MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9654cbd553df628f50a99ec6f8b405901898c3c9eb99c8a3ba4fbd586290948b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DBatLoader


Vendor detections: 16



SHA256 hash: 9654cbd553df628f50a99ec6f8b405901898c3c9eb99c8a3ba4fbd586290948b
SHA3-384 hash: 09e90d8c0e1ec0ab605f14237741920d107d74186f96bd34af5f755052d90f8a6623862d4ef66915430a687c1f868707
SHA1 hash: 1b12238410d619f0797042ca0777d7c05b08f410
MD5 hash: f7d9ffe252e26320f26a76fc3f239c50
humanhash: rugby-leopard-moon-yellow
File name: PO_B2W984.com
Signature: DBatLoader
File size: 2'145'792 bytes
First seen: 2025-01-03 19:36:54 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c1249b2dc81238026e760db6b73b768c (1 x VIPKeylogger, 1 x DBatLoader)
ssdeep: 49152:EdqswGco/j1HEFW1bB9HI8QrwiycY5vtxq5GtGco/j1HEFW1bB9HI8QrwiycY5vF:E8swjWdb1jWdbJ
TLSH: T18FA5D033E960D578ECBA37FC5C1752D8D44D3E752EDAF47D21DAAA841721B223868283
TrID: 45.4% (.EXE) Win64 Executable (generic) (10522/11/4)
      19.4% (.EXE) Win32 Executable (generic) (4504/4/1)
      8.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
      8.7% (.EXE) OS/2 Executable (generic) (2029/13)
      8.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika: pebin
dhash icon: fcfcfefffefeffff (1 x VIPKeylogger, 1 x DBatLoader)
Reporter: abuse_ch
Tags: com DBatLoader exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 457
Origin country: NL
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: PO_B2W984.com
Verdict: Malicious activity
Analysis date: 2025-01-03 01:42:38 UTC
Tags: evasion snake keylogger stealer crypto-regex

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: delphi emotet
Result
Verdict: Clean
Maliciousness:
Behaviour
Searching for the window
Creating synchronization primitives
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: adaptive-context borland_delphi fingerprint keylogger masquerade packed packed packer_detected
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: DBatLoader, MassLogger RAT, PureLog Stea
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large strings
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates many large memory junks
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to capture screen (.Net source)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops large PE files
Drops PE files with a suspicious file extension
Found malware configuration
Initial sample is a PE file and has a suspicious name
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Submitted file has a suspicious file extension
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected MassLogger RAT
Yara detected PureLog Stealer
Yara detected Telegram RAT
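Several of the signatures above (the Sigma matches for a base64-encoded MpPreference cmdlet, a new RUN key pointing to a suspicious folder, execution from and parents in the Public folder, plus the schtasks.exe persistence) are the kind of host telemetry a SOC can alert on independently of the sandbox verdict. The following is an added example, not code from MalwareBazaar or from any of the sandbox vendors, that approximates those checks in Python over constructed Sysmon-style events. The file names reuse the ones from the behaviour graph on this page; the parent paths, command lines, registry value name and the Defender exclusion command are hypothetical, and the rule logic is my simplification rather than the exact Sigma rule bodies.

```python
import base64
import re

# Directories that are user-writable and commonly used by droppers
# (the behaviour graph on this page shows C:\Users\Public\Libraries).
SUSPICIOUS_DIRS = ("\\users\\public\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
# Extensions that run as PE files but are rarely legitimate in user folders.
MASQUERADE_EXTS = (".pif", ".com", ".scr")
# PowerShell accepts any unambiguous prefix of -EncodedCommand, followed by base64.
ENC_FLAG = re.compile(
    r"(?:^|\s)-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)
MP_PREF = re.compile(r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion", re.IGNORECASE)

# Constructed sample telemetry (not from the sandbox report). The Defender
# exclusion command is hypothetical; PowerShell encodes it as base64(UTF-16LE).
ENCODED_CMD = base64.b64encode(
    "Add-MpPreference -ExclusionPath 'C:\\Users\\Public\\Libraries'".encode("utf-16-le")
).decode("ascii")

SAMPLE_EVENTS = [
    {"type": "process",
     "image": r"C:\Users\Public\Libraries\rpkhzpuO.pif",
     "parent": r"C:\Users\user\Downloads\PO_B2W984.com",          # hypothetical path
     "cmdline": r"C:\Users\Public\Libraries\rpkhzpuO.pif"},
    {"type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\user\AppData\Roaming\Trading_AIBot.exe",  # hypothetical path
     "cmdline": f"powershell.exe -NoP -W Hidden -enc {ENCODED_CMD}"},
    {"type": "process",
     "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Users\user\AppData\Roaming\Trading_AIBot.exe",  # hypothetical path
     "cmdline": r'schtasks.exe /Create /SC MINUTE /MO 1 /TN "apihost" /TR "C:\Users\user\AppData\Roaming\apihost.exe"'},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Oupzhkpr",  # hypothetical value name
     "value": r"C:\Users\Public\Libraries\Oupzhkpr.PIF"},
    {"type": "process",  # benign control event: must produce no hits
     "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe"},
]


def in_suspicious_dir(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in SUSPICIOUS_DIRS)


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or invalid.

    PowerShell requires base64 of UTF-16LE text, so a blob that does not
    decode that way is either not an encoded command or is corrupted.
    """
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(events):
    """Run the rules over a list of events; return (rule_name, event_index) pairs."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "process":
            image = ev["image"].lower()
            if image.endswith(MASQUERADE_EXTS) and in_suspicious_dir(image):
                hits.append(("pe_with_suspicious_extension_in_suspicious_folder", i))
            if in_suspicious_dir(ev["parent"]):
                hits.append(("parent_process_in_user_writable_folder", i))
            decoded = decode_encoded_command(ev["cmdline"])
            if decoded is not None and MP_PREF.search(decoded):
                hits.append(("base64_encoded_mppreference_exclusion", i))
            if (image.endswith("\\schtasks.exe")
                    and re.search(r"/create\b", ev["cmdline"], re.IGNORECASE)
                    and in_suspicious_dir(ev["cmdline"])):
                hits.append(("schtasks_persistence_into_user_writable_folder", i))
        elif ev["type"] == "registry":
            if "\\currentversion\\run\\" in ev["key"].lower() and in_suspicious_dir(ev["value"]):
                hits.append(("run_key_pointing_to_suspicious_folder", i))
    return hits


if __name__ == "__main__":
    for rule, idx in detect(SAMPLE_EVENTS):
        print(f"{rule:55s} event #{idx}")
```

The encoded-command check decodes the blob and inspects the plaintext; the published Sigma rule instead matches the base64 fragments of the cmdlet name at its three possible alignments, which is cheaper for a SIEM but misses nothing this decoder would catch only when the blob is well formed. Treat the Run-key and schtasks rules as high-signal in combination with the suspicious-extension rule, not individually: installers and some enterprise agents also write Run keys into AppData.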
Behaviour
Behavior Graph (reconstructed from the graph export; node counters omitted):
Behavior Graph ID: 1583547
Sample: PO_B2W984.com
Start date: 03/01/2025
Architecture: WINDOWS
Score: 100
Contacted domains: reallyfreegeoip.org, lwaziacademy.com, 2 other IPs or domains
Sample-level signatures: Submitted file has a suspicious file extension; Found malware configuration; Malicious sample detected (through community Yara rule); 19 other signatures
reallyfreegeoip.org: Tries to detect the country of the analysis system (by using the IP)

Process tree:
PO_B2W984.com
  network: lwaziacademy.com (41.185.8.252, ports 443, 49746, 49747; GridhostZA, South Africa)
  dropped: C:\Users\Public\Libraries\rpkhzpuO.pif (PE32); C:\Users\Public\Libraries\Oupzhkpr.PIF (PE32); C:\Users\Public\Oupzhkpr.url (MS); 2 other malicious files
  signatures: Drops PE files with a suspicious file extension; Writes to foreign memory regions; Allocates memory in foreign processes; Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
  rpkhzpuO.pif
    dropped: C:\Users\user\AppData\...\Trading_AIBot.exe (PE32); C:\Users\user\AppData\...\Microsofts.exe (PE32)
    signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header)
    Trading_AIBot.exe
      dropped: C:\Users\user\AppData\Roaming\...\apihost.exe (PE32)
      signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 3 other signatures
      apihost.exe
        signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
      powershell.exe
        signatures: Loading BitLocker PowerShell Module
        conhost.exe
        WmiPrvSE.exe
      schtasks.exe
        conhost.exe
    Microsofts.exe
      network: checkip.dyndns.com (132.226.8.169, ports 49748, 80; UTMEMUS, United States); reallyfreegeoip.org (104.21.67.152, ports 443, 49749; CLOUDFLARENETUS, United States)
      signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
  cmd.exe
    conhost.exe
Oupzhkpr.PIF
  signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Sample uses process hollowing technique
  cmd.exe
    conhost.exe
  rpkhzpuO.pif
Oupzhkpr.PIF
  signatures: Sample is not signed and drops a device driver; Allocates many large memory junks
  cmd.exe
    conhost.exe
  rpkhzpuO.pif
Threat name: Win32.Trojan.DBatLoader
Status: Malicious
First seen: 2025-01-02 07:26:10 UTC
File Type: PE (Exe)
Extracted files: 50
AV detection: 17 of 23 (73.91%)
Threat level: 5/5
Verdict: malicious
Label(s): dbatloader
Similar samples:
Result
Malware family: n/a
Score: 3/10
Tags: discovery
Behaviour
Script User-Agent
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Verdict: Malicious
Tags: 404keylogger
YARA: n/a
Unpacked files
SHA256 hash: 6b1af54fe5ad55e8f991321c5c017a9d05a8b523b54a3869fd4e07f057af2e81
MD5 hash: 90db72f94d8be1f3aea02e1030001bfd
SHA1 hash: 6c42c39f663d09f4ad33b651978b42441cd4f2ef
Detections: Typical_Malware_String_Transforms
SHA256 hash: 9654cbd553df628f50a99ec6f8b405901898c3c9eb99c8a3ba4fbd586290948b
MD5 hash: f7d9ffe252e26320f26a76fc3f239c50
SHA1 hash: 1b12238410d619f0797042ca0777d7c05b08f410
Detections: DbatLoaderStage1
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: BobSoftMiniDelphiBoBBobSoft
Author: malware-lu
Rule name: Borland
Author: malware-lu
Rule name: pe_detect_tls_callbacks
Rule name: RansomPyShield_Antiransomware
Author: XiAnzheng
Description: Check for Suspicious String and Import combination that Ransomware mostly abuse (can create FP)
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high

Reviews
ID | Capabilities | Evidence
COM_BASE_API | Can Download & Execute components | ole32.dll::CoCreateInstance
WIN32_PROCESS_API | Can Create Process and Threads | kernel32.dll::CloseHandle, kernel32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | kernel32.dll::LoadLibraryExA, kernel32.dll::LoadLibraryA, kernel32.dll::GetStartupInfoA, kernel32.dll::GetDiskFreeSpaceA, kernel32.dll::GetCommandLineA
WIN_BASE_IO_API | Can Create Files | kernel32.dll::CreateFileA, kernel32.dll::FindFirstFileA, version.dll::GetFileVersionInfoSizeA, version.dll::GetFileVersionInfoA
WIN_REG_API | Can Manipulate Windows Registry | advapi32.dll::RegOpenKeyExA, advapi32.dll::RegQueryValueExA
WIN_USER_API | Performs GUI Actions | user32.dll::ActivateKeyboardLayout, user32.dll::CreateMenu, user32.dll::FindWindowA, user32.dll::PeekMessageA, user32.dll::PeekMessageW, user32.dll::CreateWindowExA
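The three BLint findings come from two places in the PE optional header: CHECK_NX and CHECK_PIE are the IMAGE_DLLCHARACTERISTICS_NX_COMPAT (0x0100) and IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040) bits of DllCharacteristics, and CHECK_AUTHENTICODE is a zero-sized certificate table (data directory index 4). The following is an added example, not BLint's or MalwareBazaar's code, that reads exactly those fields from raw headers with nothing but the standard library, so the same triage can be scripted on a quarantined file without installing a PE library. The `build_headers` helper constructs a bare header for testing; it is not derived from this sample, and the severities are copied from the BLint table above.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* flags from the PE optional header (winnt.h values).
HIGH_ENTROPY_VA = 0x0020
DYNAMIC_BASE = 0x0040   # ASLR opt-in; what BLint reports as CHECK_PIE
NX_COMPAT = 0x0100      # DEP opt-in; what BLint reports as CHECK_NX
NO_SEH = 0x0400
GUARD_CF = 0x4000
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # certificate table (Authenticode signature)


def check_pe(data: bytes) -> dict:
    """Parse just enough of a PE header to reproduce BLint's three findings."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    machine, _nsections, _, _, _, _opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:
        pe32plus = False
    elif magic == 0x20B:
        pe32plus = True
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    (dllchars,) = struct.unpack_from("<H", data, opt + 70)
    # NumberOfRvaAndSizes precedes the data directories (offset 92 / 108).
    ndirs_off = opt + (108 if pe32plus else 92)
    (ndirs,) = struct.unpack_from("<I", data, ndirs_off)
    sec_off = sec_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # For the security directory the first field is a raw file offset, not an RVA.
        sec_off, sec_size = struct.unpack_from(
            "<II", data, ndirs_off + 4 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    findings = []
    if not dllchars & NX_COMPAT:
        findings.append(("CHECK_NX", "critical"))
    if not dllchars & DYNAMIC_BASE:
        findings.append(("CHECK_PIE", "high"))
    if sec_size == 0:
        findings.append(("CHECK_AUTHENTICODE", "high"))
    return {
        "pe32plus": pe32plus,
        "machine": machine,
        "dll_characteristics": dllchars,
        "security_dir": (sec_off, sec_size),
        "findings": findings,
    }


def build_headers(dll_characteristics: int, cert_table_size: int, pe32plus: bool = False) -> bytes:
    """Constructed test input: a bare DOS + COFF + optional header with no sections."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)   # e_lfanew: PE signature right after the DOS header
    opt_size = 240 if pe32plus else 224     # standard sizes with 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    ndirs_off = 108 if pe32plus else 92
    struct.pack_into("<I", opt, ndirs_off, 16)
    struct.pack_into("<II", opt, ndirs_off + 4 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     0x1000 if cert_table_size else 0, cert_table_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_headers(0, 0)
    for finding, severity in check_pe(data)["findings"]:
        print(f"{finding:20s} {severity}")
```

Two caveats when reading the result. A non-zero certificate table only says a signature blob is present; whether it verifies against a trusted chain needs a real Authenticode check (signtool, osslsigncode or Get-AuthenticodeSignature), and unsigned is the expected state for this sample. Missing DYNAMIC_BASE and NX_COMPAT is also common for binaries built with older Delphi toolchains, which fits the Borland/Delphi YARA and TrID matches on this page, so treat those two findings as a hardening gap rather than as evidence of tampering.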
