MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a6bc755db6d3b08decf7070cdcfc8f0d9448e7c306936bca52ea8b4cbdbacbc7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a6bc755db6d3b08decf7070cdcfc8f0d9448e7c306936bca52ea8b4cbdbacbc7
SHA3-384 hash: b501b07f5e6ffa450145f96d58c1b2e479fa809fa5871402b353422379e2b33e6adba543b7aeacd75f3f527b94f7ca98
SHA1 hash: 843c638df1fe7f15c4737ff89646b4b861e7b135
MD5 hash: 2b085a0ecc69a8f0cbd2c32c1f89e4d7
humanhash: jig-potato-social-lactose
File name:Purchase-Order26453784839.exe
Download: download sample
Signature DBatLoader
Create hunting rule
File size:966'144 bytes
First seen:2022-08-02 18:18:10 UTC
Last seen:2022-08-03 07:02:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5f2a5ba208506b49b681af6fe077e44e (6 x DBatLoader, 1 x ModiLoader)
ssdeep 24576:Jeq1bWjPd8Y5Q0MFxdNLdFRlz8d52Ep8rOU:JeLValFoorx
Threatray 17'914 similar samples on MalwareBazaar
TLSH T1A3258D36A2A0C437D0A32A749C0B57F89D27BE51293498462AED7E8C1F377613D713A7
TrID 68.5% (.OCX) Windows ActiveX control (116521/4/18)
8.3% (.EXE) Win32 Executable Delphi generic (14182/79/4)
7.7% (.SCR) Windows screen saver (13101/52/3)
6.1% (.EXE) Win64 Executable (generic) (10523/12/4)
2.6% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 33f0d8f6b694d031 (6 x DBatLoader, 1 x Formbook, 1 x ModiLoader)
Reporter GovCERT_CH
Tags:DBatLoader exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
383
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Purchase-Order26453784839.exe
Verdict:
Malicious activity
Analysis date:
2022-08-03 05:55:17 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/00de7a78-b9be-4147-af09-93ac04cee44a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/296007/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Stealer.12c.10827.31655.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending an HTTP GET request
Creating a file
Launching a process
Creating a process with a hidden window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
keylogger packed wacatac zusy
Link:
https://www.filescan.io/uploads/62e96ae1bcf76fcb6cdd3521/reports/5277c71e-eeb6-450e-b832-c28a411d120e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8573e998-12ae-45eb-a30d-e487fcea1c30
Result
Threat name:
DBatLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1045107
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 677607 Sample: Purchase-Order26453784839.exe Startdate: 02/08/2022 Architecture: WINDOWS Score: 100 46 Snort IDS alert for network traffic 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Antivirus detection for URL or domain 2->50 52 5 other signatures 2->52 9 Purchase-Order26453784839.exe 1 18 2->9         started        process3 dnsIp4 44 timajskema.ydns.eu 208.67.105.81, 49755, 49756, 49773 GRAYSON-COLLIN-COMMUNICATIONSUS United States 9->44 34 C:\Users\Public\Libraries\Bpfixx.exe, PE32 9->34 dropped 36 C:\Users\...\Bpfixx.exe:Zone.Identifier, ASCII 9->36 dropped 62 Writes to foreign memory regions 9->62 64 Allocates memory in foreign processes 9->64 66 Creates a thread in another existing process (thread injection) 9->66 68 Injects a PE file into a foreign processes 9->68 14 cleanmgr.exe 6 9->14         started        file5 signatures6 process7 signatures8 70 Modifies the context of a thread in another process (thread injection) 14->70 72 Maps a DLL or memory area into another process 14->72 17 explorer.exe 2 14->17 injected 20 WerFault.exe 14->20         started        22 WerFault.exe 14->22         started        process9 dnsIp10 38 192.168.2.1 unknown unknown 17->38 24 Bpfixx.exe 14 17->24         started        28 Bpfixx.exe 15 17->28         started        process11 dnsIp12 40 timajskema.ydns.eu 24->40 54 Multi AV Scanner detection for dropped file 24->54 56 Writes to foreign memory regions 24->56 58 Allocates memory in foreign processes 24->58 30 cleanmgr.exe 24->30         started        42 timajskema.ydns.eu 28->42 60 Creates a thread in another existing process (thread injection) 28->60 32 cleanmgr.exe 28->32         started        signatures13 process14
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a6bc755db6d3b08decf7070cdcfc8f0d9448e7c306936bca52ea8b4cbdbacbc7/
Threat name:
Win32.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2022-08-02 11:53:37 UTC
File Type:
PE (Exe)
Extracted files:
43
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u26hkxnw2oyi33hxa4gnz7epbwkerz6da2jwxsss5kfuzpn2zpdq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
09a7e10a1a6d589f868ad25906c6fe212c9d1bd68772f59f55fbb0b528e8ec8a
DBatLoader
23d18a124c44e1f80a9eed03f108139f21a9cbfe060b36211bf21c6cf7213a16
DBatLoader
3c4180a41539d6bb417287a3ef07eb27b1d14b46302514c37311ade6da6cb451
DBatLoader
51ae31774cff03dd6fcdfc5fbcd7e144348c248aaa5c27802b8865b6494a508a
DBatLoader
684782ca20359680b64b720ee81fbb5653fa3a13661c06c61c4a80af50fcdcb9
DBatLoader
70b0584e7af38f6a3df03120166a1378819bf596d6e5d5f1cf64cd3280b2ca61
DBatLoader
c4a35b4d76541563fe9c5d9fe44e552cce59fd02c1746938676c9d5aab6f5650
DBatLoader
c8fc44d1f9bae45933ba95a20f0aebf0e69f8304ea11a4346e610dfacc8ce049
DBatLoader
efc51781bc3e82733e68f330ce4905d57bd3188a3584faa693a18223f17ec7ff
DBatLoader
+ 17'904 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader persistence trojan
Link:
https://tria.ge/reports/220802-wx6snahgd2/
Behaviour
Gathers network information
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Enumerates connected drives
Checks computer location settings
ModiLoader Second Stage
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
df5188834ad47e3f01711c40fa863a1117e26df67fbe7bb116d9f3721dd4449e
MD5 hash:
6381d1e28338c4262a7bbe4e1f3fc66d
SHA1 hash:
8f8ab1deb41db7a0a74ef63dafe9b51a8e02e68c
Link:
https://www.unpac.me/results/fd255ed1-7f1c-4c0f-9770-791858ff209d/
SH256 hash:
a6bc755db6d3b08decf7070cdcfc8f0d9448e7c306936bca52ea8b4cbdbacbc7
MD5 hash:
2b085a0ecc69a8f0cbd2c32c1f89e4d7
SHA1 hash:
843c638df1fe7f15c4737ff89646b4b861e7b135
Link:
https://www.unpac.me/results/fd255ed1-7f1c-4c0f-9770-791858ff209d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a6bc755db6d3b08decf7070cdcfc8f0d9448e7c306936bca52ea8b4cbdbacbc7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DBatLoader

iso 498baff52ad2a419108074d90b6eb085afcc91ee2a881dd78aa37185779243d0

DBatLoader

Executable exe a6bc755db6d3b08decf7070cdcfc8f0d9448e7c306936bca52ea8b4cbdbacbc7

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/296007/
  
Dropped by
SHA256 498baff52ad2a419108074d90b6eb085afcc91ee2a881dd78aa37185779243d0
  
Dropped by
MD5 cd3aacfe675dfa4fccd2ccd50e52c6e7

Comments