MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63946c04c77ccb8f6f48057f0cd4495f7751192b0016c99669a0b6aea330d538. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 63946c04c77ccb8f6f48057f0cd4495f7751192b0016c99669a0b6aea330d538
SHA3-384 hash: f9d11be3ba5f012075c284ad424376ba81ece1c86a1b08eecdaaab83376c8cda2f690502d0166e773bfec2480cf7aea9
SHA1 hash: f2a6b9d2a830e01b36d45a1087d923c7bb8c0f49
MD5 hash: 1ea8b1152c0eea8488fbda14be5345fe
humanhash: hydrogen-moon-high-pip
File name:SecuriteInfo.com.Trojan.DownLoader46.2645.9739.27992
Download: download sample
Signature DBatLoader
Create hunting rule
File size:1'244'160 bytes
First seen:2023-09-06 14:32:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash beefa6546dd4570bf21020f1082d8b97 (2 x RemcosRAT, 1 x DBatLoader, 1 x Formbook)
ssdeep 24576:ORTaL+A2f8Zhp8bYm1EnyWjkf0eFuPD+4m:gTaKsh
Threatray 10 similar samples on MalwareBazaar
TLSH T148456CE2A358DC72F46A3579C849B2C0392A7DED693E9CCD526C79491A73761382C03F
TrID 54.3% (.EXE) InstallShield setup (43053/19/16)
16.5% (.SCR) Windows screen saver (13097/50/3)
13.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.EXE) Win32 Executable (generic) (4505/5/1)
2.6% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 60e094e28484a0cc (2 x RemcosRAT, 1 x DBatLoader, 1 x Formbook)
Reporter SecuriteInfoCom
Tags:DBatLoader exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
289
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Trojan.DownLoader46.2645.9739.27992
Verdict:
Malicious activity
Analysis date:
2023-09-06 14:33:04 UTC
Tags:
installer dbatloader formbook xloader trojan stealer spyware
Link:
https://app.any.run/tasks/b737b5ef-febf-4476-84e9-2365375b2e7a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/446647/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader46.2645.9739.27992.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Sending a custom TCP request
DNS request
Creating a file
Launching a process
Creating a process with a hidden window
Launching cmd.exe command interpreter
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control keylogger lolbin overlay replace
Link:
https://www.filescan.io/uploads/64f88da131c991f8dc087430/reports/1be31d93-98af-4ef2-8ff6-c9d690cc1836/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/63946c04c77ccb8f6f48057f0cd4495f7751192b0016c99669a0b6aea330d538
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0c61e9da-47cc-4843-9049-9f319078d3c1
Result
Threat name:
FormBook, DBatLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1304468
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected FormBook malware
Drops PE files with a suspicious file extension
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Steal Google chrome login data
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1304468 Sample: SecuriteInfo.com.Trojan.Dow... Startdate: 06/09/2023 Architecture: WINDOWS Score: 100 44 www.hcwoodpanel.com 2->44 46 www.a2zglobalimports.com 2->46 48 5 other IPs or domains 2->48 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Antivirus detection for URL or domain 2->54 56 7 other signatures 2->56 11 SecuriteInfo.com.Trojan.DownLoader46.2645.9739.27992.exe 1 2 2->11         started        signatures3 process4 file5 42 C:\Users\Public\Libraries\Scdydexc.PIF, PE32 11->42 dropped 72 Drops PE files with a suspicious file extension 11->72 74 Writes to foreign memory regions 11->74 76 Allocates memory in foreign processes 11->76 78 Injects a PE file into a foreign processes 11->78 15 colorcpl.exe 2 11->15         started        signatures6 process7 signatures8 80 Modifies the context of a thread in another process (thread injection) 15->80 82 Maps a DLL or memory area into another process 15->82 84 Sample uses process hollowing technique 15->84 86 2 other signatures 15->86 18 explorer.exe 10 4 15->18 injected process9 process10 20 wscript.exe 18 18->20         started        24 Scdydexc.PIF 18->24         started        file11 36 C:\Users\user\AppData\...\8N3logrv.ini, data 20->36 dropped 38 C:\Users\user\AppData\...\8N3logri.ini, data 20->38 dropped 58 Detected FormBook malware 20->58 60 Tries to steal Mail credentials (via file / registry access) 20->60 62 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 20->62 68 6 other signatures 20->68 26 cmd.exe 2 20->26         started        30 firefox.exe 20->30         started        64 Multi AV Scanner detection for dropped file 24->64 66 Machine Learning detection for dropped file 24->66 32 colorcpl.exe 24->32         started        signatures12 process13 file14 40 C:\Users\user\AppData\Local\Temp\DB1, SQLite 26->40 dropped 70 Tries to harvest and steal browser information (history, passwords, etc) 26->70 34 conhost.exe 26->34         started        signatures15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/63946c04c77ccb8f6f48057f0cd4495f7751192b0016c99669a0b6aea330d538/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2023-09-05 16:05:32 UTC
File Type:
PE (Exe)
Extracted files:
106
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mokgybghptfy632iav7qzvcjl53vcgjlaalmtftjuc3k5izq2u4a._file
Verdict:
malicious
Similar samples:
287a8c784bc439337cd063735d6941eb0a40f2a9137b085bb86dd8d4aa14fcc9
DBatLoader
3074b7ebb1cf86d43eb65ab8fdf650cfc5055c79ec91b2b685d74b7f244d39fb
DBatLoader
33ca9923e204fe49ca08062c7799a0edd936be726f89e661756e058677eb4a96
DBatLoader
46b90babfe4fa66ac9938280e0c884b0d490a34071bd29b846a2aa0c7a89e265
DBatLoader
56a3dc5c90ade897e349ba0fd0433770dcdda32b5bd2a1c6608b2af2f9b34c05
DBatLoader
8be7eccf75282dc9c49fb20b4c7a500cf4fcd2e5401892dea640f0fd0663524e
DBatLoader
8fa3e79856319c3ac7ff04639dcdbaec1ec7ce8c92e4a7aca8637751c84a247b
DBatLoader
c9e1785bc8bf36c1e16b38755288f7b726f4ff29a87dfda9004c8f6d9400c51d
DBatLoader
d3f1d0c0e37e33ad600d209bd43d61a3e94b6bd2a5d87b63c53184d070ee1680
DBatLoader
ec2a93fc951dac56dd988691db138c94ea8cbd477127bf95c2a9483f602d6b1e
DBatLoader
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:modiloader campaign:kmge persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/230906-rwvlsagc3s/
Behaviour
Modifies Internet Explorer settings
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Formbook payload
ModiLoader Second Stage
Formbook
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
caff55091f9f21cc5b5b4df4f691831c5133fdcfe683d463bfe5d505c674d6c5
MD5 hash:
422da326ae51bb66f16f04315a229988
SHA1 hash:
4dc32ab1248b9eba70b105c72e4053892927ff0f
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/5cd2be9e-b055-40a4-8c46-be7269f4eab9/
SH256 hash:
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
MD5 hash:
c116d3604ceafe7057d77ff27552c215
SHA1 hash:
452b14432fb5758b46f2897aeccd89f7c82a727d
Link:
https://www.unpac.me/results/5cd2be9e-b055-40a4-8c46-be7269f4eab9/
SH256 hash:
63946c04c77ccb8f6f48057f0cd4495f7751192b0016c99669a0b6aea330d538
MD5 hash:
1ea8b1152c0eea8488fbda14be5345fe
SHA1 hash:
f2a6b9d2a830e01b36d45a1087d923c7bb8c0f49
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/5cd2be9e-b055-40a4-8c46-be7269f4eab9/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/63946c04c77c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/63946c04c77ccb8f6f48057f0cd4495f7751192b0016c99669a0b6aea330d538

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/446647/

Comments