MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 980ca560bfecf5e6e629612390fb3210a9767c64574ef1afd18fc5f310634d29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DBatLoader

Vendor detections: 13

Intelligence 13 IOCs YARA 8 File information Comments

SHA256 hash:	980ca560bfecf5e6e629612390fb3210a9767c64574ef1afd18fc5f310634d29
SHA3-384 hash:	13b3c6224843ed8494bc0bdbd58ffa750c0e3293fe0fe16ec8976ea7238a04a0a38e5b9ba6a7142dd5a7e149fd80ba94
SHA1 hash:	d888950686cf246a5e29a8db79014a0d8680f056
MD5 hash:	885b30bae5152a5857afed3ee0a20486
humanhash:	bakerloo-shade-magnesium-magazine
File name:	PROCUREMENT ADVICE AND ORDER.exe
Download:	download sample
Signature	DBatLoader Create hunting rule
File size:	1'362'944 bytes
First seen:	2024-12-19 06:53:19 UTC
Last seen:	2025-01-10 14:52:10 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	2e10263a01b85d4d1c064ae3be7c8027 (1 x RemcosRAT, 1 x DBatLoader, 1 x Formbook)
ssdeep	24576:TS1gzTBokW3THfYl7JTOs1r7FX2DOfqDrKfK8r/4mSwhOSqR:TtTiq973f
Threatray	54 similar samples on MalwareBazaar
TLSH	T1BC55AE13939247A1D8355C706BDE69E65A1CBF20AF74D4361FD0BF4C8F39A4064ABE22
TrID	41.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 31.2% (.EXE) InstallShield setup (43053/19/16) 10.2% (.EXE) Win32 Executable Delphi generic (14182/79/4) 7.6% (.EXE) Win64 Executable (generic) (10522/11/4) 3.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
File icon (PE):
dhash icon	c4a4400300040404 (1 x RemcosRAT, 1 x DBatLoader, 1 x Formbook)
Reporter	abuse_ch
Tags:	DBatLoader exe

Intelligence

File Origin

# of uploads :

# of downloads :

388

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PROCUREMENT ADVICE AND ORDER.exe

Verdict:

No threats detected

Analysis date:

2024-12-19 07:06:15 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/bda159c8-4021-4bc4-a4a4-b98425f60ac7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.MalwareX-gen.18980.5055.UNOFFICIAL

Verdict:

Malicious

Score:

98.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6763c311653a8698dfdadb3d

Tags:

delphi emotet

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

adaptive-context borland_delphi fingerprint keylogger masquerade packed packed packer_detected

Link:

https://www.filescan.io/uploads/6763c31021bbe1761ca694d0/reports/93156b16-709e-4303-a16c-0021f94af77a/overview

Verdict:

Malicious

Labled as:

Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/980ca560bfecf5e6e629612390fb3210a9767c64574ef1afd18fc5f310634d29

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/56217889-fd15-406a-9ad0-d0e14d891bb1

Result

Threat name:

DBatLoader

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1578036

Signature

AI detected suspicious sample

Allocates many large memory junks

Antivirus / Scanner detection for submitted sample

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Found potential dummy code loops (likely to delay analysis)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected DBatLoader

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/980ca560bfecf5e6e629612390fb3210a9767c64574ef1afd18fc5f310634d29

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/980ca560bfecf5e6e629612390fb3210a9767c64574ef1afd18fc5f310634d29/

Threat name:

Win32.Trojan.ModiLoader

Status:

Malicious

First seen:

2024-12-18 07:54:24 UTC

File Type:

PE (Exe)

Extracted files:

103

AV detection:

25 of 38 (65.79%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tagkkyf75t26nzrjmerzb6zsccuxm7dek5hpdl6rr7c7geddjuuq._file

Verdict:

malicious

Label(s):

dbatloader

DBatLoader

406044ba7e007830321b3669505774b9e282502ac958f0cd723e5106c33c4180

DBatLoader

4390ad0a5bd9184058cc6e2fbe64f896f71b0f0e95c27d8769837c6f979b11db

DBatLoader

63c77a3f6cfa94cbc6a4c0c1475f02520592e58d6a03e8553e77a85a3f03c32f

DBatLoader

980ca560bfecf5e6e629612390fb3210a9767c64574ef1afd18fc5f310634d29

DBatLoader

b9803b83ed42e8f63e73719cfffeff30ecfabeca676a3a04a087754e2608a1c5

DBatLoader

error

DBatLoader

fe7ea8656ae589525068edd43cf85db43801652e5bdd8f4053778aba6602de95

DBatLoader

+ 44 additional samples on MalwareBazaar

Result

Malware family:

modiloader

Score:

10/10

Tags:

family:modiloader discovery trojan

Link:

https://tria.ge/reports/241219-hn8zrstrcr/

Behaviour

System Location Discovery: System Language Discovery

ModiLoader Second Stage

ModiLoader, DBatLoader

Modiloader family

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/e5101693-bcc1-4777-be7c-b48fcd158e80

Unpacked files

SH256 hash:

875c4f442b564542317a1e59da938fd4328e1b5e8506aeda9156514e6dc85cbe

MD5 hash:

1b4fa5905697db1ac81c9feb0e20a280

SHA1 hash:

ee5de783b8b6e6d0ac8bd0c93ae24678e992195f

Detections:

Typical_Malware_String_Transforms

Link:

https://www.unpac.me/results/dadcde25-0274-48c4-b9e9-da4c1afd3090/

Parent samples :

b9803b83ed42e8f63e73719cfffeff30ecfabeca676a3a04a087754e2608a1c5
4390ad0a5bd9184058cc6e2fbe64f896f71b0f0e95c27d8769837c6f979b11db
980ca560bfecf5e6e629612390fb3210a9767c64574ef1afd18fc5f310634d29
406044ba7e007830321b3669505774b9e282502ac958f0cd723e5106c33c4180
63c77a3f6cfa94cbc6a4c0c1475f02520592e58d6a03e8553e77a85a3f03c32f
baa12b649fddd77ef62ecd2b3169fab9bb5fbe78404175485f9a7fb48dc4456d

SH256 hash:

980ca560bfecf5e6e629612390fb3210a9767c64574ef1afd18fc5f310634d29

MD5 hash:

885b30bae5152a5857afed3ee0a20486

SHA1 hash:

d888950686cf246a5e29a8db79014a0d8680f056

Link:

https://www.unpac.me/results/dadcde25-0274-48c4-b9e9-da4c1afd3090/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BobSoftMiniDelphiBoBBobSoft Create hunting rule
Author:	malware-lu

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	RansomPyShield_Antiransomware Create hunting rule
Author:	XiAnzheng
Description:	Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)

Rule name:	reverse_http Create hunting rule
Author:	CD_R0M_
Description:	Identify strings with http reversed (ptth)

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance ole32.dll::CreateStreamOnHGlobal
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CloseHandle kernel32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryExA kernel32.dll::LoadLibraryA kernel32.dll::GetDriveTypeA kernel32.dll::GetVolumeInformationA kernel32.dll::GetStartupInfoA kernel32.dll::GetDiskFreeSpaceA
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateFileA kernel32.dll::FindFirstFileA version.dll::GetFileVersionInfoSizeA version.dll::GetFileVersionInfoA
WIN_BASE_USER_API	Retrieves Account Information	kernel32.dll::QueryDosDeviceA
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryValueExA
WIN_USER_API	Performs GUI Actions	user32.dll::ActivateKeyboardLayout user32.dll::CreateMenu user32.dll::FindWindowA user32.dll::PeekMessageA user32.dll::PeekMessageW user32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample