MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5cd30e5f4506a7dc4f2cc8e0c9ce2a2061bcb3da3095c0861d88af07cbdf7f8c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5cd30e5f4506a7dc4f2cc8e0c9ce2a2061bcb3da3095c0861d88af07cbdf7f8c
SHA3-384 hash: 6e59e9bccbfbf93775ac1677c4e6033fc1a3bab585bddf873bdab01efff29629764d2484ed9c259506343378854bcec9
SHA1 hash: 6fcbec4c79af4f747a98242ec75416035f90d4fc
MD5 hash: 0f2ba99c95bbc455cb9bc42e466c34e4
humanhash: undress-fish-grey-ten
File name:SecuriteInfo.com.Scr.MalPbsgen1.51.18543
Download: download sample
Signature DBatLoader
Create hunting rule
File size:866'816 bytes
First seen:2022-04-18 06:42:28 UTC
Last seen:2022-04-19 08:15:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1f3bc926a129afe92595bdb42efcb0e2 (2 x DBatLoader)
ssdeep 12288:+2mVRzH7gOlJs0Ovn4IDxsh0ICELlPIm7o1KtYBF8Lf1iBcCNsFKzaRHr:+9bvgaJs0QnlOh0IJ5A+9Lf14Fxz
Threatray 15'205 similar samples on MalwareBazaar
TLSH T1E3058E22F3914476D4635E745C179398BD26BE102E28980EEBB4EE8C9F373D1B5281B7
TrID 26.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
24.5% (.SCR) Windows screen saver (13101/52/3)
19.7% (.EXE) Win64 Executable (generic) (10523/12/4)
8.4% (.EXE) Win32 Executable (generic) (4505/5/1)
5.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon 30808a8c8c8a8010 (4 x RemcosRAT, 4 x Formbook, 4 x DBatLoader)
Reporter SecuriteInfoCom
Tags:DBatLoader exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
303
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/264286/
Detection(s):
SecuriteInfo.com.Scr.MalPbsgen1.51.18543.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending an HTTP GET request
Creating a file
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe greyware keylogger replace.exe
Link:
https://www.filescan.io/uploads/625d08b4ffe27d5119fc2398/reports/c6e9cba4-9bd2-42ec-aa19-33d46ca769a5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/60338123-2554-4367-9ac6-e653b6036636
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/978093
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 610577 Sample: SecuriteInfo.com.Scr.MalPbs... Startdate: 18/04/2022 Architecture: WINDOWS Score: 100 45 www.valenciamobilenotary.com 2->45 47 www.puerteria.com 2->47 49 puerteria.com 2->49 79 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->79 81 Found malware configuration 2->81 83 Malicious sample detected (through community Yara rule) 2->83 85 6 other signatures 2->85 11 SecuriteInfo.com.Scr.MalPbsgen1.51.exe 1 17 2->11         started        signatures3 process4 dnsIp5 61 expertppl.org 45.118.132.159, 49717, 49718, 49723 LINODE-APLinodeLLCUS Japan 11->61 41 C:\Users\Public\Libraries\Pzeqdkz.exe, PE32 11->41 dropped 43 C:\Users\...\Pzeqdkz.exe:Zone.Identifier, ASCII 11->43 dropped 107 Writes to foreign memory regions 11->107 109 Creates a thread in another existing process (thread injection) 11->109 111 Injects a PE file into a foreign processes 11->111 16 logagent.exe 11->16         started        file6 signatures7 process8 signatures9 63 Modifies the context of a thread in another process (thread injection) 16->63 65 Maps a DLL or memory area into another process 16->65 67 Sample uses process hollowing technique 16->67 69 2 other signatures 16->69 19 explorer.exe 4 4 16->19 injected process10 dnsIp11 51 td-ccm-168-233.wixdns.net 34.117.168.233, 49801, 80 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 19->51 53 www.sdgaihao.com 45.207.77.153, 49824, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles 19->53 55 5 other IPs or domains 19->55 87 System process connects to network (likely due to code