MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ad8cc5c8b88690a6a57096c475f5463a52c357f3c7fe3f8b41f3fa7830de7b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DBatLoader

Vendor detections: 15

Intelligence 15 IOCs YARA File information Comments

SHA256 hash:	9ad8cc5c8b88690a6a57096c475f5463a52c357f3c7fe3f8b41f3fa7830de7b8
SHA3-384 hash:	215834f677f787b8e5cbf74e1a53748486c4c87feb15543c35ab66c42fd64e8632deb69f68516098b4e914272d2fe7fd
SHA1 hash:	d5283886f1e16191eef12a1fd450b940ae4587d8
MD5 hash:	dfea6e8eee2e4ae2e3df115696904386
humanhash:	potato-lemon-nine-twelve
File name:	Popis nove narudzbe u prilogu.exe
Download:	download sample
Signature	DBatLoader Create hunting rule
File size:	680'960 bytes
First seen:	2022-08-22 06:19:36 UTC
Last seen:	2022-08-22 09:35:03 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	efadce79e5ca7683e5d4297b48c3e366 (3 x DBatLoader, 1 x Formbook)
ssdeep	12288:JJv4Exdl+xPS9zFdqQxN42zvM/bgiXqYaSBW4:J54wUJSl3r42TAbgq44
TLSH	T14AE48D72A991C0F3E3762538AD5B92346529BE50E9295C4D36DC7E4CBB383903C1AEC3
TrID	68.5% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58) 27.0% (.EXE) Win32 Executable Borland Delphi 6 (262638/61) 1.4% (.EXE) Win32 Executable Delphi generic (14182/79/4) 1.3% (.SCR) Windows screen saver (13101/52/3) 0.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b2b1716cccce9c98 (3 x DBatLoader, 1 x Formbook)
Reporter	lowmal3
Tags:	DBatLoader exe

Intelligence

File Origin

# of uploads :

# of downloads :

270

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

Popis nove narudzbe u prilogu.exe

Verdict:

Malicious activity

Analysis date:

2022-08-22 06:20:58 UTC

Tags:

formbook trojan stealer

Link:

https://app.any.run/tasks/d4694d3a-130d-4943-9bf3-4c7ef368fe72

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/300134/

Detection(s):

SecuriteInfo.com.Downloader-FCIV0174847A0879.30531.31657.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

Sending a custom TCP request

DNS request

Launching cmd.exe command interpreter

Creating a process with a hidden window

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/29630/overview

Behaviour

MalwareBazaar

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

keylogger overlay zusy

Link:

https://www.filescan.io/uploads/63032059393b1c8c4702d943/reports/57e3a825-af83-45dc-a147-fa05b9ed8c60/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/93c30658-74e0-4e61-8fcf-8f4fcfdeac8a

Result

Threat name:

DBatLoader

Detection:

malicious

Classification:

troj

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/1055312

Signature

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Multi AV Scanner detection for submitted file

Yara detected DBatLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9ad8cc5c8b88690a6a57096c475f5463a52c357f3c7fe3f8b41f3fa7830de7b8/

Threat name:

Win32.Trojan.Zusy

Status:

Malicious

First seen:

2022-08-19 23:42:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tlmmyxelrbuqu2sxbfweox2umossynl7hr76h6fud472payn464a._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

xloader

Score:

10/10

Tags:

family:modiloader family:xloader campaign:euv4 loader persistence rat trojan

Link:

https://tria.ge/reports/220822-g3rtcscacj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

Checks computer location settings

Xloader payload

ModiLoader, DBatLoader

Xloader

Unpacked files

SH256 hash:

033563ec8c3a1421d4c88b294f39d4636a3d391c9c730be8f5cabb95f0722a35

MD5 hash:

fccb58c661ea686cd4f40d307dff9ae3

SHA1 hash:

1fa63ddc403c4754379da06aa34c29f08c9667d0

Detections:

win_dbatloader_g1

Link:

https://www.unpac.me/results/9700b036-9d25-49f2-838f-3d875324f33a/

Parent samples :

6339c766a4dc8aa6922bc9b4ff3baabac8691ea29f11428a6cd48c1b9302f7b6
aabc8f775c58a95c36f370039a5ba9d30f6bf981c665d58bb32babe9368a22e3
8545a266a50d8b5dc65790c7ce2b6d74f89641c731d53b44bc5b89cd143c3303
9ad8cc5c8b88690a6a57096c475f5463a52c357f3c7fe3f8b41f3fa7830de7b8

SH256 hash:

9ad8cc5c8b88690a6a57096c475f5463a52c357f3c7fe3f8b41f3fa7830de7b8

MD5 hash:

dfea6e8eee2e4ae2e3df115696904386

SHA1 hash:

d5283886f1e16191eef12a1fd450b940ae4587d8

Link:

https://www.unpac.me/results/9700b036-9d25-49f2-838f-3d875324f33a/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9ad8cc5c8b88/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9ad8cc5c8b88690a6a57096c475f5463a52c357f3c7fe3f8b41f3fa7830de7b8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DBatLoader

exe 9ad8cc5c8b88690a6a57096c475f5463a52c357f3c7fe3f8b41f3fa7830de7b8

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/300134/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample