MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5aaf1bad66c12e29fd6c096f82876d8f13f585eb8cdd1c6667f99eac630e031e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DBatLoader

Vendor detections: 10

SHA256 hash: 5aaf1bad66c12e29fd6c096f82876d8f13f585eb8cdd1c6667f99eac630e031e
SHA3-384 hash: 641c6a80dd661162415c2c4cedc3ee5a0dd4d1e39578423f0dd0019d11e0ff0941e1bc183aa10b1a7ee2d367637f1852
SHA1 hash: 8646c18fc74edca6341e915dd06997149e5d019b
MD5 hash: 6aca6c9fdf82b87557148999d0b08296
humanhash: twenty-bacon-oklahoma-tennis
File name: SWIFT_COPY20240604.cmd
Signature: DBatLoader
File size: 3'714'343 bytes
First seen: 2024-06-19 06:57:24 UTC
Last seen: Never
File type: cmd
MIME type: text/x-msdos-batch
ssdeep: 49152:GA6PFw42qcCUt5GKGhqK6GgCYUMCJwUzun2vHMA:i
Threatray: 9 similar samples on MalwareBazaar
TLSH: T182061DB729AD1E4E9309E75BF64BF9B4061EC8305A825E88C0C6CF88453E6DF2D50D6D
Reporter: Racco42
Tags: cmd DBatLoader

Intelligence
File Origin
# of uploads: 1
# of downloads: 98
Origin country:

Vendor Threat Intelligence

Verdict: Malicious
Score: 90.9%
Tags: Encryption Execution Network

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: extrac32 lolbin masquerade

Result
Verdict: MALICIOUS

Result
Threat name: DBatLoader
Detection: malicious
Classification: bank.troj.evad
Score: 100 / 100
Signature:
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to detect sleep reduction / modifications
Drops or copies certutil.exe with a different name (likely to bypass HIPS)
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Registers a new ROOT certificate
Sigma detected: Execution from Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Suspicious Program Location with Network Connections
Yara detected DBatLoader
Behaviour
Behavior Graph (ID 1459481; graph image not reproduced here): Sample SWIFT_COPY20240604.cmd, start date 19/06/2024, architecture WINDOWS, score 100.
Process tree recovered from the graph: cmd.exe starts Audio.pif, extrac32.exe, alpha.exe and 5 other processes. extrac32.exe drops C:\Users\Public\alpha.exe (PE32+) and C:\Users\Public\kn.exe (PE32+); kn.exe drops C:\Users\Public\Libraries\Audio.pif (PE32), registers a new ROOT certificate and drops PE files with a suspicious file extension. Audio.pif contacts imz.hongsbelt.co (94.156.66.208, ports 49731, 49732, 80; TERASYST-ASBG, Bulgaria) and youtube-ui.l.google.com (142.250.185.238, ports 443, 49733; GOOGLEUS, United States), shows the evasive API chain, CheckRemoteDebuggerPresent and sleep-modification checks listed above, and starts WerFault.exe.
Threat name: Script-BAT.Trojan.Heuristic
Status: Malicious
First seen: 2024-06-19 03:32:21 UTC
File Type: Text
Extracted files: 1
AV detection: 11 of 24 (45.83%)
Threat level: 2/5

Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour:
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of WriteProcessMemory
Program crash
Executes dropped EXE
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Borland
Author: malware-lu

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__RemoteAPI
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: without_attachments
Author: Antonio Sanchez <asanchez@hispasec.com>
Description: Rule to detect the no presence of any attachment
Reference: http://laboratorio.blogs.hispasec.com/

Rule name: with_urls
Author: Antonio Sanchez <asanchez@hispasec.com>
Description: Rule to detect the presence of an or several urls
Reference: http://laboratorio.blogs.hispasec.com/

File information
The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Signature: DBatLoader
File type: cmd
SHA256: 5aaf1bad66c12e29fd6c096f82876d8f13f585eb8cdd1c6667f99eac630e031e (this sample)
Delivery method: Distributed via e-mail attachment

Comments