MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81b969f8c2a9ced7707abce96338c925995da376e96841727982c59362f0eb30. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DBatLoader

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	81b969f8c2a9ced7707abce96338c925995da376e96841727982c59362f0eb30
SHA3-384 hash:	2a439eae8d1ffb54a13b7eeb8e5b72e986527908893db16d41a2d9ce50f869e4764223765021d407f50b6db6f1fb188a
SHA1 hash:	cdc7e614ecae8e0dbbd64a33aafd4937580017cd
MD5 hash:	ac144446a303aaca682e1d6654aa7150
humanhash:	tennessee-uranus-oklahoma-two
File name:	81b969f8c2a9ced7707abce96338c925995da376e96841727982c59362f0eb30
Download:	download sample
Signature	DBatLoader Create hunting rule
File size:	1'106'944 bytes
First seen:	2022-09-07 07:50:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	5dc555aba1bcf8cc83a1840dd1f96bfd (6 x DBatLoader, 2 x RemcosRAT)
ssdeep	24576:o6JOY7Bt7MeZCRzqwYGrX9KWIvf4nSzl:o2vFGJK5WSz
Threatray	530 similar samples on MalwareBazaar
TLSH	T1FB358D33B2A3DC37C176557BDF06A2689C697E007A7CA8852BF46F9C1F70A507919283
TrID	28.5% (.SCR) Windows screen saver (13101/52/3) 22.9% (.EXE) Win64 Executable (generic) (10523/12/4) 14.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 9.8% (.EXE) Win32 Executable (generic) (4505/5/1) 6.5% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):
dhash icon	33d0d89696d8d033 (14 x ModiLoader, 9 x DBatLoader, 6 x Formbook)
Reporter	adrian__luca
Tags:	DBatLoader exe

Intelligence

File Origin

# of uploads :

# of downloads :

211

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

81b969f8c2a9ced7707abce96338c925995da376e96841727982c59362f0eb30

Verdict:

Suspicious activity

Analysis date:

2022-09-07 07:50:32 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/ea746128-02f3-4828-b5ae-1bdbdd10f4d9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/308366/

Detection(s):

SecuriteInfo.com.generic.ml.28883.3843.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

DNS request

Sending a custom TCP request

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/36888/overview

Behaviour

MalwareBazaar

CheckScreenResolution

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

keylogger

Link:

https://www.filescan.io/uploads/63184da51b1b551d04c245f2/reports/58ed947b-ccef-4d4a-b16b-5b77b315d975/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5b07d46e-4b6b-401f-a2ac-d8708387aaef

Result

Threat name:

DBatLoader

Detection:

malicious

Classification:

troj.expl

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/1066171

Signature

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Multi AV Scanner detection for submitted file

Yara detected DBatLoader

Yara detected UAC Bypass using ComputerDefaults

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/81b969f8c2a9ced7707abce96338c925995da376e96841727982c59362f0eb30/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2022-08-09 09:47:18 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qg4wt6gcvhhno4d2xtuwgogjewmv3i3w5fuec4tzqlczgyxq5mya._file

Verdict:

malicious

DBatLoader

58bbb797b31decdd5f9d260a27fc96728c8151753b7533263f692c9ea8f0c349

DBatLoader

6b8b620534b94530ba467af917e0365640b83b1edd8a39eaa00ebf441e2e34c0

DBatLoader

7d5c7b03dcc7496b6dfb7f5726b3901d48da7ed3dd8e6d171db278e7ba9902b0

DBatLoader

8043ea1eec1337542f54a3da01248f048588f43c2f5a434d425775dbb3ddd6b3

DBatLoader

925e3fe8b8f4fa60dcfc261154c3fc8a6d296efcdb83ab1a18e710fa150090f1

DBatLoader

9e58ee070798a5d3826b827e575d87746ffc1c10c1d07240263b35cf95a9f449

DBatLoader

a1ab4430d2f436338e690327acc1869f2d0717d63093281337c33c6b99c602f9

DBatLoader

d09e0e3cdb3fa52dcea7852176dc97aac0741e85b22bd088fd0bf0633e3f3bbb

DBatLoader

+ 520 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/220907-jptrxagfak/

Behaviour

Modifies system certificate store

Suspicious use of WriteProcessMemory

Program crash

Unpacked files

SH256 hash:

6e4aba5f91f4d01295db6a25820bccf96e982c11dc19eac820ec094e8bc5b5b2

MD5 hash:

32cd4b21204a9e867088e41a0be8f6aa

SHA1 hash:

21f622535ca5ed8c0670382c420d380ba4a41799

Detections:

win_dbatloader_g1

Link:

https://www.unpac.me/results/7a2248bb-f5b0-48fc-a62f-083d08062f02/

Parent samples :

925e3fe8b8f4fa60dcfc261154c3fc8a6d296efcdb83ab1a18e710fa150090f1
7d5c7b03dcc7496b6dfb7f5726b3901d48da7ed3dd8e6d171db278e7ba9902b0
8043ea1eec1337542f54a3da01248f048588f43c2f5a434d425775dbb3ddd6b3
6b8b620534b94530ba467af917e0365640b83b1edd8a39eaa00ebf441e2e34c0
d09e0e3cdb3fa52dcea7852176dc97aac0741e85b22bd088fd0bf0633e3f3bbb
0454c0078d232502c16596fb561e698d11c2d68c1905d68a9578385a6a116a00
bc061c3fc38da5c64b98ca941334021a3588891eed56ba0458f5f3ca6b364081
c7046054dfa14ba59f91b14d7039a7d4bff88e62cb0b9bfaf6b3eb247662d5ce
9e58ee070798a5d3826b827e575d87746ffc1c10c1d07240263b35cf95a9f449
8b7641fa594fce9205916ac35de0c043177580e9469770f5e39adf0a72b858c4
da94505a95c11c751468743c7eb6cef882f99c6c5ad4ca0b24b4c3e36d0ea11c
e0b0ea6e18a229592ade98b150d52359b60a7169fc60952e4b5e098ce83a563a
ccf73ee5de39b84ab80990fc250259b3262abe80c2ed84c4284f78d05b0f5e4e
6a147da6ac0eec13aeaf08e385f27f58132562980c1ff628f4a4dc98ed70e202
efe38e24a3e9e5e0b6728cd3c25e36b51dee90ec0587b908a03335cf0f6757cb
3752b7276189f276a42e2ee99480c513f8a57554991644a98c7460671ec9d3c8
c830a445d79d79573e7da5f3a94fe72aa74d07fbcbb84d759915461202be06d8
bb51ea0bd2ae770fb729c3e84f1dd896e65312768893412fec620847a98cd8b5
a1ab4430d2f436338e690327acc1869f2d0717d63093281337c33c6b99c602f9
0c32394238d4d1a1865110e6f226475422a241176c28f909f114204bf9af9a92
3366a4efc3ab34464c6372c24a2d10c4919cab1d75223f4d7ab9d03299f68ed7
58bbb797b31decdd5f9d260a27fc96728c8151753b7533263f692c9ea8f0c349
4637f2930df07d5ed81ccc672ca39782c5ec2d8e77e9aba269128986a2fda5ea
81b969f8c2a9ced7707abce96338c925995da376e96841727982c59362f0eb30

SH256 hash:

81b969f8c2a9ced7707abce96338c925995da376e96841727982c59362f0eb30

MD5 hash:

ac144446a303aaca682e1d6654aa7150

SHA1 hash:

cdc7e614ecae8e0dbbd64a33aafd4937580017cd

Link:

https://www.unpac.me/results/7a2248bb-f5b0-48fc-a62f-083d08062f02/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/81b969f8c2a9ced7707abce96338c925995da376e96841727982c59362f0eb30

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/308366/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample