MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79ad3b86c29cab2b9e3ed08686ed2293857f61459e50a78471a45f4161ac76e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 17


Intelligence 17 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 79ad3b86c29cab2b9e3ed08686ed2293857f61459e50a78471a45f4161ac76e8
SHA3-384 hash: 62c264dd59bd744b373f2c099168cd5d29fa2a91be1b5eff946ef22e02e7f73420c11b60ae9c72d280f2ec775af75ae7
SHA1 hash: 0b82e4619f8059c1331c844d136833d33a8b3198
MD5 hash: 0d4b24b79ce922f635ca1b6633dcb22f
humanhash: quiet-connecticut-diet-neptune
File name:79ad3b86c29cab2b9e3ed08686ed2293857f61459e50a78471a45f4161ac76e8
Download: download sample
Signature DBatLoader
Create hunting rule
File size:1'799'168 bytes
First seen:2025-09-05 12:47:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 69ce8a30515c4439d14c13f18ee57b69 (1 x RemcosRAT, 1 x DBatLoader)
ssdeep 24576:Le76NM+GFOcHpIg9IOX6CF/5mnQr7MLOGxmy4qYZsxmy4qYZsxmy4qYZk:LYF9HF9hmQfWOSN4qYCN4qYCN4qY
Threatray 13 similar samples on MalwareBazaar
TLSH T13D85D066B3A18076C5A75AF8AC2BA795293ABF202F1465473BFC3D0C5F713417836293
TrID 64.2% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
16.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.9% (.EXE) Win32 Executable (generic) (4504/4/1)
3.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
3.1% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter adrian__luca
Tags:DBatLoader exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
50
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
79ad3b86c29cab2b9e3ed08686ed2293857f61459e50a78471a45f4161ac76e8.exe
Verdict:
Suspicious activity
Analysis date:
2025-09-05 13:29:11 UTC
Tags:
delphi auto-sch
Link:
https://app.any.run/tasks/f5dfcf81-c337-470f-8b93-9d3329f0c97f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/25448/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68badc2f3e988eb6ab83c4d7
Tags:
autorun remcos emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file
Launching a process
Creating a process with a hidden window
Creating a process from a recently created file
Searching for synchronization primitives
Moving of the original file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context bladabindi borland_delphi fingerprint keylogger modiloader obfuscated packed packed packer_detected zusy
Link:
https://www.filescan.io/uploads/68bae573fe1969faa8a6c5af/reports/80e28bef-3f9b-494f-a5ec-8d6d45ee15ec/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/79ad3b86c29cab2b9e3ed08686ed2293857f61459e50a78471a45f4161ac76e8
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-08-18T01:01:00Z UTC
Last seen:
2025-08-18T01:01:00Z UTC
Hits:
~100
Detections:
HEUR:Trojan-Spy.Win32.Noon.gen Backdoor.MSIL.Bladabindi.sb PDM:Trojan.Win32.Generic HEUR:Trojan-Spy.MSIL.KeyLogger.gen HEUR:Trojan.MSIL.Crypt.gen Backdoor.Bladabindi.TCP.C&C Backdoor.Agent.TCP.C&C
Link:
https://opentip.kaspersky.com/79ad3b86c29cab2b9e3ed08686ed2293857f61459e50a78471a45f4161ac76e8/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6d37a6e4-d51f-405f-9d3b-2e85d3907ba7
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/79ad3b86c29cab2b9e3ed08686ed2293857f61459e50a78471a45f4161ac76e8
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/79ad3b86c29cab2b9e3ed08686ed2293857f61459e50a78471a45f4161ac76e8/
Verdict:
Malicious
Threat:
Family.MODILOADER
Link:
https://tip.neiki.dev/file/79ad3b86c29cab2b9e3ed08686ed2293857f61459e50a78471a45f4161ac76e8
Threat name:
Win32.Backdoor.njRAT
Create hunting rule
Status:
Malicious
First seen:
2025-08-18 06:21:22 UTC
File Type:
PE (Exe)
Extracted files:
39
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pgwtxbwctsvsxhr62cdin3jcsocx6ykftzikpbdrurpucynmo3ua._file
Verdict:
malicious
Label(s):
dbatloader
Create hunting rule
unc_loader_001
Create hunting rule
Similar samples:
066ae9155891b102aaec4c4b2731fd9cc434f58b8687dd71d58728bc0c9d78ce
DBatLoader
2893a3dcecdfac2cbb92136bd92e94d32464cff84a4dbd44d71f559ed58ccc3d
DBatLoader
79ad3b86c29cab2b9e3ed08686ed2293857f61459e50a78471a45f4161ac76e8
DBatLoader
94d359b58ad8043b411eb3b9ca8f983a1f4eb3f732a92e8a8c92c5432499d907
DBatLoader
bb4bb43da97cf6ce8953d1000f9f292c38f13492e6f959f7a8e1c24919d102b0
DBatLoader
c1243c763c8e20be71f380e5366060a73c4a80711d0d0018d4020b6051563101
DBatLoader
e40a3b1220ad434fffbdb98afab28e95396cdee6cc330b88ad9d76587a7d4fdf
DBatLoader
error
DBatLoader
+ 3 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader discovery execution persistence trojan
Link:
https://tria.ge/reports/250905-qpcxqazxhw/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Drops desktop.ini file(s)
Executes dropped EXE
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9ac5358e-b200-471a-a1f1-7e621ce2e179
Unpacked files
SH256 hash:
79ad3b86c29cab2b9e3ed08686ed2293857f61459e50a78471a45f4161ac76e8
MD5 hash:
0d4b24b79ce922f635ca1b6633dcb22f
SHA1 hash:
0b82e4619f8059c1331c844d136833d33a8b3198
Link:
https://www.unpac.me/results/50f014ba-777c-4d10-98c0-f3b4bf11cfe7/
SH256 hash:
61dc3e9364455a9091c442768b926bd995a6e765b869b617bd1ed1899a4e7c13
MD5 hash:
ae7e8ac6ed4bea9bb12b12536cbb4165
SHA1 hash:
1c5f31c4cac1fa2e87f40c801ed3748e21b21d93
Detections:
Typical_Malware_String_Transforms
Create hunting rule
Link:
https://www.unpac.me/results/50f014ba-777c-4d10-98c0-f3b4bf11cfe7/
Parent samples :
8d5babfd92134527dac0f95fcf666b91681cb5b7536769e4ef647d9e042809a9
90b127b083dfdcb086340fc93b24ad2407161a61e00b68e80c20db4f0b6fea42
79ad3b86c29cab2b9e3ed08686ed2293857f61459e50a78471a45f4161ac76e8
SH256 hash:
1c3f57359d299226704427206f9b277a10568af3cd9ec45efa842eba28830df9
MD5 hash:
e5c8369d33e16c026f70f0c64d301e4f
SHA1 hash:
ae9903a64ce0165f7b10d16e97f9b539280a169f
Link:
https://www.unpac.me/results/50f014ba-777c-4d10-98c0-f3b4bf11cfe7/
SH256 hash:
61734f71587f44c40ef720b371bb7ad5a1321d216016282df5beae16c5cd74f6
MD5 hash:
7dbc3add7eab85cda3d2e0116a8297db
SHA1 hash:
ca79f3982f1e34aa41cb7e6e15d3ff97932f49ac
Detections:
win_samsam_auto
Create hunting rule
Link:
https://www.unpac.me/results/50f014ba-777c-4d10-98c0-f3b4bf11cfe7/
SH256 hash:
2f5ea3f325bc5f12ca62ff7b2134fdbca68c761a709cc975bcb296311bb1ef59
MD5 hash:
61a86f351ba0e98a5a9544a084566091
SHA1 hash:
d4fde62c330e1c17e7a39164b1b4836955a418c1
Link:
https://www.unpac.me/results/50f014ba-777c-4d10-98c0-f3b4bf11cfe7/
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/79ad3b86c29c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/79ad3b86c29cab2b9e3ed08686ed2293857f61459e50a78471a45f4161ac76e8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/25448/

Comments