MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 671f8af9acc3ec534821b1fd018c7726daa235e21df1092193056d95bfb54777. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DBatLoader

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments

SHA256 hash:	671f8af9acc3ec534821b1fd018c7726daa235e21df1092193056d95bfb54777
SHA3-384 hash:	748a238e9c79fb31898119c5c84e50ac9b3bedc4d649eb1e683e98e804863e7d3ec10f92cf0cabdbf7b04c4df0d8bfbb
SHA1 hash:	eeee14bb8c6477988b4a8da8583e32d45c4cd7ab
MD5 hash:	e159bdacc804fecd859ee4751c654052
humanhash:	tennessee-wolfram-johnny-glucose
File name:	Znokqyctuubnie.exe
Download:	download sample
Signature	DBatLoader Create hunting rule
File size:	2'774'016 bytes
First seen:	2024-01-22 09:50:00 UTC
Last seen:	2024-01-23 11:43:20 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	02e3ebe88b2a6296bb4b034e0bd03814 (4 x DBatLoader, 1 x RemcosRAT)
ssdeep	49152:xDWu2Avcfk5wAQaEOsA7M0enZFOZrABL:xyu9uFI0x
TLSH	T1C3D5BE014F7CB8B2FCD4C936CE677364AB657E31AD60899232A978DCD976E9D702C012
TrID	36.1% (.SCR) Windows screen saver (13097/50/3) 29.0% (.EXE) Win64 Executable (generic) (10523/12/4) 12.4% (.EXE) Win32 Executable (generic) (4505/5/1) 5.7% (.EXE) Win16/32 Executable Delphi generic (2072/23) 5.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	111cfc60abb56b15 (4 x DBatLoader, 1 x RemcosRAT)
Reporter	abuse_ch
Tags:	DBatLoader exe

Intelligence

File Origin

# of uploads :

# of downloads :

323

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

671f8af9acc3ec534821b1fd018c7726daa235e21df1092193056d95bfb54777.exe

Verdict:

Malicious activity

Analysis date:

2024-01-22 09:54:48 UTC

Tags:

dbatloader

Link:

https://app.any.run/tasks/c494024f-8a04-4384-9203-14d27739ffd3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

ModiLoader

Link:

https://www.capesandbox.com/analysis/472233/

Detection(s):

SecuriteInfo.com.Win32.DropperX-gen.27795.5245.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

Searching for synchronization primitives

DNS request

Sending a custom TCP request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

fingerprint hook keylogger packed

Link:

https://www.filescan.io/uploads/65ae3a4b3b46cfd29c177dc3/reports/8ae7b746-6115-401b-8d62-32d685f5ded3/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/671f8af9acc3ec534821b1fd018c7726daa235e21df1092193056d95bfb54777

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/dae06ecf-2d0e-4c70-998a-dc0b91d7e99e

Result

Threat name:

DBatLoader

Detection:

malicious

Classification:

troj

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/1378610

Signature

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected DBatLoader

Behaviour

Behavior Graph:

Download SVG

Score:

97%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/671f8af9acc3ec534821b1fd018c7726daa235e21df1092193056d95bfb54777

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/671f8af9acc3ec534821b1fd018c7726daa235e21df1092193056d95bfb54777/

Threat name:

Win32.Trojan.ModiLoader

Status:

Malicious

First seen:

2024-01-22 08:23:24 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 38 (60.53%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=m4pyv6nmypwfgsbbwh6qdddxe3nkenpcdxyqsimtavwzlp5vi53q._file

Verdict:

unknown

Result

Malware family:

modiloader

Score:

10/10

Tags:

family:modiloader trojan

Link:

https://tria.ge/reports/240122-ltx18seaa5/

Behaviour

Script User-Agent

Suspicious use of WriteProcessMemory

Program crash

ModiLoader Second Stage

ModiLoader, DBatLoader

Gathering data

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/671f8af9acc3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/671f8af9acc3ec534821b1fd018c7726daa235e21df1092193056d95bfb54777

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BobSoftMiniDelphiBoBBobSoft Create hunting rule
Author:	malware-lu

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DBatLoader

exe 671f8af9acc3ec534821b1fd018c7726daa235e21df1092193056d95bfb54777

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/472233/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample