MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 62b02a89307278de7cbdfa300d7ecd8242e2066c4328ab384814662f7a8b3cbb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 62b02a89307278de7cbdfa300d7ecd8242e2066c4328ab384814662f7a8b3cbb
SHA3-384 hash: ec83435bc169fcb68672c3512993c4fc84ef3023ecfc7682d809a7d0d3d1d0ad6e42b564e3b28730b7bd75eb3896e62d
SHA1 hash: 4e4b8c5f6a84a7629e0fdfdd6c03cfb4252b8632
MD5 hash: 92dda8db95fb68c12ebbe1afd1bc8cfc
humanhash: muppet-earth-delta-india
File name:Aramid, P84, PTFE, PSA Spareparts.exe
Download: download sample
Signature DBatLoader
Create hunting rule
File size:896'512 bytes
First seen:2022-08-16 22:27:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56fcbf938fcaf605f597e44973bb5c3f (4 x Formbook, 2 x RemcosRAT, 2 x DBatLoader)
ssdeep 24576:VkS1iKn5q5M4y7BAgAiIekzFgYgl8O2XeLoPxl:VkNl5aivAl8fOLoJl
Threatray 1'671 similar samples on MalwareBazaar
TLSH T181159F3BB3914833DA7725788D1B53E05C2ABD1A2D68B4873AE52D2C6F395407B39393
TrID 26.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
24.5% (.SCR) Windows screen saver (13101/52/3)
19.7% (.EXE) Win64 Executable (generic) (10523/12/4)
8.4% (.EXE) Win32 Executable (generic) (4505/5/1)
5.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon 27d0d8e4d4d8f007 (7 x Formbook, 6 x RemcosRAT, 6 x DBatLoader)
Reporter James_inthe_box
Tags:DBatLoader exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
259
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
Aramid, P84, PTFE, PSA Spareparts.exe
Verdict:
Malicious activity
Analysis date:
2022-08-16 08:45:39 UTC
Tags:
trojan rat remcos keylogger
Link:
https://app.any.run/tasks/c62b533f-9b79-4dd4-9222-a6ab77513d45

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/299074/
Detection(s):
Sanesecurity.Rogue.0hr.20220816-0934.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.AI.Packer.F0A6F58C19.8063.9807.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a file
Unauthorized injection to a recently created process
Setting a keyboard event handler
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/29137/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug anti-vm greyware keylogger
Link:
https://www.filescan.io/uploads/62fc19f62283c2cb350b0ef2/reports/9f22064d-5654-4fce-9bd6-71990998c3a8/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4ff19b1c-3298-4ae1-935d-d3de8ae6d9f2
Result
Threat name:
DBatLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1052586
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Delayed program exit found
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses dynamic DNS services
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 685103 Sample: Aramid, P84, PTFE, PSA Spar... Startdate: 17/08/2022 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Antivirus detection for URL or domain 2->53 55 9 other signatures 2->55 6 Aramid, P84, PTFE, PSA Spareparts.exe 1 17 2->6         started        11 Wzpghgokn.exe 14 2->11         started        13 Wzpghgokn.exe 14 2->13         started        process3 dnsIp4 29 utql7a.am.files.1drv.com 6->29 31 onedrive.live.com 6->31 33 am-files.fe.1drv.com 6->33 25 C:\Users\Public\Libraries\Wzpghgokn.exe, PE32 6->25 dropped 27 C:\Users\...\Wzpghgokn.exe:Zone.Identifier, ASCII 6->27 dropped 57 Injects a PE file into a foreign processes 6->57 15 Aramid, P84, PTFE, PSA Spareparts.exe 2 17 6->15         started        35 utql7a.am.files.1drv.com 11->35 39 2 other IPs or domains 11->39 59 Multi AV Scanner detection for dropped file 11->59 61 Delayed program exit found 11->61 19 Wzpghgokn.exe 11->19         started        37 utql7a.am.files.1drv.com 13->37 41 2 other IPs or domains 13->41 21 conhost.exe 13->21         started        23 Wzpghgokn.exe 13->23         started        file5 signatures6 process7 dnsIp8 43 bestsuccess.ddns.net 80.85.153.132, 2442, 49710 CHELYABINSK-SIGNAL-ASRU Russian Federation 15->43 45 geoplugin.net 178.237.33.50, 49711, 80 ATOM86-ASATOM86NL Netherlands 15->45 47 Installs a global keyboard hook 15->47 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/62b02a89307278de7cbdfa300d7ecd8242e2066c4328ab384814662f7a8b3cbb/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-08-15 08:56:00 UTC
File Type:
PE (Exe)
Extracted files:
44
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mkycvcjqoj4n47f57iya27wnqjboebtmimukwocicrtc66ulhs5q._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
04d9ffc7ec20fe6a740721b913247ad7fdd7e5e4b33a11f9ef9bc64bab90a335
DBatLoader
0c3d385c94560cc9fa56c7cab2a5401c37397820956adaa20e5b4fa6422ceb3d
DBatLoader
217bb63194104a743dea34fafc9d8f38c842cde812ec86dfff64b03526bd2d89
DBatLoader
454d090924d15eaeca3540419ccae9ce956e2dc1ff71593971e4112b843f237f
DBatLoader
65cdfaf2f1780649028e28012f826da60bc9c2f2c36ea8239a2378a5abcf083f
DBatLoader
7d237aef354c63c3618c8c8df4718e2c5056edd90702bc77a233944e2c42de9b
DBatLoader
a6abf72d95dac9ba6e6e4b53d9cbcd013846660a18ac5b9eeacb6cd87c783a2c
DBatLoader
aeff864a48f8a0b26b5db70bebd4a437875dd33b3b35b8953ea216ce126c5e1e
DBatLoader
c30d279d37c323a04f669c9912768e2b9f512342bdd4001160c3d22182d7b2a8
DBatLoader
+ 1'661 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:yak persistence rat trojan
Link:
https://tria.ge/reports/220816-2dm44afaaq/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
bestsuccess.ddns.net:2442
Unpacked files
SH256 hash:
1aa0b0480f4a4a41977ee8725c0be025bf8ea30f83696633062d5741af8200af
MD5 hash:
1324549c176999f791dc1b3cb2eb1fc2
SHA1 hash:
11f4e74ba73cda5d6861fa5bf93dc5062a71e98f
Link:
https://www.unpac.me/results/9ccc6d18-ce42-4523-86c7-6f6b1c39d65c/
SH256 hash:
62b02a89307278de7cbdfa300d7ecd8242e2066c4328ab384814662f7a8b3cbb
MD5 hash:
92dda8db95fb68c12ebbe1afd1bc8cfc
SHA1 hash:
4e4b8c5f6a84a7629e0fdfdd6c03cfb4252b8632
Link:
https://www.unpac.me/results/9ccc6d18-ce42-4523-86c7-6f6b1c39d65c/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/62b02a893072/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/62b02a89307278de7cbdfa300d7ecd8242e2066c4328ab384814662f7a8b3cbb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/299074/

Comments