MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f4aeb9995526d099eba9f227cd9282e2bbd43e190442be3355f07e8b41609a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6f4aeb9995526d099eba9f227cd9282e2bbd43e190442be3355f07e8b41609a9
SHA3-384 hash: a9a93d9d276eaee3b1de8cdcdaf6535e8367d493b3759e2944b9fb262ed88b20e81e26af160fae669a211251d583b614
SHA1 hash: ffe598791a743837c0d057a90e4e20f68fe53dda
MD5 hash: eb287c6f84549cb2ed84fb059b989db0
humanhash: white-edward-cola-may
File name:SecuriteInfo.com.W32.Formbook.AA.tr.15627.15839
Download: download sample
Signature DBatLoader
Create hunting rule
File size:1'133'056 bytes
First seen:2023-09-18 01:41:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c2ad891bcde9025eb987ac7b7c972a6f (2 x DBatLoader, 2 x RemcosRAT, 1 x Formbook)
ssdeep 24576:MbrDmg606ige8Nl24myHD6GfZX8H5tav:0tqw
Threatray 27 similar samples on MalwareBazaar
TLSH T164356C24B3426870D036B935CB07A6D4E0EE7DD07E1D58CA51AC7E762AF93A33A1C54B
TrID 50.1% (.EXE) InstallShield setup (43053/19/16)
15.2% (.SCR) Windows screen saver (13097/50/3)
12.2% (.EXE) Win64 Executable (generic) (10523/12/4)
7.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
5.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 30828c8c8c864840 (2 x DBatLoader, 2 x RemcosRAT, 1 x Formbook)
Reporter SecuriteInfoCom
Tags:DBatLoader exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
327
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
ModiLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/449219/
Detection(s):
SecuriteInfo.com.W32.Formbook.AA.tr.15627.15839.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control keylogger lolbin
Link:
https://www.filescan.io/uploads/6507aaeb49c6a4ce497c0655/reports/ff88d759-143e-4aa7-be95-7389296d5b40/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/6f4aeb9995526d099eba9f227cd9282e2bbd43e190442be3355f07e8b41609a9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/08dc018a-eb2d-4d08-9cd3-dee07f6c3a64
Result
Threat name:
DBatLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1309729
Signature
Adds a directory exclusion to Windows Defender
Allocates many large memory junks
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Found malware configuration
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1309729 Sample: SecuriteInfo.com.W32.Formbo... Startdate: 18/09/2023 Architecture: WINDOWS Score: 100 95 Found malware configuration 2->95 97 Malicious sample detected (through community Yara rule) 2->97 99 Antivirus detection for URL or domain 2->99 101 6 other signatures 2->101 11 SecuriteInfo.com.W32.Formbook.AA.tr.15627.15839.exe 1 7 2->11         started        16 Fngcidbe.PIF 2->16         started        process3 dnsIp4 69 web.fe.1drv.com 11->69 71 onedrive.live.com 11->71 77 2 other IPs or domains 11->77 59 C:\Users\Public\Libraries\netutils.dll, PE32+ 11->59 dropped 61 C:\Users\Public\Libraries\easinvoker.exe, PE32+ 11->61 dropped 63 C:\Users\Public\Libraries\Fngcidbe.PIF, PE32 11->63 dropped 125 Drops PE files with a suspicious file extension 11->125 127 Writes to foreign memory regions 11->127 129 Allocates memory in foreign processes 11->129 131 Injects a PE file into a foreign processes 11->131 18 cmd.exe 1 11->18         started        21 colorcpl.exe 2 11->21         started        73 web.fe.1drv.com 16->73 75 onedrive.live.com 16->75 79 2 other IPs or domains 16->79 133 Antivirus detection for dropped file 16->133 135 Multi AV Scanner detection for dropped file 16->135 137 Allocates many large memory junks 16->137 23 SndVol.exe 16->23         started        file5 signatures6 process7 signatures8 103 Uses ping.exe to sleep 18->103 105 Drops executables to the windows directory (C:\Windows) and starts them 18->105 107 Uses ping.exe to check the status of other devices and networks 18->107 25 easinvoker.exe 18->25         started        27 PING.EXE 1 18->27         started        30 xcopy.exe 2 18->30         started        38 8 other processes 18->38 109 Maps a DLL or memory area into another process 21->109 111 Queues an APC in another process (thread injection) 21->111 33 bNIdvNdCKNTunOmKHaNR.exe 21->33 injected 36 bNIdvNdCKNTunOmKHaNR.exe 23->36 injected process9 dnsIp10 40 cmd.exe 1 25->40         started        81 127.0.0.1 unknown unknown 27->81 65 C:\Windows \System32\easinvoker.exe, PE32+ 30->65 dropped 83 www.bigealshine.xyz 199.192.21.122, 49739, 49740, 49741 NAMECHEAP-NETUS United States 33->83 85 www.povfilmfest.com 33->85 87 21 other IPs or domains 33->87 89 Injects code into the Windows Explorer (explorer.exe) 33->89 43 explorer.exe 33->43         started        45 autoconv.exe 33->45         started        91 Maps a DLL or memory area into another process 36->91 47 msiexec.exe 36->47         started        67 C:\Windows \System32\netutils.dll, PE32+ 38->67 dropped file11 signatures12 process13 signatures14 115 Adds a directory exclusion to Windows Defender 40->115 49 cmd.exe 1 40->49         started        52 conhost.exe 40->52         started        117 Tries to steal Mail credentials (via file / registry access) 43->117 119 Tries to harvest and steal browser information (history, passwords, etc) 43->119 121 Maps a DLL or memory area into another process 43->121 123 DLL side loading technique detected 43->123 process15 signatures16 93 Adds a directory exclusion to Windows Defender 49->93 54 powershell.exe 21 49->54         started        process17 signatures18 113 DLL side loading technique detected 54->113 57 conhost.exe 54->57         started        process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6f4aeb9995526d099eba9f227cd9282e2bbd43e190442be3355f07e8b41609a9/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2023-09-17 23:07:05 UTC
File Type:
PE (Exe)
Extracted files:
72
AV detection:
13 of 21 (61.90%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n5foxgmvkjwqthv2t4rhzwjifyv32q7bsbccxyzvl4d6rnawbguq._file
Verdict:
malicious
Similar samples:
54f5267dea7dfa571027e7ec1f9e8518231c8a9baff0cf49e098ecbaf86e051a
DBatLoader
5ccbfc6564f960202e0e34a71d067f4808fc644151323961b0300766f495996b
DBatLoader
7231c553f8e0564923177725ac2c747e54c9c35c951f44abead4859f8083d692
DBatLoader
852cc0f22ea3ace2856b9f5ec32a80446829f692bed524d843927ccb2807439e
DBatLoader
91c7ffd82c5a300a24f5767be8270e6a29467f50db3ac21c80bcba93ce127327
DBatLoader
920c77fdc169434909d771b4929da0fbf5e749694b05b165529913074b7024d2
DBatLoader
a80244841abcc266e558917b5758808c11aad9703b51de0469639d2f32153abd
DBatLoader
ac3e8b42a550451d60e23bc3252ca7e8023e72b38fafd33a5e7357d11b212458
DBatLoader
f78db900fda53959f9be60c05310fe73bbe076e86b6baa1dac07c3b91aa9daa3
DBatLoader
+ 17 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader persistence trojan
Link:
https://tria.ge/reports/230918-b4nv7sea4v/
Behaviour
Enumerates system info in registry
Gathers network information
Modifies Internet Explorer settings
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
ModiLoader Second Stage
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
16a2347f1e4d0ca5b2f998c43c3e5b3b8618c0824cb82a81f0108dab74da8b13
MD5 hash:
720a5cf72a48b2875d423223ac5b02da
SHA1 hash:
e4e9864aef61b32a12bfa396e874d1e7976fff28
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/3a2597f2-6b4c-45a3-8003-f549fe16295e/
SH256 hash:
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
MD5 hash:
c116d3604ceafe7057d77ff27552c215
SHA1 hash:
452b14432fb5758b46f2897aeccd89f7c82a727d
Link:
https://www.unpac.me/results/3a2597f2-6b4c-45a3-8003-f549fe16295e/
SH256 hash:
6f4aeb9995526d099eba9f227cd9282e2bbd43e190442be3355f07e8b41609a9
MD5 hash:
eb287c6f84549cb2ed84fb059b989db0
SHA1 hash:
ffe598791a743837c0d057a90e4e20f68fe53dda
Link:
https://www.unpac.me/results/3a2597f2-6b4c-45a3-8003-f549fe16295e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6f4aeb999552/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6f4aeb9995526d099eba9f227cd9282e2bbd43e190442be3355f07e8b41609a9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/449219/

Comments