MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f4628db14ddcff78f5b0ad2c62f6791e4b29901eb9ef8a3686a2b7019308a99. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6f4628db14ddcff78f5b0ad2c62f6791e4b29901eb9ef8a3686a2b7019308a99
SHA3-384 hash: 457707f4b4c2037969889bf36f690566fea7456c4d147c756ff02e12cbadc18038f91f78bb9a6301207013714a871f66
SHA1 hash: 99c8a0db1608b7f3fe783829f13a6a594554f142
MD5 hash: 8e60c68e832622b0ebd88a612898a9f9
humanhash: comet-beer-timing-india
File name:Yeni siparişi onaylayın - TK176H,pdf.exe
Download: download sample
Signature DBatLoader
Create hunting rule
File size:901'632 bytes
First seen:2022-06-26 07:36:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5280055d457e9ca268949d0a6c7d827a (2 x RemcosRAT, 1 x DBatLoader)
ssdeep 12288:VFAa/jmra7RB+8VL4sckZIRDrtQXLgL7f/Bm+vym2/r3Ayd3soZdKYcSwuY:jV6rk1VL4oIRD6bgXXtvHy1XKly
Threatray 3'561 similar samples on MalwareBazaar
TLSH T1FB159E25F6C04437C5F21D755C4BA2A59837BF112E2CAC866BE53E4D3F3AA81382D297
TrID 26.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
24.5% (.SCR) Windows screen saver (13101/52/3)
19.7% (.EXE) Win64 Executable (generic) (10523/12/4)
8.4% (.EXE) Win32 Executable (generic) (4505/5/1)
5.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon 74f08889868e88b4 (13 x RemcosRAT, 4 x AveMariaRAT, 2 x ModiLoader)
Reporter abuse_ch
Tags:DBatLoader exe geo TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
264
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/283297/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger
Link:
https://www.filescan.io/uploads/62b80c7d78c728351893543a/reports/d804e31f-9cac-4a1d-9afb-7528fc12ad37/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/0cec59ee-e765-4a73-81a6-01a47cb8a46f
Result
Threat name:
Remcos, DBatLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1019894
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Detected Remcos RAT
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 652390 Sample: Yeni sipari#U015fi onaylay#... Startdate: 26/06/2022 Architecture: WINDOWS Score: 100 45 Snort IDS alert for network traffic 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 6 other signatures 2->51 6 Yeni sipari#U015fi onaylay#U0131n - TK176H,pdf.exe 1 17 2->6         started        11 Eluiezilfw.exe 13 2->11         started        13 Eluiezilfw.exe 13 2->13         started        process3 dnsIp4 27 cdn.discordapp.com 162.159.130.233, 443, 49716, 49719 CLOUDFLARENETUS United States 6->27 29 192.168.2.1 unknown unknown 6->29 23 C:\Users\Public\Librariesluiezilfw.exe, PE32 6->23 dropped 25 C:\Users\...luiezilfw.exe:Zone.Identifier, ASCII 6->25 dropped 53 Writes to foreign memory regions 6->53 55 Allocates memory in foreign processes 6->55 57 Creates a thread in another existing process (thread injection) 6->57 15 logagent.exe 2 6->15         started        31 162.159.133.233, 443, 49745 CLOUDFLARENETUS United States 11->31 59 Multi AV Scanner detection for dropped file 11->59 61 Injects a PE file into a foreign processes 11->61 19 logagent.exe 11->19         started        33 162.159.134.233, 443, 49751 CLOUDFLARENETUS United States 13->33 21 DpiScaling.exe 13->21         started        file5 signatures6 process7 dnsIp8 35 blessmyhustlelord.ddns.net 37.0.14.195, 49746, 49747, 49749 WKD-ASIE Netherlands 15->35 37 Contains functionalty to change the wallpaper 15->37 39 Found stalling execution ending in API Sleep call 15->39 41 Contains functionality to steal Chrome passwords or cookies 15->41 43 4 other signatures 15->43 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6f4628db14ddcff78f5b0ad2c62f6791e4b29901eb9ef8a3686a2b7019308a99/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-06-26 06:44:11 UTC
File Type:
PE (Exe)
Extracted files:
42
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n5dcrwyu3xh7pd23bljmml3hshslfgib5oppri3inivxagjqrkmq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
15170d0dbe467efc4e38156ed4e03702ae19af44c100d7df7a75c6dbdb7ac587
DBatLoader
4ea16682c6d48eb737c1857beceadc3d3077921c03fa62d9dad44d551d92729d
DBatLoader
628714308e23fcb40095b63c6822b08f8a9b90de2ac290ff1e8e01b6ccde1568
DBatLoader
83f54b46a10ce36ac80d885c29cbf1c88c65250163961193916123c282d36784
DBatLoader
84a066f7294211d47a88b38b0ad9ff2f0e385973c4a3b92b39b2df25e178aca8
DBatLoader
8a76f76aa6af2cb9a5a30d6bf09722e2fcdb1555c253a15f798529f5ccb5de1d
DBatLoader
b5734fe9e898335433674437790e741440b75c6a749ceb7455555c88303daedc
DBatLoader
bfa4daa95a303253a45cc02597d1fa404168fb88e627dc3afa4b3548a6ff893d
DBatLoader
e7c74f89332dcf4bf0ebaa50d960a8c82a521ca2c9608ecbb13e719e9744b5ca
DBatLoader
fa3e1ea5a814915ffc65b8a94180aedccf3140f515f05737f3017d6ab6f10b89
DBatLoader
+ 3'551 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220626-jfs41sabfp/
Unpacked files
SH256 hash:
76072a18d2f85aeed4d750fe61cb2a2ac1105a41c2b0f0f7b0f23199b9206e2a
MD5 hash:
f6dd1f98fc62a2bbeed6d72ffe0dfad6
SHA1 hash:
f604ab4384fadc77ff25b182f718c2fb07f7ea68
Link:
https://www.unpac.me/results/27ea1ff7-9f25-478d-8cdb-275be3b3feac/
SH256 hash:
5706bb1ba583dd0882a40722848d0d5e7d42086b6ffcfbf1871c389b8d200f63
MD5 hash:
655c262bb5ac608239e26a3ba270b383
SHA1 hash:
86e3f1cd4e5e1692527e871646cbc2cc7a674f31
Link:
https://www.unpac.me/results/27ea1ff7-9f25-478d-8cdb-275be3b3feac/
SH256 hash:
0b4b7d7628499c9d0c62562dc64f22baf5390cd32f71e0317c259511ae85b5b6
MD5 hash:
d6e8fb9c9383709a7475144fbc74cb44
SHA1 hash:
3dc32f98eb13d725511b64924730132883ad3591
Link:
https://www.unpac.me/results/27ea1ff7-9f25-478d-8cdb-275be3b3feac/
SH256 hash:
6f4628db14ddcff78f5b0ad2c62f6791e4b29901eb9ef8a3686a2b7019308a99
MD5 hash:
8e60c68e832622b0ebd88a612898a9f9
SHA1 hash:
99c8a0db1608b7f3fe783829f13a6a594554f142
Link:
https://www.unpac.me/results/27ea1ff7-9f25-478d-8cdb-275be3b3feac/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6f4628db14dd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.94
Link:
https://yomi.yoroi.company/submissions/6f4628db14ddcff78f5b0ad2c62f6791e4b29901eb9ef8a3686a2b7019308a99

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DBatLoader

Executable exe 6f4628db14ddcff78f5b0ad2c62f6791e4b29901eb9ef8a3686a2b7019308a99

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/283297/

Comments