injection or exploit) 19->87 23 Pzeqdkz.exe 13 19->23         started        27 Pzeqdkz.exe 14 19->27         started        29 cscript.exe 19->29         started        31 msiexec.exe 19->31         started        signatures12 process13 dnsIp14 57 expertppl.org 23->57 91 Multi AV Scanner detection for dropped file 23->91 93 Writes to foreign memory regions 23->93 95 Allocates memory in foreign processes 23->95 33 DpiScaling.exe 23->33         started        59 expertppl.org 27->59 97 Creates a thread in another existing process (thread injection) 27->97 99 Injects a PE file into a foreign processes 27->99 36 DpiScaling.exe 27->36         started        101 Modifies the context of a thread in another process (thread injection) 29->101 103 Maps a DLL or memory area into another process 29->103 105 Tries to detect virtualization through RDTSC time measurements 29->105 signatures15 process16 signatures17 71 Tries to detect virtualization through RDTSC time measurements 33->71 73 Modifies the context of a thread in another process (thread injection) 36->73 75 Maps a DLL or memory area into another process 36->75 77 Sample uses process hollowing technique 36->77 38 mstsc.exe 36->38         started        process18 signatures19 89 Tries to detect virtualization through RDTSC time measurements 38->89
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5cd30e5f4506a7dc4f2cc8e0c9ce2a2061bcb3da3095c0861d88af07cbdf7f8c/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-04-18 03:50:53 UTC
File Type:
PE (Exe)
Extracted files:
43
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ltjq4x2fa2t5ytzmzdqmttrkebq3zm62gck4bbq5rcxqps67p6ga._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
239419437726bda1c5401f36629aa95050346433232192947ca54890ebb8a39f
DBatLoader
3987ea55911d57e4f6e97332a95794f8d38465b521f5b27e0372a4598ed702b6
DBatLoader
4083d4907b0926bbea1b80c0dd047d1e6c835dc259f9e698c4cfb7f2218b77d3
DBatLoader
81f4e3b64cd382fe241f3ce5f0f31eafca0fc82c77c91b751d03f8eb41511b3e
DBatLoader
99bb3d1c9a2a4dad6465a81df1008b91f5836e51ce0463da76b31f9758dd9b62
DBatLoader
b7a756c577e078ad9d76c1e7aadb4d0370b1b5ee868f07fad21f33194febe1ec
DBatLoader
bae9500c6eecd23164e1eba0e489d68938bfff866d47fb9e6c8320b3b8500720
DBatLoader
e07c12a4c17554763b40b0ca410493875bbdd907bc8ba261a732d935e015f852
DBatLoader
+ 15'195 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:xloader campaign:xtef loader persistence rat suricata trojan
Link:
https://tria.ge/reports/220418-hgxm6acggq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Blocklisted process makes network request
ModiLoader Second Stage
Xloader Payload
ModiLoader, DBatLoader
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
c15cc72bba4eb7def1e1f7f3cd827bb64fe178642b98603731c2dc4cce1e9103
MD5 hash:
b39856eb54a849251edc8231cbe41510
SHA1 hash:
2d463e795dff6d1d8513c62b13b54fa41eb3d0ad
Detections:
win_dbatloader_w0
Create hunting rule
Link:
https://www.unpac.me/results/62d1d120-16c0-4621-834c-f447006b915f/
Parent samples :
5cd30e5f4506a7dc4f2cc8e0c9ce2a2061bcb3da3095c0861d88af07cbdf7f8c
7819c052ad3f9625bc7b6eca291433efed6f782447a0dee078f077605b3a289b
SH256 hash:
5cd30e5f4506a7dc4f2cc8e0c9ce2a2061bcb3da3095c0861d88af07cbdf7f8c
MD5 hash:
0f2ba99c95bbc455cb9bc42e466c34e4
SHA1 hash:
6fcbec4c79af4f747a98242ec75416035f90d4fc
Link:
https://www.unpac.me/results/62d1d120-16c0-4621-834c-f447006b915f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.94
Link:
https://yomi.yoroi.company/submissions/5cd30e5f4506a7dc4f2cc8e0c9ce2a2061bcb3da3095c0861d88af07cbdf7f8c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/264286/

Comments