MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7dfce3a0720f43452cb6730b9fe1a4496a5ad2bf4ac6e41e37b4ad0a499f1122. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7dfce3a0720f43452cb6730b9fe1a4496a5ad2bf4ac6e41e37b4ad0a499f1122
SHA3-384 hash: da9a457b9efed62fa020508e649eaf8de5036b4dde4b768ce516c02a52efae3bf2557a4e32ac1c4f040e3579722b89af
SHA1 hash: b5dc04d2ddf645888327ddea7093afce9e8d9292
MD5 hash: 363a982ff2a7239d8a6b4317883b5b83
humanhash: river-kilo-comet-september
File name:cnmpaui.dll
Download: download sample
Signature DBatLoader
Create hunting rule
File size:710'656 bytes
First seen:2025-10-06 10:02:26 UTC
Last seen:2025-10-09 11:45:18 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 86cfc4cda6a4130f1c9e0fa424c8693b (1 x DBatLoader)
ssdeep 12288:N/WmFu4MJlqAOY5SAGEKoam5dYAO6oHI7PS4XxMEbgB:R3cflqA/5SIdaQlgHI7PS4X3
TLSH T1DBE47E61F6904636D1337A355C0BA3A9A818BA303978FC5737D52E888EFB781381ED57
TrID 35.4% (.EXE) Win64 Executable (generic) (10522/11/4)
22.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.1% (.EXE) Win32 Executable (generic) (4504/4/1)
6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter cocaman
Tags:DBatLoader dll INVOICE

Intelligence

File Origin
# of uploads :
127
# of downloads :
78
Origin country :
CH CH
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/30767/
Detection(s):
Win.Trojan.Modiloader-10042434-0
Create hunting rule

Verdict:
Suspicious
Score:
50%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68deba62b54520161ad47dd4
Tags:
injection obfusc crypt
Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context borland_delphi fingerprint keylogger obfuscated
Link:
https://www.filescan.io/uploads/68e393d9d4a0085473c16508/reports/2e0f2c1c-25d2-4967-b7fb-160d47f4ce13/overview
Verdict:
Malicious
Labled as:
TrojanDownloader.ModiLoader
Link:
https://www.hybrid-analysis.com/sample/7dfce3a0720f43452cb6730b9fe1a4496a5ad2bf4ac6e41e37b4ad0a499f1122
Verdict:
Malicious
File Type:
dll x32
First seen:
2025-10-06T07:05:00Z UTC
Last seen:
2025-10-08T06:07:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/7dfce3a0720f43452cb6730b9fe1a4496a5ad2bf4ac6e41e37b4ad0a499f1122/results?tab=lookup
Malware family:
ModiLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6c9f1a73-70c5-4c28-bd72-53311e279cda
Result
Threat name:
DBatLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1789633
Signature
Allocates many large memory junks
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Yara detected DBatLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1789633 Sample: cnmpaui.dll Startdate: 06/10/2025 Architecture: WINDOWS Score: 68 23 Multi AV Scanner detection for submitted file 2->23 25 Yara detected DBatLoader 2->25 27 Joe Sandbox ML detected suspicious sample 2->27 7 loaddll32.exe 1 2->7         started        process3 process4 9 rundll32.exe 7->9         started        12 cmd.exe 1 7->12         started        14 rundll32.exe 7->14         started        16 27 other processes 7->16 signatures5 31 Allocates many large memory junks 9->31 33 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 9->33 18 WerFault.exe 9->18         started        20 rundll32.exe 12->20         started        process6 signatures7 29 Allocates many large memory junks 20->29
Score:
87%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7dfce3a0720f43452cb6730b9fe1a4496a5ad2bf4ac6e41e37b4ad0a499f1122
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/363a982ff2a7239d8a6b4317883b5b83
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7dfce3a0720f43452cb6730b9fe1a4496a5ad2bf4ac6e41e37b4ad0a499f1122/
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-10-06 10:02:31 UTC
File Type:
PE (Dll)
Extracted files:
37
AV detection:
18 of 38 (47.37%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=px6ohidsb5buklfwomfz7ynejfvfvuv7jldoihrxwswqusm7cera._file
Verdict:
malicious
Label(s):
dbatloader
Create hunting rule
Similar samples:
error
DBatLoader
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader discovery trojan
Link:
https://tria.ge/reports/251006-l3amashp41/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Unpacked files
SH256 hash:
7dfce3a0720f43452cb6730b9fe1a4496a5ad2bf4ac6e41e37b4ad0a499f1122
MD5 hash:
363a982ff2a7239d8a6b4317883b5b83
SHA1 hash:
b5dc04d2ddf645888327ddea7093afce9e8d9292
Link:
https://www.unpac.me/results/6e412cdb-a758-4632-891f-a8bffa349847/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.30
Link:
https://yomi.yoroi.company/submissions/7dfce3a0720f43452cb6730b9fe1a4496a5ad2bf4ac6e41e37b4ad0a499f1122

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DBatLoader

xz 9f702282e8b9c1edbfa3ae5b559ec40e03f0a35a897a592fb7660df5af9a2779

DBatLoader

DLL dll 7dfce3a0720f43452cb6730b9fe1a4496a5ad2bf4ac6e41e37b4ad0a499f1122

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 9f702282e8b9c1edbfa3ae5b559ec40e03f0a35a897a592fb7660df5af9a2779
  
Dropped by
MD5 bfd946f6b0030e55a7bfaa36185b8439
Cape
Cape
https://www.capesandbox.com/analysis/30767/

Comments