MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 68e4f5fa48a43147614b9ded12822c3342d43c67acc20dda2b65e45bf2547af6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 18


Maldoc score: 9


Intelligence 18 IOCs YARA 14 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 68e4f5fa48a43147614b9ded12822c3342d43c67acc20dda2b65e45bf2547af6
SHA3-384 hash: bd2d781575e24934a70a6e907307011b86cf6a4ec06965e9540e5836ec55c58c2221ffa213c29ee2e91707f425f7488b
SHA1 hash: d28a9b69142b6686bcf56190d4a85f8535b4e9ee
MD5 hash: 764f342945fa7d3b6448ebaee545fe9f
humanhash: bluebird-stream-lactose-tennessee
File name:Project Documents (Drawings, Specifications,BOQ, P.O).xls
Download: download sample
Signature DBatLoader
Create hunting rule
File size:1'759'232 bytes
First seen:2025-10-14 11:18:29 UTC
Last seen:Never
File type:Excel file xls
MIME type:application/vnd.ms-excel
ssdeep 24576:fr3V6+OX3rYH5jU9yToKEUmFllWdKpwWkdB+HS4mJoPvImpZ9gDaZQI0VfClkcd/:TQ5bMklwIIr/mpcY0VcNd/
TLSH T10885E040FF90AA5AC52843358AEB67666331FC1157970B0B334CB3163EB22E86E575DE
TrID 34.9% (.XLS) Microsoft Excel sheet (32500/1/3)
30.1% (.XLS) Microsoft Excel sheet (alternate) (28000/1/3)
26.3% (.XLS) Microsoft Excel sheet (alternate) (24500/1/2)
8.6% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika xls
Reporter abuse_ch
Tags:cve-2017-0199 DBatLoader xls

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 9
Application name is Microsoft Excel
File Format is MS Excel 97-2003
Container Format is OLE
Office document is in encrypted
Office document contains VBA Macros
OLE dump

MalwareBazaar was able to identify 27 sections in this file using oledump:

Section IDSection sizeSection name
1114 bytesCompObj
2244 bytesDocumentSummaryInformation
3200 bytesSummaryInformation
4114 bytesMBD00517975/CompObj
5348 bytesMBD00517975/DocumentSummaryInformation
629036 bytesMBD00517975/SummaryInformation
799 bytesMBD00517975/MBD001D4CE1/CompObj
811214 bytesMBD00517975/MBD001D4CE1/Package
9114 bytesMBD00517975/MBD001D5548/CompObj
10194425 bytesMBD00517975/MBD001D5548/Package
1194 bytesMBD00517975/MBD001D5984/CompObj
1220 bytesMBD00517975/MBD001D5984/Ole
13171554 bytesMBD00517975/MBD001D5984/CONTENTS
1494 bytesMBD00517975/MBD001D5CD6/CompObj
1520 bytesMBD00517975/MBD001D5CD6/Ole
16459502 bytesMBD00517975/MBD001D5CD6/CONTENTS
17504520 bytesMBD00517975/Workbook
18596 bytesMBD00517976/Ole
19356678 bytesWorkbook
20529 bytes_VBA_PROJECT_CUR/PROJECT
21104 bytes_VBA_PROJECT_CUR/PROJECTwm
22977 bytes_VBA_PROJECT_CUR/VBA/Sheet1
23977 bytes_VBA_PROJECT_CUR/VBA/Sheet2
24977 bytes_VBA_PROJECT_CUR/VBA/Sheet3
25985 bytes_VBA_PROJECT_CUR/VBA/ThisWorkbook
262644 bytes_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
27553 bytes_VBA_PROJECT_CUR/VBA/dir
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
SuspiciousHex StringsHex-encoded strings were detected, may beused to obfuscate strings (option --decode tosee all)

