MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a3c849f16457f5e170e594c7ca0a2fbb12d9e144e83e51d93f4fab8d62a5de82. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a3c849f16457f5e170e594c7ca0a2fbb12d9e144e83e51d93f4fab8d62a5de82
SHA3-384 hash: 8acd1432c8426e90627cb3f612954f986830df98317f91fc655af59a91313f0ba83d765c2423b40077c12e3b764c8358
SHA1 hash: f9d61407ef2d37bb7b259a70b1b5ec9c313adb4f
MD5 hash: 1e0694e3069baf2913afecda1719d383
humanhash: white-montana-december-sodium
File name:SecuriteInfo.com.FileRepMalware.12579.397
Download: download sample
Signature DBatLoader
Create hunting rule
File size:1'010'688 bytes
First seen:2023-10-16 11:50:54 UTC
Last seen:2023-10-23 17:25:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 003d3d12d28525a81de6bbbfc27b008c (5 x DBatLoader, 1 x Formbook, 1 x Loki)
ssdeep 24576:PKEbMgZ1x1BaPhO/TvtcY6Rs7bvteS+BfKZ5puZP:iEogpU6T+Yoo5puZP
TLSH T14025B063E2920637D073C6346D47E36D5B297E342A7C384A6BE92C189F396853C1B397
TrID 84.9% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
4.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.2% (.SCR) Windows screen saver (13097/50/3)
2.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 70f0f0d4dcc8c8dc (4 x DBatLoader, 1 x Formbook, 1 x Loki)
Reporter SecuriteInfoCom
Tags:DBatLoader exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
291
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.FileRepMalware.12579.397
Verdict:
Malicious activity
Analysis date:
2023-10-16 12:05:17 UTC
Tags:
dbatloader rat remcos remote keylogger
Link:
https://app.any.run/tasks/0885310f-3138-41f7-8f6a-0ab3bd625be1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
ModiLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/454846/
Detection(s):
SecuriteInfo.com.FileRepMalware.12579.397.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control greyware keylogger lolbin masquerade packed replace
Link:
https://www.filescan.io/uploads/652d23a6a29a700213a3841f/reports/ae9dcef9-c72e-436f-80d6-76a0ca326224/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/a3c849f16457f5e170e594c7ca0a2fbb12d9e144e83e51d93f4fab8d62a5de82
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dbatloader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/977c4b38-3d1e-475a-92be-5e1509f5aea2
Result
Threat name:
DBatLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1326448
Signature
Adds a directory exclusion to Windows Defender
Allocates many large memory junks
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1326448 Sample: SecuriteInfo.com.FileRepMal... Startdate: 16/10/2023 Architecture: WINDOWS Score: 100 62 web.fe.1drv.com 2->62 64 ph-files.fe.1drv.com 2->64 66 3 other IPs or domains 2->66 74 Found malware configuration 2->74 76 Malicious sample detected (through community Yara rule) 2->76 78 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->78 80 5 other signatures 2->80 12 SecuriteInfo.com.FileRepMalware.12579.397.exe 1 7 2->12         started        16 Nettdavl.PIF 2->16         started        signatures3 process4 file5 56 C:\Users\Public\Libraries\netutils.dll, PE32+ 12->56 dropped 58 C:\Users\Public\Libraries\easinvoker.exe, PE32+ 12->58 dropped 60 C:\Users\Public\Libraries60ettdavl.PIF, PE32 12->60 dropped 106 Drops PE files with a suspicious file extension 12->106 108 Writes to foreign memory regions 12->108 110 Allocates memory in foreign processes 12->110 112 Allocates many large memory junks 12->112 18 colorcpl.exe 5 14 12->18         started        23 cmd.exe 1 12->23         started        114 Multi AV Scanner detection for dropped file 16->114 116 Injects a PE file into a foreign processes 16->116 25 SndVol.exe 16->25         started        signatures6 process7 dnsIp8 68 20.110.88.130, 49709, 6334 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 18->68 70 geoplugin.net 178.237.33.50, 49710, 80 ATOM86-ASATOM86NL Netherlands 18->70 54 C:\Users\user\plocaa.dat, data 18->54 dropped 82 Contains functionality to bypass UAC (CMSTPLUA) 18->82 84 Contains functionalty to change the wallpaper 18->84 86 Contains functionality to steal Chrome passwords or cookies 18->86 100 2 other signatures 18->100 88 Uses ping.exe to sleep 23->88 90 Drops executables to the windows directory (C:\Windows) and starts them 23->90 92 Uses ping.exe to check the status of other devices and networks 23->92 27 easinvoker.exe 23->27         started        29 PING.EXE 1 23->29         started        32 xcopy.exe 2 23->32         started        35 8 other processes 23->35 94 Contains functionality to modify clipboard data 25->94 96 DLL side loading technique detected 25->96 98 Contains functionality to steal Firefox passwords or cookies 25->98 file9 signatures10 process11 dnsIp12 37 cmd.exe 1 27->37         started        72 127.0.0.1 unknown unknown 29->72 50 C:\Windows \System32\easinvoker.exe, PE32+ 32->50 dropped 52 C:\Windows \System32\netutils.dll, PE32+ 35->52 dropped file13 process14 signatures15 102 Adds a directory exclusion to Windows Defender 37->102 40 cmd.exe 1 37->40         started        43 conhost.exe 37->43         started        process16 signatures17 104 Adds a directory exclusion to Windows Defender 40->104 45 powershell.exe 25 40->45         started        process18 signatures19 118 DLL side loading technique detected 45->118 48 conhost.exe 45->48         started        process20
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a3c849f16457f5e170e594c7ca0a2fbb12d9e144e83e51d93f4fab8d62a5de82
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a3c849f16457f5e170e594c7ca0a2fbb12d9e144e83e51d93f4fab8d62a5de82/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-10-16 07:42:09 UTC
File Type:
PE (Exe)
Extracted files:
44
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=upeet4lek726c4hfstd4ucrpxmjntyke5a7fdwj7j6vy2yvf32ba._file
Verdict:
malicious
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:mirror persistence rat trojan
Link:
https://tria.ge/reports/231016-nz5z5sea21/
Behaviour
Enumerates system info in registry
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
20.110.88.130:6334
Unpacked files
SH256 hash:
b84daaf8a74ca536da7ec9c2a72d418ebe2db4462b99d7ee69fbc4713ffc8930
MD5 hash:
e943ba5fb84c37030c0daf907c79825c
SHA1 hash:
d393d513939c6a4b1e5fb2598ef14ed424fcb9e2
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/89e3d741-bf30-4589-a1f7-0d65e09c3eed/
Parent samples :
a3c849f16457f5e170e594c7ca0a2fbb12d9e144e83e51d93f4fab8d62a5de82
f95d84bd16012696182588589d691c5eaa131d28b7dc53cad85d497d61dab85f
6b390b01eb98d6376430626d51e2745f1a4f57cf89b9b6cfb81f968d44af09c8
2b9f29f475b49afdcc26e603cc6ff6508ff3bd7666cd181a1e7c5fac231f677c
e329d4fdf3557b00cfd9044dbd12048077fcb6f8cdbaf1553308e292bf6a3707
9fd26cbae8d741263a304f7532107d61d6e78b91a1e551dc2822131dc70eddc0
f76b8555effde0257cd4c22e62e7aeb3c4f055bac15cc24c46de1292fe7b034f
035f5ee40a4986872d3480fa5d5e96e4dd56c0d1b93cd77a82cadce3283243e7
c9f192e7d1592bfc56e3209da73bbf5fb8a5fbcfcc2d492dbdddfc60c77a1d20
af2a5455f4de7136e90e94e7bee5ba398d01f09ab9d01ef32bb70e560030b650
4397154fc1574bb682c055e6c5cefd36155aa07928edce3593ef38cb975b1f0f
267f54dc36591c1746dba949c776e015c9c89be7a11f4c3ebf7ab0fb4510e0e3
129a9a2dbbd1c3f8c82b66d020ec59b82878ab94a30647902d80dbeb92f74878
4b45c80c13d9143811cacdda64ac2e4cab04fe6262e16cb813836fd244ff5b9c
13a14e45ca00f015b20954bfd7eed1a9eaf0a763da1d155e673e53d31821abb1
582cf4bb7c3f703cb6bbacd2bfa8a1d2f098ca11e0d0fddb8c1d8e812ddc2d69
5e9fb70e299a28b494b0ef9522226219e4dbf7dcf1aeae541f23eaa90ff3f28f
e4fbd0f46d093579c855bf711e874a5ba4e6f3ea047ae5964a08bfb1e762d4f6
204d5541a347bee64224d392403286271bc2351c50101e89b19e896f1756b389
48b290c2bfc5741616cef2f1904acebfc3366cfc99388f075aeb26100881ea98
f45307b5999dab601bb6371d4617cb7378d352e234f1df11b5ba41d779a90564
7a79cdd88f52bd9acdbe1b312bf1583e09827d58b293f53a3d261a654dcfb1df
04f083fb8b7b8ff01c98b972859d03db4de185f81877e180317792e2361043cf
85ca618bef7b97885f9f8c83a5abcb5afcafe9b6ffc3db6893a0dcdd61f6a891
53ac3a6c6aa59e943cff071d3100d55d826268f96e2366ddad3b32fe8c9b98e2
771af3e897f1d32625cdc3cf41d76dcfd21ae27994b721ae6c7cb82bcb284789
b1ca8bbed94ba2690e722c88c1af75082b8a4abf9d7f70206f986746aaa0eae2
39b4aba5e8641981ee7c36537c71403e038895c5699f172498fb99f51f994b85
6b1c7f3b04daf1250db40b85131f39811315781ca521135b7648f453bfbe55cf
22e384543598c8f6d4b45b6d19c09f23e08429a89bb3fe580b368c8aecb9663b
f742048a48e4d17061d323b8543db4e61163d13739ab9c18e8d1c85aef2ca7ff
7e0c562b58d5c2183c98af42b5ff6b6cee6d7d82ad89e773bf0ba9c7f67c04b4
14323b6d2d712b7cd421ca1f6c0d25343fbb7cb94144e338d7a042f0f421e3b7
96df4af7b51b4a03a7014169c0862ed5820d4326d217f5ef4e099c1667a8045d
c2f8b88850fcbc4df88e6708b12a265ed133ba04702f89ae9cf1da504c11bc6e
452fa0451a2bb4c555368aec8f070a3db895414d43e089af54431ebf89d50841
d9c05e4806384074097aabfbdd8965b3767d673f9032b06bed207fda7feccbd7
3ba6ce638dcb1c82a2d3096edcc46a1d5086b9233c4e8be471ba748af9d9b41a
b2a65a2aa1c5bed21112712762ddb73f254219e8037e57c984c1bcd65ad576a7
448a8114208fbb7d2e83c81d59bc262d6857937ec0bceeebda75ad978265b5dc
9dbe21429d77afca07940928b39d0e7c9d994ea9d10a651ccd5189d4522be1cf
cf9cebd5de732b485456f6de49e70b488fb4658c48af572b16b6b2943dfadd50
214d29953c8211d48c06ce4e16239920b4ed1e148428a9165dcfe184fd6ab619
2a347e81537122aca6656bd41eab07d8abd57d85684e71c877650c96963f9123
8282976c399101d48a2f46771f768d37f4de4124d00f4ba8f01d63d6ef935c1a
c016c2649684722dc1e308e080f1739f3314927b3c022f63ad7da9caacd79a63
ea854ab77631dbf87f8a69de2f865d33751dcd3fe5b0284c38e12de2f471a9a4
1868a740c4a9ad3f6df9ee149c74de5744e3488faa33bf3c9811882fbb5d76af
c6e6d9dd75af4dd8ec008e9dc75688b0325d31c822eef311783feaffff7c0dbb
SH256 hash:
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
MD5 hash:
c116d3604ceafe7057d77ff27552c215
SHA1 hash:
452b14432fb5758b46f2897aeccd89f7c82a727d
Link:
https://www.unpac.me/results/89e3d741-bf30-4589-a1f7-0d65e09c3eed/
SH256 hash:
a3c849f16457f5e170e594c7ca0a2fbb12d9e144e83e51d93f4fab8d62a5de82
MD5 hash:
1e0694e3069baf2913afecda1719d383
SHA1 hash:
f9d61407ef2d37bb7b259a70b1b5ec9c313adb4f
Link:
https://www.unpac.me/results/89e3d741-bf30-4589-a1f7-0d65e09c3eed/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a3c849f16457/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a3c849f16457f5e170e594c7ca0a2fbb12d9e144e83e51d93f4fab8d62a5de82

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/454846/

Comments