MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ed19034ed769a77a1a0904051bd1132519bb48e3d94b3b2abedcc32a059a4dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DBatLoader

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	5ed19034ed769a77a1a0904051bd1132519bb48e3d94b3b2abedcc32a059a4dd
SHA3-384 hash:	296cd3a88a3683955ae03221bacd5b064040190dd4ee9c5bd3c6e4f5d05e7b3d97288915d5e7df2d285b33d99ac80f12
SHA1 hash:	052711710ccdb8f6c621efd462e275f2b7c651ab
MD5 hash:	bb71974ceaeefe96d77e17f6d47fd54f
humanhash:	high-california-hamper-east
File name:	vbc.exe
Download:	download sample
Signature	DBatLoader Create hunting rule
File size:	1'060'864 bytes
First seen:	2022-07-06 13:23:03 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	753b0825549cc3d59d781f8089e09085 (4 x RemcosRAT, 4 x DBatLoader, 3 x Formbook)
ssdeep	12288:oQI+94AoSlZkkFuxYOO7EhGaLGPd25ivk4X6H8aiqWvxIgfFAnQnC3cSwus:lD6gSSCY+hGaLGQEvkXcvpFsQCsy
TLSH	T1AC359F63B2814533D1DB55756CCB53AA6E2B7E001E38A4866BF43D8C3F35E413AAD293
TrID	22.3% (.EXE) Win32 Executable Delphi generic (14182/79/4) 20.6% (.SCR) Windows screen saver (13101/52/3) 16.5% (.EXE) Win64 Executable (generic) (10523/12/4) 15.7% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2) 7.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	33f098d2d6d8f033 (12 x RemcosRAT, 7 x DBatLoader, 6 x Formbook)
Reporter	James_inthe_box
Tags:	DBatLoader exe

Intelligence

File Origin

# of uploads :

# of downloads :

248

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/285152/

Detection(s):

SecuriteInfo.com.Trojan.Win32.Remcos.mc.29806.13384.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

DNS request

Sending a custom TCP request

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

keylogger

Link:

https://www.filescan.io/uploads/62c58cf511764e36f81add26/reports/70d617c5-e1ad-4ba4-8d39-e21f4f3e4c92/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

AVE_MARIA

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0daad516-5944-4403-bf5e-75c6092dac1b

Result

Threat name:

DBatLoader

Detection:

malicious

Classification:

troj

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/1025614

Signature

Multi AV Scanner detection for domain / URL

Yara detected DBatLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5ed19034ed769a77a1a0904051bd1132519bb48e3d94b3b2abedcc32a059a4dd/

Threat name:

Win32.Trojan.Tnega

Status:

Malicious

First seen:

2022-07-06 13:21:25 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 25 (76.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=l3izanhno2nhpinasbafdpirgjizxneohwklhmvl5xgdficzutoq._file

Verdict:

malicious

Label(s):

avemaria

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:modiloader family:warzonerat infostealer persistence rat trojan

Link:

https://tria.ge/reports/220706-qncwbsdbfn/

Behaviour

Modifies system certificate store

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Adds Run key to start application

Uses the VBS compiler for execution

ModiLoader Second Stage

Warzone RAT Payload

ModiLoader, DBatLoader

WarzoneRat, AveMaria

Unpacked files

SH256 hash:

4a62c775683d3ceb5c995ebb93ad5283dfc969fde41f455efdea66c4740133d8

MD5 hash:

200c9630e3efa803e13473f0ed37d90e

SHA1 hash:

e32465fbd603df4f2f769da434b244162f8ecb87

Link:

https://www.unpac.me/results/3cdf1062-7269-435b-b08e-9a7b63325e99/

SH256 hash:

0b4b7d7628499c9d0c62562dc64f22baf5390cd32f71e0317c259511ae85b5b6

MD5 hash:

d6e8fb9c9383709a7475144fbc74cb44

SHA1 hash:

3dc32f98eb13d725511b64924730132883ad3591

Link:

https://www.unpac.me/results/3cdf1062-7269-435b-b08e-9a7b63325e99/

SH256 hash:

5ed19034ed769a77a1a0904051bd1132519bb48e3d94b3b2abedcc32a059a4dd

MD5 hash:

bb71974ceaeefe96d77e17f6d47fd54f

SHA1 hash:

052711710ccdb8f6c621efd462e275f2b7c651ab

Link:

https://www.unpac.me/results/3cdf1062-7269-435b-b08e-9a7b63325e99/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5ed19034ed769a77a1a0904051bd1132519bb48e3d94b3b2abedcc32a059a4dd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/285152/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample