MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 96706413d992b883ae553201150a265a0c35e3a5e8f89cdf8e7ab414134a49fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 96706413d992b883ae553201150a265a0c35e3a5e8f89cdf8e7ab414134a49fc
SHA3-384 hash: e9f0bf5e9305602aecb3ba230ad90dc02c636c7d9f62e05fe59ee42dfff20cc3e385ba044fc7b90845711c9c3403ff0f
SHA1 hash: 73283af8f980c6cd862f9debc7b9e59a38253743
MD5 hash: 387fa1e2bbdb422bca43db0283a99670
humanhash: triple-papa-connecticut-red
File name:Confirmarea comenzii.exe
Download: download sample
Signature DBatLoader
Create hunting rule
File size:2'713'600 bytes
First seen:2023-11-08 08:15:11 UTC
Last seen:2023-11-08 10:42:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cd4c9aaa1a9827538687e74814589bd (10 x DBatLoader, 1 x Formbook)
ssdeep 49152:7xWIu4XYOtRwohuzcMwF5yNkr+eHlBJ/k2ID2A9RC0d3:7UIkOAxcMEyNkrzpDxe
TLSH T156C5E133E25120B3D276893EEC1A5664183ABA713D1C6743BF973D6C1E345B4BA172B2
TrID 36.1% (.SCR) Windows screen saver (13097/50/3)
29.0% (.EXE) Win64 Executable (generic) (10523/12/4)
12.4% (.EXE) Win32 Executable (generic) (4505/5/1)
5.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
5.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 74f4d4d4cc8cdcc4 (12 x DBatLoader, 1 x Formbook)
Reporter abuse_ch
Tags:DBatLoader exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
304
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Confirmarea comenzii.exe
Verdict:
Malicious activity
Analysis date:
2023-11-08 09:00:06 UTC
Tags:
dbatloader
Link:
https://app.any.run/tasks/ce6fe4aa-9f6a-4497-82ec-a8a4a049c251

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.9106.27188.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Gathering data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control greyware keylogger lolbin overlay packed replace
Link:
https://www.filescan.io/uploads/654b43db946b6ab2245b38fe/reports/3a78b4df-45de-429e-865f-ca305550c1d8/overview
Verdict:
Malicious
Labled as:
Barys.Generic
Link:
https://www.hybrid-analysis.com/sample/96706413d992b883ae553201150a265a0c35e3a5e8f89cdf8e7ab414134a49fc
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
IEInspector Software
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/0558c0fe-73ff-465c-9b5a-e064c0de6cff
Result
Threat name:
DBatLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1338906
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses netstat to query active network connections and open ports
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1338906 Sample: Confirmarea_comenzii.exe Startdate: 08/11/2023 Architecture: WINDOWS Score: 100 43 www.visawe.online 2->43 45 www.themesterofsuepnse.rest 2->45 47 14 other IPs or domains 2->47 61 Snort IDS alert for network traffic 2->61 63 Multi AV Scanner detection for domain / URL 2->63 65 Malicious sample detected (through community Yara rule) 2->65 67 6 other signatures 2->67 12 Confirmarea_comenzii.exe 1 2 2->12         started        signatures3 process4 file5 41 C:\Users\Public\Libraries\Zfkdicvo.PIF, PE32 12->41 dropped 79 Drops PE files with a suspicious file extension 12->79 81 Writes to foreign memory regions 12->81 83 Allocates memory in foreign processes 12->83 85 Injects a PE file into a foreign processes 12->85 16 colorcpl.exe 2 12->16         started        signatures6 process7 signatures8 55 Maps a DLL or memory area into another process 16->55 57 Sample uses process hollowing technique 16->57 59 Queues an APC in another process (thread injection) 16->59 19 bTAVknzipvqlGCUJMOuiaD.exe 16->19 injected process9 process10 21 NETSTAT.EXE 13 19->21         started        signatures11 69 Tries to steal Mail credentials (via file / registry access) 21->69 71 Tries to harvest and steal browser information (history, passwords, etc) 21->71 73 Writes to foreign memory regions 21->73 75 3 other signatures 21->75 24 explorer.exe 10 4 21->24 injected 28 firefox.exe 21->28         started        process12 dnsIp13 49 www.78669vip.com 156.234.20.4, 49734, 49735, 49736 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles 24->49 51 www.christmatoy.com 79.98.25.1, 49730, 49731, 49732 RACKRAYUABRakrejusLT Lithuania 24->51 53 7 other IPs or domains 24->53 77 System process connects to network (likely due to code injection or exploit) 24->77 30 Zfkdicvo.PIF 24->30         started        33 Zfkdicvo.PIF 24->33         started        signatures14 process15 signatures16 87 Multi AV Scanner detection for dropped file 30->87 89 Writes to foreign memory regions 30->89 91 Allocates memory in foreign processes 30->91 93 Injects a PE file into a foreign processes 30->93 35 SndVol.exe 30->35         started        37 colorcpl.exe 33->37         started        39 WerFault.exe 33->39         started        process17
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/96706413d992b883ae553201150a265a0c35e3a5e8f89cdf8e7ab414134a49fc
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/96706413d992b883ae553201150a265a0c35e3a5e8f89cdf8e7ab414134a49fc/
Threat name:
Win32.Trojan.ModiLoader
Create hunting rule
Status:
Malicious
First seen:
2023-11-08 06:28:53 UTC
File Type:
PE (Exe)
Extracted files:
48
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=szygie6zsk4ihlsvgiarkcrgligdly5f5d4jzx4opk2bie2kjh6a._file
Verdict:
malicious
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader persistence trojan
Link:
https://tria.ge/reports/231108-j56fmshg49/
Behaviour
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
ModiLoader Second Stage
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
MD5 hash:
c116d3604ceafe7057d77ff27552c215
SHA1 hash:
452b14432fb5758b46f2897aeccd89f7c82a727d
Link:
https://www.unpac.me/results/84ed15a5-9736-44bd-87f8-799f589aa32f/
SH256 hash:
150de73f8455e11abf5c2c2b776560d9da43324a7cc7abd84b1eaf113d98a0af
MD5 hash:
e34cd1c5a96898acdfcec72c613df292
SHA1 hash:
1e89b97f1325565403045fb67f5796573dfc8807
Link:
https://www.unpac.me/results/84ed15a5-9736-44bd-87f8-799f589aa32f/
SH256 hash:
5a4f8f7e7ecd6e79efdb0345991996d3b61c5d84e643f206655ff52be8278902
MD5 hash:
f720d41f0bfd5363a05fee1b1cc33613
SHA1 hash:
153bbf934e1a75bd40a983447a9e05b6585a2675
Link:
https://www.unpac.me/results/84ed15a5-9736-44bd-87f8-799f589aa32f/
SH256 hash:
96706413d992b883ae553201150a265a0c35e3a5e8f89cdf8e7ab414134a49fc
MD5 hash:
387fa1e2bbdb422bca43db0283a99670
SHA1 hash:
73283af8f980c6cd862f9debc7b9e59a38253743
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/84ed15a5-9736-44bd-87f8-799f589aa32f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DBatLoader
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/96706413d992b883ae553201150a265a0c35e3a5e8f89cdf8e7ab414134a49fc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments