MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7385e28efaddf884f97be5ac178a05d5c6e523a616ba20980121005428fe3765. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DBatLoader

Vendor detections: 17

SHA256 hash: 7385e28efaddf884f97be5ac178a05d5c6e523a616ba20980121005428fe3765
SHA3-384 hash: 7dc960e2aa97f2221bbadd9e926e56f206931ff1dfa1c1ddf1fa3bc4e7c4ab9cd5d4e2e54437d699e112b8d4a1860bff
SHA1 hash: ab22fb90604c58e206bc3bc0c33c0b5768db6fcf
MD5 hash: 04c891b9979e4852e90c8c061473058c
humanhash: september-massachusetts-potato-virginia
File name: 534353667789.exe
Signature: DBatLoader
File size: 1'099'776 bytes
First seen: 2023-12-11 14:05:57 UTC
Last seen: 2023-12-11 15:36:09 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f9791c0d53a83638fe45c2b8265bb591 (4 x DBatLoader, 1 x Formbook, 1 x RemcosRAT)
ssdeep: 24576:0it4uJtHL/PkgSAq5dRHBez6oONXEef2sS5OnYi:0iWiH7P85fsz6oM2mn/
Threatray: 20 similar samples on MalwareBazaar
TLSH: T19435ADB2B7F11936C1214A3CDF5B15A8981E7C316D941C02C2953F589EB4A7E28FE1AF
TrID:
  86.8% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
  4.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
  4.3% (.SCR) Windows screen saver (13097/50/3)
  1.4% (.EXE) Win32 Executable (generic) (4505/5/1)
  0.6% (.EXE) Win16/32 Executable Delphi generic (2072/23)
dhash icon: c585ababa3ababab (4 x DBatLoader, 1 x Formbook, 1 x RemcosRAT)
Reporter: malwarelabnet
Tags: DBatLoader exe FormBook ModiLoader
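The hashes above are what a responder uses to confirm that a file found on a host is this sample. The script below is an added example, not MalwareBazaar code and not part of the entry: it recomputes SHA256, SHA3-384, SHA1 and MD5 over a file in a single pass, compares them with the entry, and distinguishes a match on a strong hash from a match on MD5/SHA1 only (neither is collision-resistant, so a weak-hash match on its own should not be treated as proof of identity). The hash and size values are copied from the entry; the function names, verdict strings and the ENTRY structure are this example's own.

```python
"""Check a local file against the hashes MalwareBazaar lists for this entry.

Added example, not MalwareBazaar code. Entry values below are copied from the
page; everything else (function names, verdict strings) is this example's own.
"""
import hashlib
import os
import sys

# Copied from the entry above: file size plus SHA256, SHA3-384, SHA1 and MD5.
ENTRY = {
    "size": 1_099_776,
    "hashes": {
        "sha256": "7385e28efaddf884f97be5ac178a05d5c6e523a616ba20980121005428fe3765",
        "sha3_384": "7dc960e2aa97f2221bbadd9e926e56f206931ff1dfa1c1ddf1fa3bc4e7c4ab9cd5d4e2e54437d699e112b8d4a1860bff",
        "sha1": "ab22fb90604c58e206bc3bc0c33c0b5768db6fcf",
        "md5": "04c891b9979e4852e90c8c061473058c",
    },
}
ALGORITHMS = ("sha256", "sha3_384", "sha1", "md5")
STRONG = {"sha256", "sha3_384"}  # collision-resistant; md5 and sha1 are not


def digest_chunks(chunks, algorithms=ALGORITHMS):
    """Feed an iterable of byte chunks to every hasher once; return {name: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data):
    return digest_chunks([data])


def digest_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large samples are never read into memory whole."""
    with open(path, "rb") as fh:
        return digest_chunks(iter(lambda: fh.read(chunk_size), b""))


def is_pe(data):
    """The entry's MIME type is application/x-dosexec; a PE starts with the 'MZ' DOS header."""
    return data[:2] == b"MZ"


def compare(digests, size, entry=ENTRY):
    """Compare computed digests and size against an entry.

    verdict is one of:
      match           a strong hash (SHA256 or SHA3-384) matches
      weak-hash-only  only MD5/SHA1 match; treat as unconfirmed, not as identity
      no-match        nothing matches
    """
    expected = {k: v.lower() for k, v in entry["hashes"].items()}
    matched = sorted(name for name, hexd in digests.items()
                     if name in expected and hexd == expected[name])
    if any(name in STRONG for name in matched):
        verdict = "match"
    elif matched:
        verdict = "weak-hash-only"
    else:
        verdict = "no-match"
    return {"verdict": verdict, "matched": matched, "size_match": size == entry["size"]}


if __name__ == "__main__":
    # Usage: python check_entry.py <file> [<file> ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            head = fh.read(2)
        report = compare(digest_file(path), os.path.getsize(path))
        print(path, report["verdict"], report["matched"],
              "size-match" if report["size_match"] else "size-differs",
              "pe" if is_pe(head) else "not-pe")
```

A size mismatch with a hash match is not possible for an unmodified file, but a strong-hash mismatch with a matching MD5 is exactly the case the weak-hash-only verdict exists for: report it, do not close the ticket on it.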

Intelligence

File Origin
# of uploads: 2
# of downloads: 230
Origin country: CA
Vendor Threat Intelligence
Malware family: formbook
ID: 1
File name: 534353667789.exe
Verdict: Malicious activity
Analysis date: 2023-12-11 15:18:08 UTC
Tags: dbatloader formbook xloader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Creating synchronization primitives
Creating a window
Sending a custom TCP request
DNS request
Launching a process
Creating a process with a hidden window
Gathering data
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control hook keylogger lolbin overlay
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: DBatLoader, FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Allocates many large memory junks
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Behavior Graph ID: 1359968
Sample: 534353667789.exe
Startdate: 12/12/2023
Architecture: WINDOWS
Score: 100

Sample-level network: www.ycth3hhtkd.asia; www.portfoliotestkitchen.com; 14 other IPs or domains
Sample-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 7 other signatures

Process tree (signatures listed under each node):
534353667789.exe (started)
  dropped: C:\Users\Public\Libraries\Vkxxtlgy.PIF (PE32)
  Drops PE files with a suspicious file extension; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
  -> SndVol.exe (started)
       Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
       -> explorer.exe (injected)
            network: www.hivaom.top 156.237.159.158 port 80 (local port 49761), DXTL-HKDXTLTseungKwanOServiceHK, Seychelles; www.enfejbazi1sjrttrsjegfwafe.click 104.21.33.12 port 80 (local port 49769), CLOUDFLARENETUS, United States; 5 other IPs or domains
            System process connects to network (likely due to code injection or exploit)
            -> Vkxxtlgy.PIF (started)
                 Antivirus detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions
                 -> SndVol.exe (started)
            -> Vkxxtlgy.PIF (started)
                 Allocates memory in foreign processes; Allocates many large memory junks; Injects a PE file into a foreign processes
                 -> colorcpl.exe (started)
                      Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Tries to detect virtualization through RDTSC time measurements
            -> WWAHost.exe (started)
                 Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                 -> cmd.exe (started)
                      -> conhost.exe (started)
            -> 2 other processes
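The process tree above is the part of this entry a detection engineer can turn into host telemetry rules: a PE dropped as a .PIF under C:\Users\Public\Libraries, that file launched by explorer.exe, the injection hosts SndVol.exe and colorcpl.exe started from user-writable paths, cmd.exe under WWAHost.exe, and the Run key the second sandbox reports ("Adds Run key to start application"). The Python below is an added example, not a vendor rule and not anything from MalwareBazaar or the sandboxes; it evaluates those heuristics over constructed Sysmon-style events. The event shape and key names, the user name, the SID and the benign notepad.exe control event are made up for the example, and the suspicious-extension set beyond .pif is an assumption.

```python
"""Turn the sandbox process tree above into host telemetry heuristics.

Added example, not a vendor rule. Events are constructed in a simplified
Sysmon-like shape (id 1 = process create, 11 = file create, 13 = registry
value set); user name, SID and the benign notepad.exe event are made up.
"""


def norm(path):
    """Lower-case and forward-slash a Windows path so rules can use plain string tests."""
    return path.replace("\\", "/").lower()


def basename(path):
    return norm(path).rsplit("/", 1)[-1]


# Injection hosts observed in this sample's report (SndVol.exe, colorcpl.exe, WWAHost.exe).
HOLLOW_HOSTS = {"sndvol.exe", "colorcpl.exe", "wwahost.exe"}
# The sample used .pif; .scr and .com are an assumption about similar extension abuse.
ODD_PE_EXTENSIONS = {".pif", ".scr", ".com"}
PUBLIC_LIBRARIES = "c:/users/public/libraries/"
USER_WRITABLE = ("c:/users/", "c:/programdata/", "/temp/")


def in_user_writable(path):
    p = norm(path)
    return any(marker in p for marker in USER_WRITABLE)


def rule_pe_dropped_with_odd_extension(ev):
    """'Drops PE files with a suspicious file extension': .PIF written under Public\\Libraries."""
    if ev["id"] != 11:
        return False
    target = norm(ev.get("target", ""))
    ext = target[target.rfind("."):] if "." in target else ""
    return target.startswith(PUBLIC_LIBRARIES) and ext in ODD_PE_EXTENSIONS


def rule_exec_from_public_libraries(ev):
    """explorer.exe launching Vkxxtlgy.PIF: anything executing out of Public\\Libraries."""
    return ev["id"] == 1 and norm(ev.get("image", "")).startswith(PUBLIC_LIBRARIES)


def rule_hollow_host_from_user_path(ev):
    """SndVol.exe / colorcpl.exe spawned by a binary living in a user-writable directory."""
    return (ev["id"] == 1 and basename(ev.get("image", "")) in HOLLOW_HOSTS
            and in_user_writable(ev.get("parent", "")))


def rule_run_key_to_public(ev):
    """'Adds Run key to start application' with a value pointing at C:\\Users\\Public."""
    return (ev["id"] == 13 and "/currentversion/run/" in norm(ev.get("target", ""))
            and norm(ev.get("details", "")).startswith("c:/users/public/"))


def rule_cmd_under_wwahost(ev):
    """cmd.exe whose parent is WWAHost.exe, as in the tree above."""
    return (ev["id"] == 1 and basename(ev.get("image", "")) == "cmd.exe"
            and basename(ev.get("parent", "")) == "wwahost.exe")


RULES = {fn.__name__[5:]: fn for fn in (
    rule_pe_dropped_with_odd_extension, rule_exec_from_public_libraries,
    rule_hollow_host_from_user_path, rule_run_key_to_public, rule_cmd_under_wwahost)}


def detect(events):
    """Return [(rule_name, event_index)] for every event that trips a rule."""
    return [(name, i) for i, ev in enumerate(events) for name, fn in RULES.items() if fn(ev)]


# Constructed events mirroring the report's process tree, plus one benign control.
EVENTS = [
    {"id": 1, "image": "C:\\Users\\user\\Downloads\\534353667789.exe", "parent": "C:\\Windows\\explorer.exe"},
    {"id": 11, "image": "C:\\Users\\user\\Downloads\\534353667789.exe",
     "target": "C:\\Users\\Public\\Libraries\\Vkxxtlgy.PIF"},
    {"id": 1, "image": "C:\\Windows\\System32\\SndVol.exe", "parent": "C:\\Users\\user\\Downloads\\534353667789.exe"},
    {"id": 1, "image": "C:\\Users\\Public\\Libraries\\Vkxxtlgy.PIF", "parent": "C:\\Windows\\explorer.exe"},
    {"id": 13, "image": "C:\\Users\\Public\\Libraries\\Vkxxtlgy.PIF",
     "target": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Vkxxtlgy",
     "details": "C:\\Users\\Public\\Libraries\\Vkxxtlgy.PIF"},
    {"id": 1, "image": "C:\\Windows\\System32\\colorcpl.exe", "parent": "C:\\Users\\Public\\Libraries\\Vkxxtlgy.PIF"},
    {"id": 1, "image": "C:\\Windows\\System32\\cmd.exe", "parent": "C:\\Windows\\System32\\WWAHost.exe"},
    {"id": 1, "image": "C:\\Windows\\System32\\notepad.exe", "parent": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for name, idx in detect(EVENTS):
        print(f"{name}: event {idx} {EVENTS[idx]}")
```

The host list and the Public\Libraries path are this sample's choices, not a general property of the family; the rule that generalises best is the parent/child one (a signed system binary such as SndVol.exe started by an executable from a user-writable directory), which is why it is keyed on the parent path rather than the sample's file name.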
Threat name: Win32.Trojan.ModiLoader
Status: Malicious
First seen: 2023-12-11 09:23:30 UTC
File Type: PE (Exe)
Extracted files: 28
AV detection: 20 of 23 (86.96%)
Threat level: 5/5
Result
Malware family: modiloader
Score: 10/10
Tags: family:formbook family:modiloader campaign:ao65 persistence rat spyware stealer trojan
Behaviour
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Formbook payload
ModiLoader Second Stage
Formbook
ModiLoader, DBatLoader
Unpacked files
SHA256 hash: 6ec7781e472a6827c1406a53ed4699407659bd57c33dd4ab51cabfe8ece6f23f
MD5 hash: 4e16693755f49730d0a57eda2f79151b
SHA1 hash: fbc7d8b01dc2c7d38c4d4d888217d2b59cf9220f
Detections: win_dbatloader_g1 MALWARE_Win_ModiLoader
Parent samples:
SHA256 hash: 7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
MD5 hash: c116d3604ceafe7057d77ff27552c215
SHA1 hash: 452b14432fb5758b46f2897aeccd89f7c82a727d
SHA256 hash: 7385e28efaddf884f97be5ac178a05d5c6e523a616ba20980121005428fe3765
MD5 hash: 04c891b9979e4852e90c8c061473058c
SHA1 hash: ab22fb90604c58e206bc3bc0c33c0b5768db6fcf
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BobSoftMiniDelphiBoBBobSoft
Author: malware-lu
Rule name: Borland
Author: malware-lu
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments