MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c7e72a95bfda155875ac2e0b0a56588bb5ec05ca71d2e94c9f0ccfba523c373. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5c7e72a95bfda155875ac2e0b0a56588bb5ec05ca71d2e94c9f0ccfba523c373
SHA3-384 hash: ad7b07f189b251d38d34051e861ef2b9d1b407203f6b4623ad952a6e257746f57e261e43eafc23a6da4f279b1b2d7c94
SHA1 hash: 8b8b646972dee949373a9edb264fe9585da1d5a8
MD5 hash: 7795710d00cb724d9fdf705a3ccb797e
humanhash: papa-april-lima-east
File name:TR0435435453.exe
Download: download sample
Signature DBatLoader
Create hunting rule
File size:859'648 bytes
First seen:2022-04-19 12:53:49 UTC
Last seen:2022-04-20 11:06:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e0804e63f849253255cc5a90c0147c49 (6 x DBatLoader, 1 x Formbook, 1 x ModiLoader)
ssdeep 12288:bZ8wag4BvCXr8j4CoOjPDQdT4ragoUG15U87uxHkHijCNsFKzaRHr:b2FN2ojFoOjcdTaTGTR8HExz
Threatray 15'778 similar samples on MalwareBazaar
TLSH T125059F22B3908432D0731E785C5B93B85926BE202F2569477BF9ED1C6F3A5E1393D293
TrID 26.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
24.5% (.SCR) Windows screen saver (13101/52/3)
19.7% (.EXE) Win64 Executable (generic) (10523/12/4)
8.4% (.EXE) Win32 Executable (generic) (4505/5/1)
5.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon c8c982848998ac94 (10 x Formbook, 6 x DBatLoader, 4 x RemcosRAT)
Reporter GovCERT_CH
Tags:DBatLoader exe xloader

Intelligence

File Origin
# of uploads :
2
# of downloads :
279
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/264623/
Detection(s):
SecuriteInfo.com.Scr.MalPbsgen1.14185.1356.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Launching cmd.exe command interpreter
Sending an HTTP GET request
Searching for synchronization primitives
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe greyware keylogger
Link:
https://www.filescan.io/uploads/625eb0ec482f2f41cad1f0f2/reports/ec27010b-9549-4a9f-94f4-f0e4991bccc9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9367dc23-424a-4d0d-8204-aa78b944d627
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/978843
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 611330 Sample: TR0435435453.exe Startdate: 19/04/2022 Architecture: WINDOWS Score: 100 46 www.pondokbali.store 2->46 48 www.akhostelbkk.com 2->48 50 shops.myshopify.com 2->50 86 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->86 88 Found malware configuration 2->88 90 Malicious sample detected (through community Yara rule) 2->90 92 7 other signatures 2->92 11 TR0435435453.exe 1 19 2->11         started        signatures3 process4 dnsIp5 66 i-ams03p-cor001.api.p001.1drv.com 20.135.25.0, 443, 49726, 49741 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 11->66 68 pxpmra.am.files.1drv.com 11->68 70 4 other IPs or domains 11->70 42 C:\Users\Public\Libraries\Mxpqpie.exe, PE32 11->42 dropped 44 C:\Users\...\Mxpqpie.exe:Zone.Identifier, ASCII 11->44 dropped 112 Writes to foreign memory regions 11->112 114 Creates a thread in another existing process (thread injection) 11->114 116 Injects a PE file into a foreign processes 11->116 16 DpiScaling.exe 11->16         started        file6 signatures7 process8 signatures9 72 Modifies the context of a thread in another process (thread injection) 16->72 74 Maps a DLL or memory area into another process 16->74 76 Sample uses process hollowing technique 16->76 78 2 other signatures 16->78 19 explorer.exe 4 2 16->19 injected process10 dnsIp11 52 www.woodencok.com 35.186.238.101, 49809, 80 GOOGLEUS United States 19->52 94 System process connects to network (likely due to code injection or exploit) 19->94 23 Mxpqpie.exe 16 19->23         started        27 Mxpqpie.exe 16 19->27         started        29 cmd.exe 19->29         started        31 control.exe 19->31         started        signatures12 process13 dnsIp14 54 i-am3p-cor003.api.p001.1drv.com 40.90.142.224, 443, 49756, 49758 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 23->54 56 pxpmra.am.files.1drv.com 23->56 62 4 other IPs or domains 23->62 96 Multi AV Scanner detection for dropped file 23->96 98 Writes to foreign memory regions 23->98 100 Allocates memory in foreign processes 23->100 33 DpiScaling.exe 23->33         started        58 i-am3p-cor007.api.p001.1drv.com 13.104.158.183, 443, 49761, 49763 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 27->58 60 pxpmra.am.files.1drv.com 27->60 64 4 other IPs or domains 27->64 102 Creates a thread in another existing process (thread injection) 27->102 104 Injects a PE file into a foreign processes 27->104 36 DpiScaling.exe 27->36         started        106 Modifies the context of a thread in another process (thread injection) 29->106 108 Maps a DLL or memory area into another process 29->108 110 Tries to detect virtualization through RDTSC time measurements 29->110 38 cmd.exe 1 29->38         started        signatures15 process16 signatures17 80 Modifies the context of a thread in another process (thread injection) 33->80 82 Maps a DLL or memory area into another process 33->82 84 Sample uses process hollowing technique 33->84 40 conhost.exe 38->40         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5c7e72a95bfda155875ac2e0b0a56588bb5ec05ca71d2e94c9f0ccfba523c373/
Threat name:
Win32.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2022-04-19 07:39:45 UTC
File Type:
PE (Exe)
Extracted files:
67
AV detection:
20 of 26 (76.92%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lr7hfkk37wqvlb22ylqlbjlfrc5v5qc4u4os5fgj6dgpxjjdynzq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
239419437726bda1c5401f36629aa95050346433232192947ca54890ebb8a39f
DBatLoader
340ffaf73b1d7c0548cde151ec9acaa2afada53f3e8d6616e558d524c12b36c8
DBatLoader
3e25c1a249031c7ec06d4d6ad15a9dcd9f6cf0a72053663ebdd7a31eafb59c35
DBatLoader
3f402617d9bbe740d49a4c0e0b17e4c704a11f04ad5c708a08c5a6988e7c181f
DBatLoader
5cd30e5f4506a7dc4f2cc8e0c9ce2a2061bcb3da3095c0861d88af07cbdf7f8c
DBatLoader
687b7b359a5cac51eeb2d8bd04b147bdca3af96f148c2e560b3aff235d48e6b0
DBatLoader
81f4e3b64cd382fe241f3ce5f0f31eafca0fc82c77c91b751d03f8eb41511b3e
DBatLoader
bcd4ff2d437acfafe367d9192ea761aa86a93f212a3a86e422650ba5820108f2
DBatLoader
+ 15'768 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:xloader campaign:uj3c loader persistence rat trojan
Link:
https://tria.ge/reports/220419-p47j7scfg8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Xloader Payload
ModiLoader, DBatLoader
Xloader
Unpacked files
SH256 hash:
5c7abef80eec8823727033ff393ec0c554e024174078558c2816eac5aa5f05ba
MD5 hash:
75bb3ad3fd6a800d80f6d0df1eacc4cd
SHA1 hash:
97401d629c663e86c91d254047857d2d56245c69
Detections:
win_dbatloader_w0
Create hunting rule
Link:
https://www.unpac.me/results/102d7f6f-c78f-400e-8943-42f015f66fef/
Parent samples :
25ea2bf5ae084d751e654229343f8390cf11c0d1930fda8009b3935a96317de2
af499144c7f610fae2c18484fd390dbc9307cf056e69813a1f53f944593d412b
5c7e72a95bfda155875ac2e0b0a56588bb5ec05ca71d2e94c9f0ccfba523c373
7834cc8a3f3b2dd0d3ed6a22c134b347054a477e116b4a46751f21a463aee356
SH256 hash:
5c7e72a95bfda155875ac2e0b0a56588bb5ec05ca71d2e94c9f0ccfba523c373
MD5 hash:
7795710d00cb724d9fdf705a3ccb797e
SHA1 hash:
8b8b646972dee949373a9edb264fe9585da1d5a8
Link:
https://www.unpac.me/results/102d7f6f-c78f-400e-8943-42f015f66fef/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5c7e72a95bfd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.74
Link:
https://yomi.yoroi.company/submissions/5c7e72a95bfda155875ac2e0b0a56588bb5ec05ca71d2e94c9f0ccfba523c373

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DBatLoader

Executable exe 5c7e72a95bfda155875ac2e0b0a56588bb5ec05ca71d2e94c9f0ccfba523c373

(this sample)

  
Dropped by
xloader
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/264623/

Comments