MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d42baf12969f24e3f68e53b146b4f049c1f772396c2e68c1a18bf75e26992ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7d42baf12969f24e3f68e53b146b4f049c1f772396c2e68c1a18bf75e26992ad
SHA3-384 hash: 31dd8867f6c89a98ec3ee8a107dbaf246eafa83d27ead5b6aee463b1af16f8f158c6085f812b649aa34683d2cb79588a
SHA1 hash: 134b0dde0f9dfca361244080c78b5f95fc6004b0
MD5 hash: bd26661f88b0ea96cbab760644eb76bd
humanhash: mexico-rugby-utah-london
File name:deposit n.exe
Download: download sample
Signature DBatLoader
Create hunting rule
File size:1'281'024 bytes
First seen:2023-09-25 12:26:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a0e9dc9591e2488a1f74a4ff8bdd1c55 (1 x AveMariaRAT, 1 x DBatLoader)
ssdeep 12288:dN7i6PeBQ9p1nU+Ji+/F1u1mlNHbsgyAvBvvc+X2B+d4ELSQZBLLKbIt383739Db:d5i6lnUr+fuMpNDJ2UxtkRN0D9i1
TLSH T11E559EE073620C71D4A625BDCC4BB3A40AFB3DE4691519CE82E1B90B6DB6391FD6406F
TrID 74.5% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
12.2% (.EXE) InstallShield setup (43053/19/16)
4.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
3.7% (.SCR) Windows screen saver (13097/50/3)
1.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon 74f0f4d2d4c4d0d4 (1 x AveMariaRAT, 1 x DBatLoader)
Reporter malwarelabnet
Tags:DBatLoader exe ModiLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
279
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
deposit n.exe
Verdict:
Malicious activity
Analysis date:
2023-09-25 12:28:52 UTC
Tags:
dbatloader formbook xloader stealer
Link:
https://app.any.run/tasks/c0d532c0-a8ba-4ba2-b95f-0eef3d5b7f22

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
ModiLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/451076/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.30340.15001.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Creating a process with a hidden window
Searching for the window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Gathering data
Verdict:
Likely Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control keylogger lolbin overlay replace zusy
Link:
https://www.filescan.io/uploads/65117c9632ffdb7a7a136bc3/reports/36cc1216-4c9d-4046-b383-af0a926e0a31/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/7d42baf12969f24e3f68e53b146b4f049c1f772396c2e68c1a18bf75e26992ad
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dbatloader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/34bfdcf9-c13a-4c47-a435-782966006a06
Result
Threat name:
DBatLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1313875
Signature
Allocates many large memory junks
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1313875 Sample: deposit_n.exe Startdate: 25/09/2023 Architecture: WINDOWS Score: 100 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 3 other signatures 2->56 9 deposit_n.exe 1 2 2->9         started        14 Kvdxmylt.PIF 2->14         started        16 Kvdxmylt.PIF 2->16         started        process3 dnsIp4 36 web.fe.1drv.com 9->36 38 u0wrfw.ph.files.1drv.com 9->38 44 2 other IPs or domains 9->44 34 C:\Users\Public\Libraries\Kvdxmylt.PIF, PE32 9->34 dropped 62 Drops PE files with a suspicious file extension 9->62 64 Writes to foreign memory regions 9->64 66 Allocates memory in foreign processes 9->66 68 Allocates many large memory junks 9->68 18 colorcpl.exe 2 9->18         started        40 web.fe.1drv.com 14->40 46 3 other IPs or domains 14->46 70 Multi AV Scanner detection for dropped file 14->70 72 Injects a PE file into a foreign processes 14->72 21 colorcpl.exe 14->21         started        42 web.fe.1drv.com 16->42 48 3 other IPs or domains 16->48 23 colorcpl.exe 16->23         started        file5 signatures6 process7 signatures8 58 Maps a DLL or memory area into another process 18->58 60 Queues an APC in another process (thread injection) 18->60 25 cBPudCseYWJHxSQy.exe 18->25 injected process9 process10 27 svchost.exe 25->27         started        signatures11 74 Maps a DLL or memory area into another process 27->74 30 cBPudCseYWJHxSQy.exe 27->30 injected 32 explorer.exe 27->32 injected process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7d42baf12969f24e3f68e53b146b4f049c1f772396c2e68c1a18bf75e26992ad/
Threat name:
Win32.Trojan.ModiLoader
Create hunting rule
Status:
Malicious
First seen:
2023-09-23 08:13:26 UTC
File Type:
PE (Exe)
Extracted files:
106
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pvblv4jjnhze4p3i4u5ri22pasob65zds3bonda2dc7xlytjskwq._file
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader persistence spyware stealer trojan
Link:
https://tria.ge/reports/230925-pmrgnaeg7y/
Behaviour
Modifies Internet Explorer settings
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
ModiLoader Second Stage
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
cba4816de6e72d867e32efff1a2aec17fb05f32f522321696510e9ea7bfbf807
MD5 hash:
f63cb8a6dacfbd4f51c03ace6e0909fa
SHA1 hash:
d908d6f2785e4f8a3077a9a62b92fd54a4ebf46e
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/c67fa6ba-27e3-45e6-a939-1c5b147a091e/
Parent samples :
ac3e8b42a550451d60e23bc3252ca7e8023e72b38fafd33a5e7357d11b212458
a55705a5d4e2cf1e3d98b3081a2523c83c02b034f1b3dedcadc7731711863eb4
3f91df1694752e2393e88e98c63348a310db58b7665d6e9d2ec7b2e84344aeda
131a53178cbae4b360182b1b2913374dad6fb40423c1ce528874a720c053ec7d
95c4b78aa2574cc094f0ab1ca7fac7b2adef8123aab82680c1a88df43f5a282e
7d42baf12969f24e3f68e53b146b4f049c1f772396c2e68c1a18bf75e26992ad
SH256 hash:
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
MD5 hash:
c116d3604ceafe7057d77ff27552c215
SHA1 hash:
452b14432fb5758b46f2897aeccd89f7c82a727d
Link:
https://www.unpac.me/results/c67fa6ba-27e3-45e6-a939-1c5b147a091e/
SH256 hash:
7d42baf12969f24e3f68e53b146b4f049c1f772396c2e68c1a18bf75e26992ad
MD5 hash:
bd26661f88b0ea96cbab760644eb76bd
SHA1 hash:
134b0dde0f9dfca361244080c78b5f95fc6004b0
Link:
https://www.unpac.me/results/c67fa6ba-27e3-45e6-a939-1c5b147a091e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7d42baf12969/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7d42baf12969f24e3f68e53b146b4f049c1f772396c2e68c1a18bf75e26992ad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/451076/

Comments