MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6801e72d76e2131ff91a42e054fdcf34f0c024e203b1e314beefe8dee734acf2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DBatLoader

Vendor detections: 14

SHA256 hash: 6801e72d76e2131ff91a42e054fdcf34f0c024e203b1e314beefe8dee734acf2
SHA3-384 hash: ea2e44b88c2d85d82222092a9054c567fdfed44b36e30df6a31f9e9422e39e67c854eb93bc129302ac7efe25d263b87f
SHA1 hash: e5aaf5f32d145c6af1029e643596f9a6500eaef8
MD5 hash: eacd050015d7069e8988d57e67d2d7ba
humanhash: eight-beer-princess-vegan
File name: Document.exe
Signature: DBatLoader
File size: 859'136 bytes
First seen: 2022-01-20 12:11:49 UTC
Last seen: 2022-01-20 13:45:44 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 91de5b52d8bb7ad58cc9d7384c309dcb (1 x BitRAT, 1 x DBatLoader)
ssdeep: 12288:cvy7FkT7dEN/x9ADy2P/JQgfKKviABe4RX4tKa/B1HoGW7T3bnvwZ:iuF+dENZ9ADy26cKKqAU8XranXKT7v
Threatray: 1'490 similar samples on MalwareBazaar
TLSH: T11C05B023B2A08537D02B0B788C6A97ED6515BF112F58F88776E4BD4C1F39240B52AED7
dhash icon: 7cf6b6aa8ed8e8b4 (18 x Formbook, 8 x DBatLoader, 7 x AveMariaRAT)
Reporter: madjack_red
Tags: DBatLoader exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 221
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: control.exe keylogger packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Remcos DBatLoader
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Detected Remcos RAT
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph: Behavior Graph ID 556789 (Sample: Document.exe, Startdate: 20/01/2022, Architecture: WINDOWS, Score: 100). The graph image is not reproduced here; its nodes show Document.exe and two instances of Eqzqrpycnc.exe each launching DpiScaling.exe, Document.exe dropping a PE32 file Eqzqrpycnc.exe under C:\Users\user\ (with a Zone.Identifier stream), DNS lookups of onedrive.live.com, and DpiScaling.exe connecting to generem.hopto.org (104.215.112.107, port 2404, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States), with the injection and credential-theft signatures listed above attached to those processes.
Threat name: Win32.Backdoor.Remcos
Status: Malicious
First seen: 2022-01-20 12:12:16 UTC
File Type: PE (Exe)
Extracted files: 53
AV detection: 20 of 28 (71.43%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:remcos botnet:remotehost persistence rat
Behaviour
Suspicious use of WriteProcessMemory
Adds Run key to start application
Remcos
Malware Config
C2 Extraction:
generem.hopto.org:2404
generem1.hopto.org:2404
hendersonk.hopto.org:2404
hendersonk1.hopto.org:2404
gene.ddnsgeek.com:2404
henderson.camdvr.org:2404
henderson1.camdvr.org:2404
Unpacked files
SHA256 hash: 6801e72d76e2131ff91a42e054fdcf34f0c024e203b1e314beefe8dee734acf2
MD5 hash: eacd050015d7069e8988d57e67d2d7ba
SHA1 hash: e5aaf5f32d145c6af1029e643596f9a6500eaef8
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.
