MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 915bbdf3cf472b1eb3ce2e4a3859214867cd885899b7c26bc13561709e122920. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 18


Intelligence 18 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 915bbdf3cf472b1eb3ce2e4a3859214867cd885899b7c26bc13561709e122920
SHA3-384 hash: c20f0f85d813ed426e781aace34e526230cf36e025098a2e1a10519d061dd0ff8eaaa459701d1c6ae5e2ca3fc7db9ee7
SHA1 hash: 51af9ad52cde4bb1f6530a3749156e3cfb9c02ae
MD5 hash: 0130d4e45a1234b1f577ed02de66b53c
humanhash: echo-bakerloo-yellow-hydrogen
File name:Quotation.exe
Download: download sample
Signature DBatLoader
Create hunting rule
File size:1'624'576 bytes
First seen:2025-10-16 08:22:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4796c58eedaa7386f0fbea35b26f8290 (4 x a310Logger, 2 x DBatLoader, 2 x RemcosRAT)
ssdeep 24576:J4aAGEc6iG+Vr4cQwheInXzYQAh+F4cGcy6vwEfi5EkkPGlib8iRns:mdL0zXA6/Gcy/Ekra8gns
Threatray 1'119 similar samples on MalwareBazaar
TLSH T16475E021E3C2443AD322157DDC2BD7C658197A612F18BA6E76DDDB583FFE2C22C26052
TrID 45.4% (.EXE) Win64 Executable (generic) (10522/11/4)
19.4% (.EXE) Win32 Executable (generic) (4504/4/1)
8.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
8.7% (.EXE) OS/2 Executable (generic) (2029/13)
8.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter threatcat_ch
Tags:DBatLoader exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
Quotation.exe
Verdict:
Malicious activity
Analysis date:
2025-10-16 08:27:23 UTC
Tags:
delphi remcos rat auto-sch
Link:
https://app.any.run/tasks/2a7119a2-b710-4447-b784-66239451c18c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/33037/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68f0ab8b0cffb32442984774
Tags:
autorun delphi emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file
Launching a process
Creating a process with a hidden window
Creating a process from a recently created file
Connection attempt to an infection source
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the %temp% directory
Reading critical registry keys
Sending an HTTP GET request
Launching a service
Moving of the original file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Query of malicious DNS domain
Sending a TCP request to an infection source
Forced shutdown of a system process
Stealing user critical data
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug borland_delphi explorer fingerprint keylogger lolbin overlay packed zero
Link:
https://www.filescan.io/uploads/68f0ab96cd7e15f338cad4ab/reports/3428beb3-eb06-4038-b4d0-4230f615bff1/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/915bbdf3cf472b1eb3ce2e4a3859214867cd885899b7c26bc13561709e122920
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-16T04:20:00Z UTC
Last seen:
2025-10-18T05:36:00Z UTC
Hits:
~1000
Detections:
Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Greedy.sb Trojan-Dropper.Win32.Injector.qcik HEUR:Trojan.Win32.DelfInject.gen Trojan-Dropper.Win32.Injector Trojan.Win64.Agentb.sb Trojan.Win32.Inject.sb not-a-virus:HEUR:PSWTool.Win32.PassView.c not-a-virus:HEUR:PSWTool.Win32.PassView.b not-a-virus:HEUR:PSWTool.Win32.PassView.a
Link:
https://opentip.kaspersky.com/915bbdf3cf472b1eb3ce2e4a3859214867cd885899b7c26bc13561709e122920/results?tab=lookup
Malware family:
ModiLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4df5cac3-4b9b-436a-b36e-4615b8473e77
Result
Threat name:
Remcos, DBatLoader
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1796366
Signature
Allocates many large memory junks
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to determine the online IP of the system
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the user root directory
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Sigma detected: Remcos
Sigma detected: Suspicious Program Location with Network Connections
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1796366 Sample: Quotation.exe Startdate: 16/10/2025 Architecture: WINDOWS Score: 100 44 chukwunweikefrankokiteamaekeibeku.ydns.eu 2->44 46 bg.microsoft.map.fastly.net 2->46 48 2 other IPs or domains 2->48 72 Suricata IDS alerts for network traffic 2->72 74 Found malware configuration 2->74 76 Malicious sample detected (through community Yara rule) 2->76 78 14 other signatures 2->78 8 Quotation.exe 3 2->8         started        12 rundll32.exe 3 2->12         started        signatures3 process4 file5 36 C:\Users\Public\edskpewmY.exe, PE32 8->36 dropped 90 Drops PE files to the user root directory 8->90 92 Uses schtasks.exe or at.exe to add and modify task schedules 8->92 94 Writes to foreign memory regions 8->94 96 4 other signatures 8->96 14 edskpewmY.exe 4 16 8->14         started        19 schtasks.exe 1 8->19         started        21 Ymwepksde.exe 12->21         started        signatures6 process7 dnsIp8 50 chukwunweikefrankokiteamaekeibeku.ydns.eu 80.76.49.78, 2558, 49687, 49688 CLOUDCOMPUTINGDE Bulgaria 14->50 52 api.findip.net 172.67.214.3, 443, 49692 CLOUDFLARENETUS United States 14->52 54 api.ipify.org 172.67.74.152, 443, 49689 CLOUDFLARENETUS United States 14->54 38 C:\Users\user\AppData\Local\Temp\THB2F5.tmp, MS-DOS 14->38 dropped 40 C:\Users\user\AppData\Local\Temp\THB2A5.tmp, MS-DOS 14->40 dropped 42 C:\Users\user\AppData\Local\Temp\THB247.tmp, PE32 14->42 dropped 56 Contains functionality to bypass UAC (CMSTPLUA) 14->56 58 Detected unpacking (changes PE section rights) 14->58 60 Detected Remcos RAT 14->60 70 9 other signatures 14->70 23 RmClient.exe 1 14->23         started        26 RmClient.exe 1 14->26         started        28 RmClient.exe 2 14->28         started        34 4 other processes 14->34 30 conhost.exe 19->30         started        62 Writes to foreign memory regions 21->62 64 Allocates memory in foreign processes 21->64 66 Sample uses process hollowing technique 21->66 68 Allocates many large memory junks 21->68 32 edskpewmY.exe 21->32         started        file9 signatures10 process11 signatures12 80 Tries to steal Instant Messenger accounts or passwords 23->80 82 Tries to steal Mail credentials (via file / registry access) 23->82 84 Tries to harvest and steal browser information (history, passwords, etc) 26->84 86 Detected Remcos RAT 32->86 88 Tries to steal Mail credentials (via file registry) 34->88
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/915bbdf3cf472b1eb3ce2e4a3859214867cd885899b7c26bc13561709e122920
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/0130d4e45a1234b1f577ed02de66b53c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/915bbdf3cf472b1eb3ce2e4a3859214867cd885899b7c26bc13561709e122920/
Verdict:
Malicious
Threat:
Family.REMCOS
Link:
https://tip.neiki.dev/file/915bbdf3cf472b1eb3ce2e4a3859214867cd885899b7c26bc13561709e122920
Threat name:
Win32.Trojan.DBatLoader
Create hunting rule
Status:
Malicious
First seen:
2025-10-16 07:51:28 UTC
File Type:
PE (Exe)
Extracted files:
43
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sfn3346pi4vr5m6ofzfdqwjbjbt43ccytg34e26bgvqxbhqsfeqa._file
Verdict:
malicious
Label(s):
nirsoft
Create hunting rule
remcos
Create hunting rule
dbatloader
Create hunting rule
Similar samples:
180ff754e1650b8dbc392f425b79021d1a8b09fdaf60897c6d3e5ddaef146370
DBatLoader
32854f6bd0f40b5de1e8ed8e456508d1db5a9b44293f3f20420f1e1919e794ec
DBatLoader
47dbb57be5618b8002a22685fd9d6e8dd3955232b783be156e7365eecaad08fb
DBatLoader
5756bb7dd6781086bfa7c5af6786f9792c895f29900f37eb92284ab38224c8f8
DBatLoader
7dd988ed0f432c6279698bcf0dc7500ab0153fe77378f06e718a2a3b1534c5d7
DBatLoader
8c548a602595e9ef03eeab8257d07581a7a6824e40a121f22d6a1d780621936b
DBatLoader
915bbdf3cf472b1eb3ce2e4a3859214867cd885899b7c26bc13561709e122920
DBatLoader
b5d0552aa20ae4bec3f41829abfb9e3b797512bcc9cdb9e6454b63f6a6727cea
DBatLoader
b6e3aeb15652420e1cb2168e8bed1e51b0bd5cb72e484fbb1aed6354d6ee3ee2
DBatLoader
d2ed08a124a2e2da4446c03d4487083a7078d901dff790c2ae0a8e61005a1eaf
DBatLoader
error
DBatLoader
+ 1'109 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader collection discovery execution persistence trojan
Link:
https://tria.ge/reports/251016-kae6mswwdv/
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Looks up external IP address via web service
Executes dropped EXE
Detected Nirsoft tools
ModiLoader Second Stage
NirSoft MailPassView
ModiLoader, DBatLoader
Modiloader family
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/979ae997-8160-41af-af96-1223af13f944
Unpacked files
SH256 hash:
915bbdf3cf472b1eb3ce2e4a3859214867cd885899b7c26bc13561709e122920
MD5 hash:
0130d4e45a1234b1f577ed02de66b53c
SHA1 hash:
51af9ad52cde4bb1f6530a3749156e3cfb9c02ae
Link:
https://www.unpac.me/results/7c441af2-c5c3-42fd-8bc5-c04a897e5b4d/
Malware family:
WebBrowserPassView
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/915bbdf3cf47/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/915bbdf3cf472b1eb3ce2e4a3859214867cd885899b7c26bc13561709e122920

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:TeslaCryptPackedMalware
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DBatLoader

Executable exe 915bbdf3cf472b1eb3ce2e4a3859214867cd885899b7c26bc13561709e122920

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/33037/

Comments