MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 92d256d51b6838c1a79f0b092c962c54587f6e8e0879676d9f8e225557c1ef9b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 92d256d51b6838c1a79f0b092c962c54587f6e8e0879676d9f8e225557c1ef9b
SHA3-384 hash: ac846f6bf684286773ba9e9cca387533d061d9716c9c34cc3769d78f06440ad0fa50cfd566c6252efb049277c9f9e8d3
SHA1 hash: 4c5cb7af82e2898b881476b011bab031404ee48b
MD5 hash: e889cd39da3e9f962667476c76d6bae1
humanhash: floor-wisconsin-romeo-mars
File name:CNY-Payment Receipt-XXXXX2822_HRUGL1_R1110163-020820221620071907.exe
Download: download sample
Signature DBatLoader
Create hunting rule
File size:1'019'904 bytes
First seen:2022-08-03 20:31:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash baa95e98690e6e2028cb267760e931e3 (4 x DBatLoader, 1 x ModiLoader)
ssdeep 24576:4NZFLUG3u3e+CuySLJj7tGZJqz5d52Ep8rW:4jDVk70UForW
Threatray 14'489 similar samples on MalwareBazaar
TLSH T12625AF32B2D04837D072167C9C1B52E5692B7E102935A98A7BED3D8C9F3B79138293D7
TrID 45.7% (.OCX) Windows ActiveX control (116521/4/18)
16.9% (.EXE) InstallShield setup (43053/19/16)
16.3% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
5.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
5.1% (.SCR) Windows screen saver (13101/52/3)
File icon (PE):PE icon
dhash icon c8ccc4c4c4c4c4e4 (4 x DBatLoader, 1 x ModiLoader)
Reporter FORMALITYDE
Tags:DBatLoader exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
329
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
CNY-Payment Receipt-XXXXX2822_HRUGL1_R1110163-020820221620071907.exe
Verdict:
Malicious activity
Analysis date:
2022-08-03 20:32:18 UTC
Tags:
installer formbook trojan stealer
Link:
https://app.any.run/tasks/c82e4907-4d1a-415f-8f53-46deb326397c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/296289/
Detection(s):
SecuriteInfo.com.Artemis398D823D2B3E.1990.14044.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Creating a file
Launching cmd.exe command interpreter
Creating a process with a hidden window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger packed
Link:
https://www.filescan.io/uploads/62eadb87d40ca366615b8a59/reports/5ad37590-233c-44bf-b204-1478c646dd51/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/bd7d2772-43f5-4539-b9ab-83641aa1c87a
Result
Threat name:
DBatLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1045917
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 678411 Sample: CNY-Payment Receipt-XXXXX28... Startdate: 03/08/2022 Architecture: WINDOWS Score: 100 34 Malicious sample detected (through community Yara rule) 2->34 36 Multi AV Scanner detection for submitted file 2->36 38 Yara detected DBatLoader 2->38 40 3 other signatures 2->40 7 CNY-Payment Receipt-XXXXX2822_HRUGL1_R1110163-020820221620071907.exe 1 18 2->7         started        12 Zexxwx.exe 14 2->12         started        14 Zexxwx.exe 15 2->14         started        process3 dnsIp4 32 thebaseballprophet.com 103.150.31.22, 443, 49745, 49748 NETWORK-LEAPSWITCH-INLeapSwitchNetworksPvtLtdIN unknown 7->32 28 C:\Users\Public\Libraries\Zexxwx.exe, PE32 7->28 dropped 30 C:\Users\...\Zexxwx.exe:Zone.Identifier, ASCII 7->30 dropped 42 Writes to foreign memory regions 7->42 44 Allocates memory in foreign processes 7->44 46 Creates a thread in another existing process (thread injection) 7->46 48 Injects a PE file into a foreign processes 7->48 16 cmd.exe 1 7->16         started        50 Multi AV Scanner detection for dropped file 12->50 18 cmd.exe 1 12->18         started        20 cmd.exe 1 14->20         started        file5 signatures6 process7 process8 22 conhost.exe 16->22         started        24 conhost.exe 18->24         started        26 conhost.exe 20->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/92d256d51b6838c1a79f0b092c962c54587f6e8e0879676d9f8e225557c1ef9b/
Threat name:
Win32.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2022-08-03 07:28:32 UTC
File Type:
PE (Exe)
Extracted files:
45
AV detection:
20 of 26 (76.92%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sljfnvi3na4mdj47bmeszfrmkrmh63uobb4wo3m7ryrfkv6b56nq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3c4180a41539d6bb417287a3ef07eb27b1d14b46302514c37311ade6da6cb451
DBatLoader
4d11cc329c2e378d5a0f9c1032d01a9fc1f82a8d31fae79e851d05b87dca6563
DBatLoader
51ae31774cff03dd6fcdfc5fbcd7e144348c248aaa5c27802b8865b6494a508a
DBatLoader
70b0584e7af38f6a3df03120166a1378819bf596d6e5d5f1cf64cd3280b2ca61
DBatLoader
773a7b6da3993d34fe9593573317031ac5ae7f66ead9d8b0366274094bbe9c5a
DBatLoader
a6bc755db6d3b08decf7070cdcfc8f0d9448e7c306936bca52ea8b4cbdbacbc7
DBatLoader
b2e993f1197c85683981bec427cd5e5bb4cbf844f053a3c4727a717e9c123cb7
DBatLoader
d1675aae72a475f910d9f51af00f731052fc0ba7f355bfe56dd8f8dc26400cbb
DBatLoader
da66d2f930b291f3f065faa17bc87f4a68de14a6eb227b2b9f5a68d9bf6b475f
DBatLoader
+ 14'479 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader persistence trojan
Link:
https://tria.ge/reports/220803-za9gtagbap/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
ModiLoader Second Stage
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
df5188834ad47e3f01711c40fa863a1117e26df67fbe7bb116d9f3721dd4449e
MD5 hash:
6381d1e28338c4262a7bbe4e1f3fc66d
SHA1 hash:
8f8ab1deb41db7a0a74ef63dafe9b51a8e02e68c
Link:
https://www.unpac.me/results/da05e4af-0dfd-418b-85a9-1fb86fc877d9/
SH256 hash:
92d256d51b6838c1a79f0b092c962c54587f6e8e0879676d9f8e225557c1ef9b
MD5 hash:
e889cd39da3e9f962667476c76d6bae1
SHA1 hash:
4c5cb7af82e2898b881476b011bab031404ee48b
Link:
https://www.unpac.me/results/da05e4af-0dfd-418b-85a9-1fb86fc877d9/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/92d256d51b68/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/92d256d51b6838c1a79f0b092c962c54587f6e8e0879676d9f8e225557c1ef9b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DBatLoader

Executable exe 92d256d51b6838c1a79f0b092c962c54587f6e8e0879676d9f8e225557c1ef9b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/296289/

Comments