MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a76e0669c5780129892f53dca7f012cfdc90222a5fc2523b10531fd82540aca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7a76e0669c5780129892f53dca7f012cfdc90222a5fc2523b10531fd82540aca
SHA3-384 hash: 2d8cf6bc766d81bfb77422bf1bfc4f6ab4a7173d99a84e723e4a0a2dfe97c9f8433322f00a04ee7b3e10b8ee5d99f762
SHA1 hash: 7807ab084f6dd461d2a65aa610d367fc4a82411b
MD5 hash: 652c09d8bb43ea2550c2a79d2cf8f9b6
humanhash: stairway-harry-football-jupiter
File name:DHL Shipment on Hold Notice Attached 07-FEB-2022.exe
Download: download sample
Signature DBatLoader
Create hunting rule
File size:1'018'880 bytes
First seen:2022-02-07 08:04:04 UTC
Last seen:2022-02-07 09:54:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b8291d27d1843f891720ab7e926d8c23 (3 x DBatLoader, 2 x Loki, 2 x Formbook)
ssdeep 12288:9Yt08SVogpiVHy+BiVzo3u1ioALA/zlFPnukXlvMdZx908V7bHNlplJ/:2trSRiVHy+BOAgsA/zbnLkzj7zNlpr/
Threatray 3'959 similar samples on MalwareBazaar
TLSH T155258CA2E380193EC11315748D1BE665991A7E703E2CEAC67FE47D0C2E39345B926ED3
File icon (PE):PE icon
dhash icon eef2f3969292d42a (18 x Formbook, 4 x Loki, 2 x DBatLoader)
Reporter abuse_ch
Tags:DBatLoader DHL exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
142
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/234106/
Detection(s):
SecuriteInfo.com.Artemis652C09D8BB43.1936.6299.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Unauthorized injection to a recently created process
Reading critical registry keys
Delayed writing of the file
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for the window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Launching a tool to kill processes
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/6194/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe keylogger replace.exe
Link:
https://www.filescan.io/uploads/6200d281fdec0968c37dcef7/reports/c7a98fcc-cd67-47a3-90a7-713abbd13325/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/4dda2d5e-29ae-4863-a3ec-7caa65a907a9
Result
Threat name:
DBatLoader Oski Stealer Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/934980
Signature
Downloads files with wrong headers with respect to MIME Content-Type
Drops PE files to the user root directory
Found many strings related to Crypto-Wallets (likely being stolen)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Posts data to a JPG file (protocol mismatch)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected DBatLoader
Yara detected Oski Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 567462 Sample: DHL Shipment on Hold Notice... Startdate: 07/02/2022 Architecture: WINDOWS Score: 100 60 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->64 66 8 other signatures 2->66 8 DHL Shipment on Hold Notice Attached 07-FEB-2022.exe 1 18 2->8         started        13 Inzwbkgu.exe 15 2->13         started        15 Inzwbkgu.exe 13 2->15         started        process3 dnsIp4 58 testscript.online 3.99.68.111, 443, 49769, 49775 AMAZON-02US United States 8->58 52 C:\Users\user\Inzwbkgu.exe, PE32 8->52 dropped 54 C:\Users\user\Inzwbkgu.exe:Zone.Identifier, ASCII 8->54 dropped 72 Injects a PE file into a foreign processes 8->72 17 DHL Shipment on Hold Notice Attached 07-FEB-2022.exe 196 8->17         started        22 Inzwbkgu.exe 13->22         started        24 Inzwbkgu.exe 196 15->24         started        file5 signatures6 process7 dnsIp8 56 t-shinwa-jp.com 172.67.169.249, 49797, 49808, 49814 CLOUDFLARENETUS United States 17->56 44 C:\ProgramData\vcruntime140.dll, PE32 17->44 dropped 46 C:\ProgramData\sqlite3.dll, PE32 17->46 dropped 48 C:\ProgramData\softokn3.dll, PE32 17->48 dropped 50 4 other files (none is malicious) 17->50 dropped 26 cmd.exe 1 17->26         started        68 Tries to harvest and steal browser information (history, passwords, etc) 22->68 70 Tries to steal Crypto Currency Wallets 22->70 28 cmd.exe 22->28         started        30 cmd.exe 24->30         started        file9 signatures10 process11 process12 32 taskkill.exe 1 26->32         started        34 conhost.exe 26->34         started        36 conhost.exe 28->36         started        38 taskkill.exe 28->38         started        40 conhost.exe 30->40         started        42 taskkill.exe 30->42         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7a76e0669c5780129892f53dca7f012cfdc90222a5fc2523b10531fd82540aca/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-02-07 08:04:20 UTC
File Type:
PE (Exe)
Extracted files:
121
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pj3oazu4k6abfges6u64u7ybft64sarcux6cki5rauy73asublfa._file
Verdict:
malicious
Similar samples:
0ef2423530764d0f9a745e60c251176c903929d958ce3ff1c22a6867c97bbc13
DBatLoader
192f884438809d6fb01ae0c89c4ccd1fdae62d429e78bdbcc4ff4d28a54049af
DBatLoader
66a1b49f893976a60ca25813345ea54a5582acf7a5a0821c03cc45bcfc89b5c5
DBatLoader
6b869d8825516d0b977d48043d1d56d233de7b128074b068566dc33e0ff9fdb7
DBatLoader
b70f4075c4ce52960faacb101aac17a9cd734cbec86b6a9d63944e900420bde1
DBatLoader
f7a423c9fd6cf87566b34d2dab352a81821ba3737864cc1abec2593429965300
DBatLoader
fb142a5509971d78923e077c658479a60287c1e6d921adfc75f3a426b5ffab7b
DBatLoader
+ 3'949 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220207-jybbxshfg9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
7a76e0669c5780129892f53dca7f012cfdc90222a5fc2523b10531fd82540aca
MD5 hash:
652c09d8bb43ea2550c2a79d2cf8f9b6
SHA1 hash:
7807ab084f6dd461d2a65aa610d367fc4a82411b
Link:
https://www.unpac.me/results/0c16dff1-bf2b-4664-8013-f384cad05819/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/7a76e0669c57/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/234106/

Comments