MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9a6b3814d1571fd30961206eb15d3affec6486b2ce1aa144d6f3a7854cecad60. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9a6b3814d1571fd30961206eb15d3affec6486b2ce1aa144d6f3a7854cecad60
SHA3-384 hash: 65440e26487e7a6b36a8c056b9b6496d385dd67b1af304e13a04dc9f8b42798de87db5a4d3b4bd1accba8d9642178e1f
SHA1 hash: 821b698a5ff5285cab17f8a139307cd30ad183a1
MD5 hash: 0ecdae9fca6925995ec4a3db95462410
humanhash: nebraska-avocado-mississippi-jig
File name:Potvrda narudzbe. RS0324452672.exe
Download: download sample
Signature DBatLoader
Create hunting rule
File size:966'144 bytes
First seen:2022-08-03 07:50:38 UTC
Last seen:2022-08-08 08:07:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5f2a5ba208506b49b681af6fe077e44e (6 x DBatLoader, 1 x ModiLoader)
ssdeep 24576:Jeq1bWjPd8Y5Q0MFxdNLdFRlz8d52Ep8r6U:JeLValFoor1
Threatray 14'525 similar samples on MalwareBazaar
TLSH T188259E25B2918437D1A31A385D1B93F89827BE542E3494856BED3E8C5F3B3603E753A3
TrID 68.5% (.OCX) Windows ActiveX control (116521/4/18)
8.3% (.EXE) Win32 Executable Delphi generic (14182/79/4)
7.7% (.SCR) Windows screen saver (13101/52/3)
6.1% (.EXE) Win64 Executable (generic) (10523/12/4)
2.6% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 33f0d8f6b694d031 (6 x DBatLoader, 1 x Formbook, 1 x ModiLoader)
Reporter cocaman
Tags:DBatLoader exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
301
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Potvrda narudzbe. RS0324452672.exe
Verdict:
Malicious activity
Analysis date:
2022-08-03 08:01:11 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/28592f2e-5720-412a-a15f-2137e6cb28bd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/296105/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Stealer.12c.10827.31655.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Launching cmd.exe command interpreter
Creating a process with a hidden window
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger packed
Link:
https://www.filescan.io/uploads/62ea28ead40ca366615abf5f/reports/3cd56eda-ff62-4bdf-8b4a-65a1d869ace3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2d4fceb4-3ffd-4da2-80bb-54effa57a5a5
Result
Threat name:
DBatLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1045455
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 677949 Sample: Potvrda narudzbe. RS0324452... Startdate: 03/08/2022 Architecture: WINDOWS Score: 100 29 www.68135.online 2->29 31 www.77777.store 2->31 39 Multi AV Scanner detection for domain / URL 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 3 other signatures 2->45 11 Potvrda narudzbe. RS0324452672.exe 15 2->11         started        signatures3 process4 dnsIp5 33 l-0003.l-dc-msedge.net 13.107.43.12, 443, 49763, 49766 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 11->33 35 onedrive.live.com 11->35 37 2 other IPs or domains 11->37 53 Writes to foreign memory regions 11->53 55 Allocates memory in foreign processes 11->55 57 Creates a thread in another existing process (thread injection) 11->57 59 Injects a PE file into a foreign processes 11->59 15 cmd.exe 1 11->15         started        signatures6 process7 signatures8 61 Modifies the context of a thread in another process (thread injection) 15->61 63 Maps a DLL or memory area into another process 15->63 65 Sample uses process hollowing technique 15->65 67 2 other signatures 15->67 18 explorer.exe 15->18 injected 20 conhost.exe 15->20         started        process9 process10 22 WWAHost.exe 18->22         started        signatures11 47 Modifies the context of a thread in another process (thread injection) 22->47 49 Maps a DLL or memory area into another process 22->49 51 Tries to detect virtualization through RDTSC time measurements 22->51 25 cmd.exe 1 22->25         started        process12 process13 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9a6b3814d1571fd30961206eb15d3affec6486b2ce1aa144d6f3a7854cecad60/
Threat name:
Win32.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2022-08-02 18:10:36 UTC
File Type:
PE (Exe)
Extracted files:
43
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tjvtqfgrk4p5gclbebxlcxj277wgjbvszynkcrgw6otykthmvvqa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
6fd7a41af249df56ac2cc4f2b9175421c9ffa25b71c759657a24a97296bd3bd8
DBatLoader
79efff3c21df7739b3bf710f18e7ab3c90ae86e0a189f494a59b1cecc2b2b7bc
DBatLoader
a7d2dcd22de6c9f87960fbad826eafd2a0f300a9a5844d72c39497375020ae47
DBatLoader
aa38c8327df5d1755de504ea0eccf988a34c786d80f0becb3e99491527289089
DBatLoader
b4b64ed30a8c7d548863ab6413f5cde17febc786cb803506e64441c0c2a510ab
DBatLoader
d4e437669746f9e7b805c76df906b7b1ed0aeca2dafb7249e8535aae116e1b6a
DBatLoader
+ 14'515 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:xloader campaign:euv4 loader rat trojan
Link:
https://tria.ge/reports/220803-jpt3nsgff3/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
ModiLoader Second Stage
Xloader payload
ModiLoader, DBatLoader
Xloader
Unpacked files
SH256 hash:
df5188834ad47e3f01711c40fa863a1117e26df67fbe7bb116d9f3721dd4449e
MD5 hash:
6381d1e28338c4262a7bbe4e1f3fc66d
SHA1 hash:
8f8ab1deb41db7a0a74ef63dafe9b51a8e02e68c
Link:
https://www.unpac.me/results/36a778a8-d9ff-4972-bc53-a3b3769ca880/
SH256 hash:
9a6b3814d1571fd30961206eb15d3affec6486b2ce1aa144d6f3a7854cecad60
MD5 hash:
0ecdae9fca6925995ec4a3db95462410
SHA1 hash:
821b698a5ff5285cab17f8a139307cd30ad183a1
Link:
https://www.unpac.me/results/36a778a8-d9ff-4972-bc53-a3b3769ca880/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9a6b3814d157/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9a6b3814d1571fd30961206eb15d3affec6486b2ce1aa144d6f3a7854cecad60

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DBatLoader

zip 4e28ee862341cc547ed747d3b33502f28c7fc6f59a076519345e419807d733a8

DBatLoader

Executable exe 9a6b3814d1571fd30961206eb15d3affec6486b2ce1aa144d6f3a7854cecad60

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 4e28ee862341cc547ed747d3b33502f28c7fc6f59a076519345e419807d733a8
Cape
Cape
https://www.capesandbox.com/analysis/296105/
  
Dropped by
MD5 af30b124bc87c14dd6725b536f42296a

Comments