MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 7056d549ba61408c2967bd1b277aad3134ab22afda1ef861c238f2c5598c3420. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
DBatLoader
Vendor detections: 17
| SHA256 hash: | 7056d549ba61408c2967bd1b277aad3134ab22afda1ef861c238f2c5598c3420 |
|---|---|
| SHA3-384 hash: | 1a45e820aadd32bfced65ad3fe906ac313f66c779dfb1a9e7e918dff62bd4cca7336cc66608b69fe422c7ccc6b4be1d2 |
| SHA1 hash: | a5ee4caf50df0611dffccc21ee7cc12e2fcce6b6 |
| MD5 hash: | 2effcfc08d769d5a45ec793864013d1f |
| humanhash: | pasta-cold-freddie-aspen |
| File name: | Kopija bankovne uplate.exe |
| Download: | download sample |
| Signature | DBatLoader |
| File size: | 2'333'184 bytes |
| First seen: | 2023-11-27 09:20:11 UTC |
| Last seen: | 2023-12-05 07:16:53 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f97d61d6ce4c5700eac63f0c72bb3211 (1 x RemcosRAT, 1 x DBatLoader, 1 x Formbook) |
| ssdeep | 49152:JWPpH8yc0/wU2lpe63ZrxKrVEbRIqiPt41+Fehg1mQmPoE:JCpcyV/wjpdZrxEVEtI14kqnLPoE |
| Threatray | 4 similar samples on MalwareBazaar |
| TLSH | T133B50257D260C837D0BB1B7B8C47B7989A263DD4B968E489F1DA3C44257C24A28361FF |
| TrID | 86.8% (.EXE) Win32 Executable Borland Delphi 6 (262638/61) 4.6% (.EXE) Win32 Executable Delphi generic (14182/79/4) 4.3% (.SCR) Windows screen saver (13097/50/3) 1.4% (.EXE) Win32 Executable (generic) (4505/5/1) 0.6% (.EXE) Win16/32 Executable Delphi generic (2072/23) |
| File icon (PE): |  |
| dhash icon | e4e4884953c88c9c (1 x RemcosRAT, 1 x DBatLoader, 1 x Formbook) |
| Reporter |  adrian__luca |
| Tags: | DBatLoader exe |
Intelligence
File Origin
# of uploads :
4
# of downloads :
301
Origin country :
HUVendor Threat Intelligence
Malware family:
formbook
ID:
1
File name:
Kopija bankovne uplate.exe
Verdict:
Malicious activity
Analysis date:
2023-11-27 09:29:39 UTC
Tags:
dbatloader formbook xloader stealer spyware
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
ModiLoader
Result
Verdict:
Clean
Maliciousness:
Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Sending a custom TCP request
Gathering data
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
control hook keylogger lolbin overlay packed
Verdict:
Malicious
Labled as:
Trojan.Generic
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dbatloader
Verdict:
Malicious
Result
Threat name:
DBatLoader, FormBook
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Score:
100%
Verdict:
Malware
File Type:
PE
Threat name:
Win32.Trojan.ModiLoader
Status:
Malicious
First seen:
2023-11-27 01:12:34 UTC
File Type:
PE (Exe)
Extracted files:
50
AV detection:
21 of 36 (58.33%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Result
Malware family:
modiloader
Score:
10/10
Tags:
family:modiloader persistence trojan
Behaviour
Modifies Internet Explorer settings
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
ModiLoader Second Stage
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
6ec7781e472a6827c1406a53ed4699407659bd57c33dd4ab51cabfe8ece6f23f
MD5 hash:
4e16693755f49730d0a57eda2f79151b
SHA1 hash:
fbc7d8b01dc2c7d38c4d4d888217d2b59cf9220f
Detections:
win_dbatloader_g1
MALWARE_Win_ModiLoader
Parent samples :
06df9938eb1faaf4c5862a64273998b15201a83e5a46842cd0067a50eb964f4b
3c4cea2018a1d222aef402eff14de46b325024c6d775611817a9723d385f62ed
d8e06a78761104458ca53892474bb695fe6f3d5d92333a1d81f0d11d60ed2041
6f3940be662f3aee053506bf0e2f4d2aeee6b6d83589fbb5ac09ee1a73aa28a0
abec20fbb427ace85e7ba8b8bc265fd00b8e2499b0667ba621ed1e8a98cc7c1f
a1909ad50f89c221cc9709af3802fdf53a46be8d65f644d5e3968171e8666d69
66c7d769249d9da750ff736b447f0573c7cd5432a680e3a72d09bc1e238e83d1
6d2cdd0db9fefca23ee97cb400ec39012511511846114b3fcaaa633183830e83
8f3abc8783e372932f05def9c6d3270b5d72982115551806a5dac2d8aacc2458
c9ab27133f4ebc51a0fbae315e4e906ccc2579b9fe8d0294b4c5a7ed3de4b2ef
1064606237c6838a948c3ab85b2c95df70c8f85e87958b7e3f9bff9d79e2a645
2335a09e51dc8dd9eadcc23afa908605a0678aa0b0fd46f180e6dd628745a0f2
aea6835e1d8c9e5ba9c92e9e71d692c6777531fdfaaee0bbcd53d5e36eb2b8e7
091fbd8d1a58a54f7d71cb449a3da0ccd6a845950017209d88e25d7b685a1bb7
0fc367790748591bca8d2d01ba1c189754183cacb4dd76a567e05f0ab45590ee
ae5345f8b351ea82e6d74797baf379bc605c69e079cc5628ab486bf8d4b76b18
2159cbace070eda555164924c4bf646924d95a7dcbc3cf7ab44d2c918d0abe0b
ea5cca67b84c377c1c50e3e978fa2bcf6d178e8ce9cb23971c3304359b23e435
3c049c22293a2ca0d2529b8bf1f8956ca99cf0c428c12eb625b4e8d614e056c0
e5590f3ca36c707f3cec8c6fdfecfa949233708dae9b8d11f020906b8058bffa
f52a87f82d672530fb56cb062565ecc0881bd59c71e333895b38c65a9ded043d
7056d549ba61408c2967bd1b277aad3134ab22afda1ef861c238f2c5598c3420
0fda16a373440fc97605138e9d55cc140f75d85fcd3d420ea8df9b87172d51e6
4d227c0a92030e8410260bf84dd992d346d2d4002e7af69e792d3ef84e60f317
c7e18524730d00ad96155cb54beca97cc658f8bd94f736ef7671eadacd3ebee6
1117ea5185a8c16dbc9af96cbb580f5ac55a5f4bc0963e149c83a6c9c35dba7a
3e79d6c84d60f1c6b371cc8f98312a28da7698e4ab225848268356d86c733670
e29e825bc811e65ef2c4281302a05e211d9db7493cbd6f49e3dedef35f9de7af
7dca9d872ff0b85e7914cd56ad409f3ba86f6171225a3627b736768872fb0eff
83320be7f5851145e2f8713daeea3bcf5eff2ac87d63e6e47336f95ed22e91c8
e94c8165947e2adda5ffead77a571b43deaa0300f018ea5ba46a7e2567f79e31
6a43bfc4748749a2c40581a802d7be1a8989ef839dbac92467d07e08f1f50796
cd0dd222c7ba110e49ecd0aece6fa2915b5a126fed2fcdae12e114106688bee0
900bac7f4138efd174067bc8738e8357c97e50abe23af40b0d5825db8b55ce29
6d2fc83551518ed142a7b984c38f47b34fe1a2399914b323fa7ad23158a2e0a3
f87b464c12544a35f9a88a5a4d8bd43ec5e792987cf6410e0f10327f407d1af2
7385e28efaddf884f97be5ac178a05d5c6e523a616ba20980121005428fe3765
1cc7f88b0947e4e27379b47468dd04595e611c550a0ca50954774e32dffbf9ed
5dda711406d96a6019c837f6bda3680943b769e4f0bb3183e8bbc1a54f254c5a
f06d98ed7273a15325adf09f185f1a43ee5c9209d103b203b35632655951a553
b27a99adeed5a49bd7a19f6e894da217dd005d9b709c85e5fa49f55f3932b853
facc6e911089bda494f8266b25d3a9b932494aac786f6fb3efb132f00db3aa29
2673cb78d77db954842c1311a9ecbef666bbf15b0b0058585c4d00f38cf3f225
1de268066bddc4603c3020da1e8868ba238adebe617a34a7ad076a536a6996b4
3efb1782a471373ee59ab78e7ee54c39427f6aa3ab3f40d71b509d5a439166d8
2066d3c19b80a23bb0852d98ba11a5539a5c0ecb148c6a8aa81d028646e92b0f
216f15601add34daf25b908b6e68d4213396e7f7e47c314355527d9eec673963
e14cbebf916fa0be576202a8c7b931a485fb0dafec28402292af1de5991a130b
3c4cea2018a1d222aef402eff14de46b325024c6d775611817a9723d385f62ed
d8e06a78761104458ca53892474bb695fe6f3d5d92333a1d81f0d11d60ed2041
6f3940be662f3aee053506bf0e2f4d2aeee6b6d83589fbb5ac09ee1a73aa28a0
abec20fbb427ace85e7ba8b8bc265fd00b8e2499b0667ba621ed1e8a98cc7c1f
a1909ad50f89c221cc9709af3802fdf53a46be8d65f644d5e3968171e8666d69
66c7d769249d9da750ff736b447f0573c7cd5432a680e3a72d09bc1e238e83d1
6d2cdd0db9fefca23ee97cb400ec39012511511846114b3fcaaa633183830e83
8f3abc8783e372932f05def9c6d3270b5d72982115551806a5dac2d8aacc2458
c9ab27133f4ebc51a0fbae315e4e906ccc2579b9fe8d0294b4c5a7ed3de4b2ef
1064606237c6838a948c3ab85b2c95df70c8f85e87958b7e3f9bff9d79e2a645
2335a09e51dc8dd9eadcc23afa908605a0678aa0b0fd46f180e6dd628745a0f2
aea6835e1d8c9e5ba9c92e9e71d692c6777531fdfaaee0bbcd53d5e36eb2b8e7
091fbd8d1a58a54f7d71cb449a3da0ccd6a845950017209d88e25d7b685a1bb7
0fc367790748591bca8d2d01ba1c189754183cacb4dd76a567e05f0ab45590ee
ae5345f8b351ea82e6d74797baf379bc605c69e079cc5628ab486bf8d4b76b18
2159cbace070eda555164924c4bf646924d95a7dcbc3cf7ab44d2c918d0abe0b
ea5cca67b84c377c1c50e3e978fa2bcf6d178e8ce9cb23971c3304359b23e435
3c049c22293a2ca0d2529b8bf1f8956ca99cf0c428c12eb625b4e8d614e056c0
e5590f3ca36c707f3cec8c6fdfecfa949233708dae9b8d11f020906b8058bffa
f52a87f82d672530fb56cb062565ecc0881bd59c71e333895b38c65a9ded043d
7056d549ba61408c2967bd1b277aad3134ab22afda1ef861c238f2c5598c3420
0fda16a373440fc97605138e9d55cc140f75d85fcd3d420ea8df9b87172d51e6
4d227c0a92030e8410260bf84dd992d346d2d4002e7af69e792d3ef84e60f317
c7e18524730d00ad96155cb54beca97cc658f8bd94f736ef7671eadacd3ebee6
1117ea5185a8c16dbc9af96cbb580f5ac55a5f4bc0963e149c83a6c9c35dba7a
3e79d6c84d60f1c6b371cc8f98312a28da7698e4ab225848268356d86c733670
e29e825bc811e65ef2c4281302a05e211d9db7493cbd6f49e3dedef35f9de7af
7dca9d872ff0b85e7914cd56ad409f3ba86f6171225a3627b736768872fb0eff
83320be7f5851145e2f8713daeea3bcf5eff2ac87d63e6e47336f95ed22e91c8
e94c8165947e2adda5ffead77a571b43deaa0300f018ea5ba46a7e2567f79e31
6a43bfc4748749a2c40581a802d7be1a8989ef839dbac92467d07e08f1f50796
cd0dd222c7ba110e49ecd0aece6fa2915b5a126fed2fcdae12e114106688bee0
900bac7f4138efd174067bc8738e8357c97e50abe23af40b0d5825db8b55ce29
6d2fc83551518ed142a7b984c38f47b34fe1a2399914b323fa7ad23158a2e0a3
f87b464c12544a35f9a88a5a4d8bd43ec5e792987cf6410e0f10327f407d1af2
7385e28efaddf884f97be5ac178a05d5c6e523a616ba20980121005428fe3765
1cc7f88b0947e4e27379b47468dd04595e611c550a0ca50954774e32dffbf9ed
5dda711406d96a6019c837f6bda3680943b769e4f0bb3183e8bbc1a54f254c5a
f06d98ed7273a15325adf09f185f1a43ee5c9209d103b203b35632655951a553
b27a99adeed5a49bd7a19f6e894da217dd005d9b709c85e5fa49f55f3932b853
facc6e911089bda494f8266b25d3a9b932494aac786f6fb3efb132f00db3aa29
2673cb78d77db954842c1311a9ecbef666bbf15b0b0058585c4d00f38cf3f225
1de268066bddc4603c3020da1e8868ba238adebe617a34a7ad076a536a6996b4
3efb1782a471373ee59ab78e7ee54c39427f6aa3ab3f40d71b509d5a439166d8
2066d3c19b80a23bb0852d98ba11a5539a5c0ecb148c6a8aa81d028646e92b0f
216f15601add34daf25b908b6e68d4213396e7f7e47c314355527d9eec673963
e14cbebf916fa0be576202a8c7b931a485fb0dafec28402292af1de5991a130b
SH256 hash:
dabfa97ef953dda24ddaf1b5eb4168d6d78fbf276f50f3cd8ef3bff67cdbde3e
MD5 hash:
267280af63a6d207b701b5cf35d9b4a1
SHA1 hash:
80f5139691e069bdeeb66866a3168df88a59a8f6
SH256 hash:
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
MD5 hash:
c116d3604ceafe7057d77ff27552c215
SHA1 hash:
452b14432fb5758b46f2897aeccd89f7c82a727d
SH256 hash:
7056d549ba61408c2967bd1b277aad3134ab22afda1ef861c238f2c5598c3420
MD5 hash:
2effcfc08d769d5a45ec793864013d1f
SHA1 hash:
a5ee4caf50df0611dffccc21ee7cc12e2fcce6b6
Detections:
DbatLoaderStage1
Malware family:
XLoader
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | BobSoftMiniDelphiBoBBobSoft |
|---|---|
| Author: | malware-lu |
| Rule name: | Borland |
|---|---|
| Author: | malware-lu |
| Rule name: | DebuggerCheck__API |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DebuggerCheck__QueryInfo |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DebuggerHiding__Thread |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | shellcode |
|---|---|
| Author: | nex |
| Description: | Matched shellcode byte patterns |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.