Intelligence

File Origin
# of uploads :
1
# of downloads :
111
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Project Documents (Drawings, Specifications,BOQ, P.O).xls
Verdict:
No threats detected
Analysis date:
2025-10-14 11:23:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bf19fcad-4b9b-4849-ba5b-f248d92d179a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/32675/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68ee31a004e22ce9acd9ed71
Tags:
office macro micro
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Connection attempt to an infection source by exploiting the app vulnerability
Sending a TCP request to an infection source by exploiting the app vulnerability
Сreating synchronization primitives
Query of malicious DNS domain
Result
Verdict:
Malicious
File Type:
Legacy Excel File with Macro
Link:
https://app.docguard.net/68e4f5fa48a43147614b9ded12822c3342d43c67acc20dda2b65e45bf2547af6/results/dashboard
Payload URLs
URL
File name
https://link.takusuki.com/MwayEC
Embedded Ole
Behaviour
SuspiciousRTF detected
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
macros threat
Link:
https://www.filescan.io/uploads/68ee31e94f3013c55e4d42b5/reports/0a7e389a-7708-4160-922f-c83805c36c65/overview
Verdict:
Malicious
Labled as:
CVE-2017-0199
Link:
https://www.hybrid-analysis.com/sample/68e4f5fa48a43147614b9ded12822c3342d43c67acc20dda2b65e45bf2547af6
Label:
Malicious
Suspicious Score:
10/10
Score Malicious:
1%
Score Benign:
0%
Link:
https://www.malware.ai/gui/files/?id=28389f1e-9b8e-4e4c-a285-f80ba7168413
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/68e4f5fa48a43147614b9ded12822c3342d43c67acc20dda2b65e45bf2547af6
Verdict:
Malicious
File Type:
xls
First seen:
2025-10-14T07:21:00Z UTC
Last seen:
2025-10-16T09:21:00Z UTC
Hits:
~100
Detections:
VHO:Trojan-PSW.Win32.Stealer.gen Trojan-Downloader.MSOffice.SLoad.sb HEUR:Exploit.MSOffice.Generic Exploit.MSOffice.CVE-2017-11882.sb HEUR:Exploit.MSOffice.CVE-2017-11882.g HEUR:Trojan-PSW.Win32.DarkCloud.gen Trojan-Downloader.Win32.Agent.sb Trojan.Win32.Shelma.sb HEUR:Exploit.MSOffice.CVE-2018-0802.gen HEUR:Exploit.MSOffice.CVE-2017-0199.w Exploit.MSOffice.CVE-2018-0802.b HEUR:Trojan.Script.Generic Trojan.Win32.Shellcode.sb Trojan-Downloader.Agent.HTTP.C&C Trojan.Win64.Agentb.sb PDM:Trojan.Win32.Generic Trojan-Dropper.Win32.Dorifel.sbd HEUR:Trojan-Downloader.MSOffice.SLoad.gen
Link:
https://opentip.kaspersky.com/68e4f5fa48a43147614b9ded12822c3342d43c67acc20dda2b65e45bf2547af6/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1794740
Signature
Antivirus detection for URL or domain
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
OFFICE
Link:
https://malprob.io/report/68e4f5fa48a43147614b9ded12822c3342d43c67acc20dda2b65e45bf2547af6
Verdict:
Malware
YARA:
7 match(es)
Tags:
Corrupted Office Document
Link:
https://app.malva.re/file/764f342945fa7d3b6448ebaee545fe9f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/68e4f5fa48a43147614b9ded12822c3342d43c67acc20dda2b65e45bf2547af6/
Verdict:
Malicious
Threat:
Exploit.MSOffice.CVE-2017-11882
Link:
https://tip.neiki.dev/file/68e4f5fa48a43147614b9ded12822c3342d43c67acc20dda2b65e45bf2547af6
Threat name:
Document-Office.Exploit.CVE-2017-0199
Create hunting rule
Status:
Malicious
First seen:
2025-10-14 10:22:45 UTC
File Type:
Document
Extracted files:
94
AV detection:
12 of 24 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ndspl6siuqyuoykltxwrfarmgnbnipdhvtba3wrlmxsfx4supl3a._file
Verdict:
malicious
Label(s):
dbatloader
Create hunting rule
Similar samples:
error
DBatLoader
Result
Malware family:
n/a
Score:
  1/10
Tags:
persistence ransomware
Link:
https://tria.ge/reports/251014-nfc51s1qw2/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/fc978409-09b4-4e97-ba41-51a69ea8f11e
Malware family:
DonutLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/68e4f5fa48a4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/68e4f5fa48a43147614b9ded12822c3342d43c67acc20dda2b65e45bf2547af6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:informational_win_ole_protected
Create hunting rule
Author:Jeff White (karttoon@gmail.com) @noottrak
Description:Identify OLE Project protection within documents.
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:XLS_STRINGS
Create hunting rule
Author:somedieyoungZZ
Description:Detect Strings targeting Bangladesh

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/32675/

Comments


Avatar
commented on 2025-10-16 06:19:18 UTC

Payload URL:
https://link.takusuki.com/MwayEC