MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 773a7b6da3993d34fe9593573317031ac5ae7f66ead9d8b0366274094bbe9c5a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 773a7b6da3993d34fe9593573317031ac5ae7f66ead9d8b0366274094bbe9c5a
SHA3-384 hash: 486ff8e1433c006263351c93bf0399382ba3f6dc724a038784fdd580c105f48e188259e11a152aab1e826f007b1981e6
SHA1 hash: 36ecddf9dac8b14220b3669c5061c9e747cf798c
MD5 hash: 3bebbabe7d62c8cac4f81ad6075a1b98
humanhash: item-montana-cold-bravo
File name:Purchase-Order737883874.exe
Download: download sample
Signature DBatLoader
Create hunting rule
File size:1'019'904 bytes
First seen:2022-08-03 08:33:35 UTC
Last seen:2022-08-03 11:03:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash baa95e98690e6e2028cb267760e931e3 (4 x DBatLoader, 1 x ModiLoader)
ssdeep 24576:4NZFLUG3u3e+CuySLJj7tGZJqz5d52Ep8rl:4jDVk70UForl
TLSH T192259D36B2904433D07216789D4B57E8982BBE112E78798B6BEC3D8C5F3B7913925393
TrID 45.7% (.OCX) Windows ActiveX control (116521/4/18)
16.9% (.EXE) InstallShield setup (43053/19/16)
16.3% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
5.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
5.1% (.SCR) Windows screen saver (13101/52/3)
File icon (PE):PE icon
dhash icon c8ccc4c4c4c4c4e4 (4 x DBatLoader, 1 x ModiLoader)
Reporter GovCERT_CH
Tags:DBatLoader exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
328
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Purchase-Order737883874.exe
Verdict:
Malicious activity
Analysis date:
2022-08-03 08:34:42 UTC
Tags:
installer trojan formbook stealer
Link:
https://app.any.run/tasks/6d06a9ab-c107-48ad-a0b9-65df351bb763

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/296127/
Detection(s):
SecuriteInfo.com.Artemis398D823D2B3E.1990.14044.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching the process to interact with network services
Launching a process
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
keylogger packed
Link:
https://www.filescan.io/uploads/62ea3374d40ca366615acb47/reports/79834dcb-907c-4f9b-9b94-d24b6a5855dd/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/10eda8c9-c226-49ec-8b20-d81944700c97
Result
Threat name:
DBatLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1045484
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 677978 Sample: Purchase-Order737883874.exe Startdate: 03/08/2022 Architecture: WINDOWS Score: 100 54 www.suntivegas.com 2->54 72 Snort IDS alert for network traffic 2->72 74 Malicious sample detected (through community Yara rule) 2->74 76 Antivirus detection for URL or domain 2->76 78 7 other signatures 2->78 12 Purchase-Order737883874.exe 1 22 2->12         started        signatures3 process4 dnsIp5 60 ckrismaller.ydns.eu 208.67.105.81, 49689, 49690, 49691 GRAYSON-COLLIN-COMMUNICATIONSUS United States 12->60 50 C:\Users\Public\Libraries\Xjdemx.exe, PE32 12->50 dropped 52 C:\Users\Public\Libraries\XjdemxO.bat, ASCII 12->52 dropped 90 Writes to foreign memory regions 12->90 92 Allocates memory in foreign processes 12->92 94 Creates a thread in another existing process (thread injection) 12->94 96 Injects a PE file into a foreign processes 12->96 17 cmd.exe 1 12->17         started        19 cmd.exe 1 12->19         started        file6 signatures7 process8 process9 21 cmd.exe 1 17->21         started        24 conhost.exe 17->24         started        26 conhost.exe 19->26         started        signatures10 80 Modifies the context of a thread in another process (thread injection) 21->80 82 Maps a DLL or memory area into another process 21->82 84 Sample uses process hollowing technique 21->84 86 Queues an APC in another process (thread injection) 21->86 28 explorer.exe 2 21->28 injected 32 conhost.exe 21->32         started        process11 dnsIp12 62 www.guanglee.net 38.35.100.206, 49699, 80 COGENT-174US United States 28->62 64 www.trustbutverify.pro 28->64 66 trustbutverify.pro 34.102.136.180, 49698, 80 GOOGLEUS United States 28->66 88 System process connects to network (likely due to code injection or exploit) 28->88 34 wlanext.exe 28->34         started        37 Xjdemx.exe 14 28->37         started        40 Xjdemx.exe 15 28->40         started        signatures13 process14 dnsIp15 68 Modifies the context of a thread in another process (thread injection) 34->68 70 Maps a DLL or memory area into another process 34->70 56 ckrismaller.ydns.eu 37->56 42 cmd.exe 1 37->42         started        58 ckrismaller.ydns.eu 40->58 44 cmd.exe 1 40->44         started        signatures16 process17 process18 46 conhost.exe 42->46         started        48 conhost.exe 44->48         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/773a7b6da3993d34fe9593573317031ac5ae7f66ead9d8b0366274094bbe9c5a/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-08-03 08:34:09 UTC
File Type:
PE (Exe)
Extracted files:
45
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o45hw3ndte6tj7uvsnltgfyddlc2473g5lm5rmbwmj2ass56trna._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader persistence trojan
Link:
https://tria.ge/reports/220803-kge48ahbe3/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
ModiLoader Second Stage
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
df5188834ad47e3f01711c40fa863a1117e26df67fbe7bb116d9f3721dd4449e
MD5 hash:
6381d1e28338c4262a7bbe4e1f3fc66d
SHA1 hash:
8f8ab1deb41db7a0a74ef63dafe9b51a8e02e68c
Link:
https://www.unpac.me/results/3c1dece6-7102-4d42-ad50-610583b2b8c1/
SH256 hash:
773a7b6da3993d34fe9593573317031ac5ae7f66ead9d8b0366274094bbe9c5a
MD5 hash:
3bebbabe7d62c8cac4f81ad6075a1b98
SHA1 hash:
36ecddf9dac8b14220b3669c5061c9e747cf798c
Link:
https://www.unpac.me/results/3c1dece6-7102-4d42-ad50-610583b2b8c1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/773a7b6da399/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/773a7b6da3993d34fe9593573317031ac5ae7f66ead9d8b0366274094bbe9c5a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DBatLoader

img cde000f35181379ff1cf4929cbd6b48318c5510236d3dc79b0f0bd66955f7ebd

DBatLoader

Executable exe 773a7b6da3993d34fe9593573317031ac5ae7f66ead9d8b0366274094bbe9c5a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/296127/
  
Dropped by
SHA256 cde000f35181379ff1cf4929cbd6b48318c5510236d3dc79b0f0bd66955f7ebd
  
Dropped by
MD5 30638d1c32abe8b252266f72e3e4fce7

Comments