MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9195f22b8899a2e762b0c3fb1e8c16841159644608b4fca8a963c1d95adaa365. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9195f22b8899a2e762b0c3fb1e8c16841159644608b4fca8a963c1d95adaa365
SHA3-384 hash: 7cbf405b10e003955068101590e4febedef5dcdb6b01eb0cff0fb55f8916b57270e8928cc7250306c4d4936cffcda1b6
SHA1 hash: 45150428755b7782ac7c9b14ce284535e5022ae0
MD5 hash: b465857ae91273991dd72307af91a130
humanhash: michigan-vegan-mango-mountain
File name:AnyDesk.pif.bin
Download: download sample
Signature DBatLoader
Create hunting rule
File size:1'123'328 bytes
First seen:2025-01-30 12:13:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e83d68c4369cae53d32d078a87dd39a3 (1 x DBatLoader)
ssdeep 24576:IGsEGUsvzTJy1eHBBikS7DRz651SmQA6WRApNX:IG/srjOFTWRApNX
Threatray 64 similar samples on MalwareBazaar
TLSH T1B8358E33A2705876D6522D344C1FF2A89C2DBE732EF8ED8167DD19589F7A480B8242D7
TrID 38.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
28.2% (.EXE) Win64 Executable (generic) (10522/11/4)
12.0% (.EXE) Win32 Executable (generic) (4504/4/1)
5.5% (.EXE) Win16/32 Executable Delphi generic (2072/23)
5.4% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
File icon (PE):PE icon
dhash icon 27d0d8d6d6d8d023 (11 x RemcosRAT, 6 x DBatLoader, 5 x ModiLoader)
Reporter JAMESWT_WT
Tags:DBatLoader exe NEOFX Spam-ITA

Intelligence

File Origin
# of uploads :
1
# of downloads :
425
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0x0008000000023c13-29
Verdict:
Malicious activity
Analysis date:
2025-01-30 10:22:51 UTC
Tags:
delphi auto generic sinkhole snake keylogger evasion m0yv stealer smtp
Link:
https://app.any.run/tasks/3871d31f-50b2-4c94-b3cd-a851ee4009a4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Variant.Jaik.266533.6912.30906.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=679b52f929ae628cf42b8b8b
Tags:
delphi emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Launching a process
Creating a service
Launching a service
Loading a system driver
Moving a recently created file
Creating a file in the %temp% directory
Creating a file in the %AppData% directory
Modifying an executable file
Searching for synchronization primitives
Creating a file in the Windows subdirectories
Modifying a system executable file
Connection attempt to an infection source
Sending an HTTP GET request
Reading critical registry keys
Modifying a system file
Changing a file
Enabling autorun for a service
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Query of malicious DNS domain
Infecting executable files
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context borland_delphi fingerprint keylogger masquerade
Link:
https://www.filescan.io/uploads/679b6d11addd15cb0b17f185/reports/641ffa89-4615-4bcb-8091-c86349755e23/overview
Verdict:
Suspicious
Labled as:
Malware_
Link:
https://www.hybrid-analysis.com/sample/9195f22b8899a2e762b0c3fb1e8c16841159644608b4fca8a963c1d95adaa365
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/97880700-cfbd-4889-9dcd-513eb5c3922f
Result
Threat name:
DBatLoader, MassLogger RAT, PureLog Stea
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1603012
Signature
Allocates many large memory junks
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to behave differently if execute on a Russian/Kazak computer
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates files in the system32 config directory
Creates files inside the volume driver (system volume information)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executable to a common third party application directory
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Infects executable files (exe, dll, sys, html)
Joe Sandbox ML detected suspicious sample
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Suspicious Program Location with Network Connections
Suricata IDS alerts for network traffic
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected MassLogger RAT
Yara detected PureLog Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1603012 Sample: AnyDesk.pif.bin.exe Startdate: 30/01/2025 Architecture: WINDOWS Score: 100 68 reallyfreegeoip.org 2->68 70 zlenh.biz 2->70 72 19 other IPs or domains 2->72 90 Suricata IDS alerts for network traffic 2->90 92 Found malware configuration 2->92 94 Malicious sample detected (through community Yara rule) 2->94 98 18 other signatures 2->98 8 AnyDesk.pif.bin.exe 1 10 2->8         started        13 Lqsrhpvh.PIF 2->13         started        15 Lqsrhpvh.PIF 2->15         started        17 21 other processes 2->17 signatures3 96 Tries to detect the country of the analysis system (by using the IP) 68->96 process4 dnsIp5 80 drive.usercontent.google.com 142.250.184.193, 443, 50830 GOOGLEUS United States 8->80 82 drive.google.com 216.58.206.46, 443, 50828, 50829 GOOGLEUS United States 8->82 60 C:\Windows \SysWOW64\truesight.sys, PE32+ 8->60 dropped 62 C:\Windows \SysWOW6462ETUTILS.dll, PE32+ 8->62 dropped 64 C:\Users\Public\Libraries\hvphrsqL.pif, PE32 8->64 dropped 66 7 other files (6 malicious) 8->66 dropped 110 Drops PE files with a suspicious file extension 8->110 112 Writes to foreign memory regions 8->112 114 Allocates memory in foreign processes 8->114 116 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 8->116 19 hvphrsqL.pif 15 3 8->19         started        24 cmd.exe 3 8->24         started        26 cmd.exe 1 8->26         started        28 VSSVC.exe 8->28         started        118 Sample uses process hollowing technique 13->118 120 Sample is not signed and drops a device driver 13->120 122 Allocates many large memory junks 13->122 30 hvphrsqL.pif 13->30         started        32 cmd.exe 13->32         started        34 cmd.exe 13->34         started        36 hvphrsqL.pif 15->36         started        38 2 other processes 15->38 84 lpuegx.biz 82.112.184.197, 50865, 50985, 50999 FIRST_LINE-SP_FOR_B2B_CUSTOMERSUPSTREAMSRU Russian Federation 17->84 86 xlfhhhm.biz 47.129.31.212, 51138, 80 ESAMARA-ASRU Canada 17->86 88 2 other IPs or domains 17->88 124 Creates files inside the volume driver (system volume information) 17->124 126 Creates files in the system32 config directory 17->126 128 Contains functionality to behave differently if execute on a Russian/Kazak computer 17->128 130 Found direct / indirect Syscall (likely to bypass EDR) 17->130 file6 signatures7 process8 dnsIp9 74 reallyfreegeoip.org 104.21.112.1, 443, 50837, 50852 CLOUDFLARENETUS United States 19->74 76 cvgrf.biz 54.244.188.177, 50831, 50835, 50846 AMAZON-02US United States 19->76 78 8 other IPs or domains 19->78 52 C:\Windows\System32\wbengine.exe, PE32+ 19->52 dropped 54 C:\Windows\System32\wbem\WmiApSrv.exe, PE32+ 19->54 dropped 56 C:\Windows\System32\vds.exe, PE32+ 19->56 dropped 58 141 other malicious files 19->58 dropped 100 Detected unpacking (changes PE section rights) 19->100 102 Detected unpacking (overwrites its own PE header) 19->102 104 Tries to steal Mail credentials (via file / registry access) 19->104 108 2 other signatures 19->108 40 conhost.exe 24->40         started        42 conhost.exe 26->42         started        44 conhost.exe 32->44         started        46 conhost.exe 34->46         started        106 Tries to harvest and steal browser information (history, passwords, etc) 36->106 48 conhost.exe 38->48         started        50 conhost.exe 38->50         started        file10 signatures11 process12
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9195f22b8899a2e762b0c3fb1e8c16841159644608b4fca8a963c1d95adaa365
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9195f22b8899a2e762b0c3fb1e8c16841159644608b4fca8a963c1d95adaa365/
Threat name:
Win32.Trojan.Malgent
Create hunting rule
Status:
Malicious
First seen:
2025-01-30 10:22:51 UTC
File Type:
PE (Exe)
Extracted files:
44
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sgk7ek4itgrooyvqyp5r5dawqqivszcgbc2pzkfjmpa5sww2unsq._file
Verdict:
malicious
Label(s):
dbatloader
Create hunting rule
expiro
Create hunting rule
Similar samples:
107f5b7d95b1d5da610d6716545e5646f0c2b60e6e26e1bd835a862c6afb3dee
DBatLoader
1273e390eab2f69aa5ed380f296a7cd6c8ff01142367fe5dd76eae5f515947e2
DBatLoader
3ca1c11c2d4173581e8007b955c912dd1d6abdb1bafe03924aca8cba437df745
DBatLoader
5f0d6bb3445ed0c410b2dd8874cf7fc7b1c4e06cc2e620790eb782f2c339c796
DBatLoader
609466fcae46344a419e4811e83b5299e2b94107bc1956bf71713764a153b1c0
DBatLoader
9a759f2ef8ee16b697f30aab51fc726f9697b338e0aba56c063860146bbfc76b
DBatLoader
b10016211f6c0ad5738fa25a9c742291a7a92ed2c0f383ef30c356fff04f6bcc
DBatLoader
cb45d6a207ad4218619ad1b7e1001b55201894ef21f717588e5f3df5122c0583
DBatLoader
ec01b76e956bceeec02a2bf5004ec837639562729f5ea4fd61f2f9f1ea0e803f
DBatLoader
ed0b66043d5223c79f2206468bd12d369d933e0db2234508702ce7402579835f
DBatLoader
error
DBatLoader
+ 54 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader collection discovery persistence spyware stealer trojan
Link:
https://tria.ge/reports/250130-peatyaspcl/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Verdict:
Malicious
Tags:
404keylogger expiro
YARA:
n/a
Link:
https://app.threat.zone/submission/e5b20ae2-cd2b-48d8-8c10-94a5d500d57b
Unpacked files
SH256 hash:
9195f22b8899a2e762b0c3fb1e8c16841159644608b4fca8a963c1d95adaa365
MD5 hash:
b465857ae91273991dd72307af91a130
SHA1 hash:
45150428755b7782ac7c9b14ce284535e5022ae0
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/995c6b57-fae5-4ea0-b3a2-aba9d2943de0/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9195f22b8899/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9195f22b8899a2e762b0c3fb1e8c16841159644608b4fca8a963c1d95adaa365

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryExA
kernel32.dll::LoadLibraryA
kernel32.dll::GetStartupInfoA
kernel32.dll::GetDiskFreeSpaceA
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::FindFirstFileA
version.dll::GetFileVersionInfoSizeA
version.dll::GetFileVersionInfoA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::EmptyClipboard
user32.dll::FindWindowA
user32.dll::OpenClipboard
user32.dll::PeekMessageA

Comments