MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60a3ba978c54e5c55e3e41ae565ff05ba1e7fa9627a8bde0edb751aad25fa298. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 15


Maldoc score: 4


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 60a3ba978c54e5c55e3e41ae565ff05ba1e7fa9627a8bde0edb751aad25fa298
SHA3-384 hash: 40bc0e9b6c00d48f1ee01aa030c2ceb1f3a1753228250cd9e73bd87771a2c0c822c7ada0d3172bc193c62a5482c9dcfb
SHA1 hash: 068f53461793d7859d33818369f2b89177767c00
MD5 hash: 5a788468cddd802e6eea249755b4beaf
humanhash: black-crazy-wisconsin-black
File name:Payment Slip.xls
Download: download sample
Signature DBatLoader
Create hunting rule
File size:422'912 bytes
First seen:2024-09-25 05:56:55 UTC
Last seen:2024-09-25 06:18:35 UTC
File type:Excel file xls
MIME type:application/vnd.ms-excel
ssdeep 12288:/vGw7AQCRQwutWYRrBP5Eof77zUBoLiw:WwZHXtWiBPay7cBe
TLSH T16F9422A075908B0BF06B0AFB38D6C9BF265CFD519FE1C10B7191B35E08397928656B0E
TrID 46.5% (.XLS) Microsoft Excel sheet (alternate) (56500/1/4)
26.7% (.XLS) Microsoft Excel sheet (32500/1/3)
20.1% (.XLS) Microsoft Excel sheet (alternate) (24500/1/2)
6.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika xls
Reporter abuse_ch
Tags:cve-2017-0199 DBatLoader xls

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 4
OLE dump

MalwareBazaar was able to identify 15 sections in this file using oledump:

Section IDSection sizeSection name
1114 bytesCompObj
2244 bytesDocumentSummaryInformation
3200 bytesSummaryInformation
499 bytesMBD0003CB6C/CompObj
517318 bytesMBD0003CB6C/Package
6332 bytesMBD0003CB6D/Ole
7388554 bytesWorkbook
8527 bytes_VBA_PROJECT_CUR/PROJECT
9104 bytes_VBA_PROJECT_CUR/PROJECTwm
10977 bytes_VBA_PROJECT_CUR/VBA/Sheet1
11977 bytes_VBA_PROJECT_CUR/VBA/Sheet2
12977 bytes_VBA_PROJECT_CUR/VBA/Sheet3
13985 bytes_VBA_PROJECT_CUR/VBA/ThisWorkbook
142644 bytes_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
15553 bytes_VBA_PROJECT_CUR/VBA/dir
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
SuspiciousHex StringsHex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence

File Origin
# of uploads :
2
# of downloads :
420
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment Slip.xls
Verdict:
No threats detected
Analysis date:
2024-09-25 06:11:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ae16a807-1f55-4c3a-9f7d-818aa6e54a77

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Legit
File type:
application/vnd.ms-excel
Has a screenshot:
False
Contains macros:
False
Detection(s):
TwinWave.EvilDoc.93TilInfinity.20240412.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66f3a6418aca58c2b2c73335
Tags:
Generic Infostealer Office Heur Macro Micro Tori
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Creating a window
DNS request
Sending an HTTP GET request
Searching for synchronization primitives
Launching a process
Сreating synchronization primitives
Creating a file
Connection attempt
Sending a custom TCP request
Creating a file in the %AppData% directory
Connection attempt by exploiting the app vulnerability
Sending a custom TCP request by exploiting the app vulnerability
Launching a process by exploiting the app vulnerability
Creating a process from a recently created file
Result
Verdict:
Malicious
File Type:
Legacy Excel File with Macro
Link:
https://app.docguard.net/60a3ba978c54e5c55e3e41ae565ff05ba1e7fa9627a8bde0edb751aad25fa298/results/dashboard
Payload URLs
URL
File name
https://topkale.me/s5mrR5
Embedded Ole
Behaviour
SuspiciousRTF detected
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
macros
Link:
https://www.filescan.io/uploads/66f3a63b28a6e83e14167458/reports/7f2f0fc5-2b21-45fe-8210-876b64c40f99/overview
Verdict:
Malicious
Labled as:
CVE-2017-0199
Link:
https://www.hybrid-analysis.com/sample/60a3ba978c54e5c55e3e41ae565ff05ba1e7fa9627a8bde0edb751aad25fa298
Gathering data
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/60a3ba978c54e5c55e3e41ae565ff05ba1e7fa9627a8bde0edb751aad25fa298
Result
Threat name:
DBatLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1517841
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Document exploit detected (process start blacklist hit)
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Early bird code injection technique detected
Excel sheet contains many unusual embedded objects
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Microsoft Office drops suspicious files
Microsoft Office launches external ms-search protocol handler (WebDAV)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office drops RTF file
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Office viewer loads remote template
Queues an APC in another process (thread injection)
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: Equation Editor Network Connection
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1517841 Sample: Payment Slip.xls Startdate: 25/09/2024 Architecture: WINDOWS Score: 100 58 topkale.me 2->58 72 Suricata IDS alerts for network traffic 2->72 74 Found malware configuration 2->74 76 Malicious sample detected (through community Yara rule) 2->76 78 22 other signatures 2->78 9 EXCEL.EXE 57 33 2->9         started        signatures3 process4 dnsIp5 60 topkale.me 188.114.97.3, 443, 49161, 49166 CLOUDFLARENETUS European Union 9->60 62 107.175.243.142, 49162, 49169, 49170 AS-COLOCROSSINGUS United States 9->62 42 C:\Users\user\...\Payment Slip.xls (copy), Composite 9->42 dropped 13 audiodg.exe 1 6 9->13         started        18 WINWORD.EXE 345 37 9->18         started        file6 process7 dnsIp8 64 maan2u.com 112.137.173.77, 443, 49171, 49172 TMVADS-APTM-VADSDCHostingMY Malaysia 13->64 44 C:\Users\Public\Qzzgbhha.url, MS 13->44 dropped 46 C:\Users\Public\Libraries\Qzzgbhha, data 13->46 dropped 84 Multi AV Scanner detection for dropped file 13->84 86 Early bird code injection technique detected 13->86 88 Machine Learning detection for dropped file 13->88 96 2 other signatures 13->96 20 cmd.exe 13->20         started        22 esentutl.exe 1 13->22         started        25 colorcpl.exe 13->25         started        66 topkale.me 18->66 68 188.114.96.3, 443, 49164, 49165 CLOUDFLARENETUS European Union 18->68 70 188.114.96.9, 443, 49163, 49168 CLOUDFLARENETUS European Union 18->70 48 C:\Users\user\AppData\...\topkale.me.url, MS 18->48 dropped 50 C:\Users\user\AppData\Roaming\...\s5mrR5.url, MS 18->50 dropped 52 ~WRF{33CBD043-5960...0-5230D51D71E5}.tmp, Composite 18->52 dropped 90 Microsoft Office launches external ms-search protocol handler (WebDAV) 18->90 92 Office viewer loads remote template 18->92 94 Microsoft Office drops suspicious files 18->94 27 EQNEDT32.EXE 12 18->27         started        file9 signatures10 process11 file12 30 esentutl.exe 1 20->30         started        34 esentutl.exe 1 20->34         started        36 C:\Users\Public\Libraries\Qzzgbhha.PIF, PE32 22->36 dropped 38 C:\Users\user\AppData\Roaming\audiodg.exe, PE32 27->38 dropped 40 C:\Users\user\AppData\...\audiodg[1].exe, PE32 27->40 dropped 80 Office equation editor establishes network connection 27->80 82 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 27->82 signatures13 process14 file15 54 C:\Users\Public\alpha.pif, PE32 30->54 dropped 98 Drops PE files to the user root directory 30->98 100 Drops PE files with a suspicious file extension 30->100 102 Drops or copies cmd.exe with a different name (likely to bypass HIPS) 30->102 56 C:\Users\Public\xpha.pif, PE32 34->56 dropped signatures16
Score:
100%
Verdict:
Malware
File Type:
OFFICE
Link:
https://malprob.io/report/60a3ba978c54e5c55e3e41ae565ff05ba1e7fa9627a8bde0edb751aad25fa298
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/60a3ba978c54e5c55e3e41ae565ff05ba1e7fa9627a8bde0edb751aad25fa298/
Threat name:
Document-Excel.Exploit.CVE-2017-0199
Create hunting rule
Status:
Malicious
First seen:
2024-09-25 05:57:11 UTC
File Type:
Document
Extracted files:
29
AV detection:
12 of 24 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mcr3vf4mkts4kxr6igxfmx7qloq6p6uwe6ul3yhnw5i2vus7ukma._file
Verdict:
malicious
Label(s):
dbatloader
Create hunting rule
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader discovery trojan
Link:
https://tria.ge/reports/240925-gnlnss1hrb/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Launches Equation Editor
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Office loads VBA resources, possible macro or embedded object present
Program crash
System Location Discovery: System Language Discovery
Abuses OpenXML format to download file from external location
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
ModiLoader Second Stage
ModiLoader, DBatLoader
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8a8fa0e0-15ac-4ccf-b67f-338bb174bcc3
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/60a3ba978c54e5c55e3e41ae565ff05ba1e7fa9627a8bde0edb751aad25fa298

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:informational_win_ole_protected
Create hunting rule
Author:Jeff White (karttoon@gmail.com) @noottrak
Description:Identify OLE Project protection within documents.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments