWS Score: 100 60 Multi AV Scanner detection for domain / URL 2->60 62 Yara detected UAC Bypass using ComputerDefaults 2->62 64 Yara detected DBatLoader 2->64 10 ScanDocIMGDOC03027329314B76848A444B498C03EEC7E6FB8PDF.exe 1 22 2->10         started        15 Ivvoxrbdc.exe 13 2->15         started        17 Ivvoxrbdc.exe 2->17         started        process3 dnsIp4 54 vervain.co.in 199.79.62.221, 443, 49709, 49710 PUBLIC-DOMAIN-REGISTRYUS United States 10->54 44 C:\Users\Public\Libraries\Ivvoxrbdc.exe, PE32 10->44 dropped 46 C:\Users\Public\Libraries\netutils.dll, PE32+ 10->46 dropped 48 C:\Users\Public\Libraries\easinvoker.exe, PE32+ 10->48 dropped 80 Writes to foreign memory regions 10->80 82 Creates a thread in another existing process (thread injection) 10->82 84 Injects a PE file into a foreign processes 10->84 19 cmd.exe 3 10->19         started        22 cleanmgr.exe 10->22         started        file5 signatures6 process7 signatures8 70 Uses ping.exe to sleep 19->70 72 Drops executables to the windows directory (C:\Windows) and starts them 19->72 74 Uses ping.exe to check the status of other devices and networks 19->74 24 easinvoker.exe 19->24         started        26 PING.EXE 1 19->26         started        29 xcopy.exe 2 19->29         started        32 6 other processes 19->32 76 DLL side loading technique detected 22->76 process9 dnsIp10 34 cmd.exe 1 24->34         started        56 127.0.0.1 unknown unknown 26->56 58 192.168.2.1 unknown unknown 26->58 50 C:\Windows \System32\easinvoker.exe, PE32+ 29->50 dropped 52 C:\Windows \System32\netutils.dll, PE32+ 32->52 dropped file11 process12 signatures13 66 Suspicious powershell command line found 34->66 68 Adds a directory exclusion to Windows Defender 34->68 37 powershell.exe 27 34->37         started        40 conhost.exe 34->40         started        process14 signatures15 78 DLL side loading technique detected 37->78 42 conhost.exe 37->42         started        process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/59d26fa675cac7fdf3c0fa7f5869ecc1691eb132faf4dfab5ecd1c01f47cfade/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2022-08-24 13:55:23 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lhjg7jtvzld7346a7j7vq2pmyfur5mjs7l2n7k26zuoad5d47lpa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:arkern-tr-file persistence rat trojan
Link:
https://tria.ge/reports/220824-rszrbsffe3/
Behaviour
Enumerates system info in registry
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
www.arkern-tr.com:2404
bushnew.duckdns.org:2404
Unpacked files
SH256 hash:
e12966b31b8967e1ef25d8b2864025b106eb0a9b08dfaeada072e28900f7d566
MD5 hash:
7406ae53a6b6a3349e308c1bb34e6077
SHA1 hash:
f7ac5b5914d230c61972da8557a14dedb51555e8
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/f885c707-badd-46a1-9e1c-9c74e3f25837/
Parent samples :
59d26fa675cac7fdf3c0fa7f5869ecc1691eb132faf4dfab5ecd1c01f47cfade
1a9449eb429ea1c829080ee13d587a0c799f8ee4f4dca0182f446ce3baa92514
4d23a0991f3eac889b28f3fe041610a2f68697f41ec80b9f3c10bd01716d9862
13953945568abd68de0b2f8f04dfe03bcbecece905968dee4c0c1d4140ad09a7
2a68d228070ae7e99c1ed57e5744d8f299f962e322239493b5fed464ed9b5815
a81cfd3fa62e47eb4a12fdb5be1aff2bbd0a14d2ec41afa136c711ba3bfca4f2
8bc1e0fe003422b0c648ad868651cfc32f7bfb27cabe1aea2c3d55ad76ac0b7b
SH256 hash:
59d26fa675cac7fdf3c0fa7f5869ecc1691eb132faf4dfab5ecd1c01f47cfade
MD5 hash:
c431f315c058c659ac16e24eef71b7f0
SHA1 hash:
ef36ae11c9c479335f34f64097bd40df18c081bc
Link:
https://www.unpac.me/results/f885c707-badd-46a1-9e1c-9c74e3f25837/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/59d26fa675cac7fdf3c0fa7f5869ecc1691eb132faf4dfab5ecd1c01f47cfade

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DBatLoader

Executable exe 59d26fa675cac7fdf3c0fa7f5869ecc1691eb132faf4dfab5ecd1c01f47cfade

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/300871/

Comments