MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9da7b242be8ba00f35c48183b953f5e792c948a57ed1043f6759a5b61f19d70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DBatLoader

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	a9da7b242be8ba00f35c48183b953f5e792c948a57ed1043f6759a5b61f19d70
SHA3-384 hash:	2da7920aef12c9b9b5ed1ca9faa305c491cacdb383dad2575883bd3f592cf4f33f8449c7f8e60a28154145a44751406d
SHA1 hash:	e730de71c59328b75efb6e84e849d510d36de2bb
MD5 hash:	d29a1333bcf7ee54fd018eade4ea9b6e
humanhash:	golf-december-ohio-enemy
File name:	Ktxjyphnzqtbbb.exe
Download:	download sample
Signature	DBatLoader Create hunting rule
File size:	1'434'624 bytes
First seen:	2022-12-07 18:35:06 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	070467b011c49b65754065ce0577d1f7 (2 x DBatLoader)
ssdeep	24576:xBZ4bu718KC7zwTt1XPb5BEVpFEJNhMhtrjxLF7Z//ronB:x8MOCx2hE7h+1lLFxMnB
Threatray	2'296 similar samples on MalwareBazaar
TLSH	T173659E13AD51883BC072197C8D4B92A7D4367D003AEB9C762AED7D8C6F39651383E267
TrID	44.6% (.EXE) InstallShield setup (43053/19/16) 14.7% (.EXE) Win32 Executable Delphi generic (14182/79/4) 13.5% (.SCR) Windows screen saver (13097/50/3) 10.9% (.EXE) Win64 Executable (generic) (10523/12/4) 4.6% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	1011d6aa2ad42001 (2 x DBatLoader)
Reporter	0xToxin
Tags:	DBatLoader exe

Intelligence

File Origin

# of uploads :

# of downloads :

263

Origin country :

Vendor Threat Intelligence

Malware family:

bitrat

ID:

File name:

Ktxjyphnzqtbbb.exe

Verdict:

Malicious activity

Analysis date:

2022-12-07 18:40:44 UTC

Tags:

installer trojan bitrat rat

Link:

https://app.any.run/tasks/f1c6b085-38ef-468e-babd-6b8a2953aab4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/344094/

Detection(s):

SecuriteInfo.com.W32.GenKryptik.FYXW.tr.6304.31089.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

DNS request

Sending a custom TCP request

Launching a process

Creating a process with a hidden window

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

keylogger packed

Link:

https://www.filescan.io/uploads/6390dd16f6e448d42df78d32/reports/115e5050-6792-4943-8f50-2e26c19d7627/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8fb62625-fe6c-450b-9c4f-44b640a10c2e

Result

Threat name:

BitRAT, DBatLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1130233

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Hides threads from debuggers

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Writes to foreign memory regions

Yara detected BitRAT

Yara detected DBatLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a9da7b242be8ba00f35c48183b953f5e792c948a57ed1043f6759a5b61f19d70/

Threat name:

Win32.Trojan.Tnega

Status:

Malicious

First seen:

2022-12-07 17:16:42 UTC

File Type:

PE (Exe)

Extracted files:

132

AV detection:

15 of 25 (60.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vhnhwjbl5c5ab424jamdxfj7lz4szfekk7wraq7wownfwyprtvya._file

Verdict:

malicious

DBatLoader

1a28af1d858e4d8650c914eb319c09d28a50c262ce42d236737f3d38a617c99c

DBatLoader

1f58e0127c25c0a356436a3c78bcf05de2afacff0cba41275972d25a4be0bbfd

DBatLoader

5b1f1843bbb992e3d5c635aa69d8409de4ae4d3f04cf19994d8e953e99cf451a

DBatLoader

7e9b9bbb673e25ab8ee790dbfd2a3e489c0d3a88ab73aafe671f68982f1b41da

DBatLoader

9b60c965a1425ff01954ce6a917cb4486d5af5cb36f538233139042ea324a64e

DBatLoader

ab9041fe7e0a4a439521d6eb01cc16d74c00a0427c86b067120ac453ba7329d9

DBatLoader

cc6e538004f2725145291a264b3f8d9835566c9950fcda9a11fc19d40fd44b26

DBatLoader

d40b7d79822917e150fd3975a74e643c736bf55fb7173df40494f8afab138da0

DBatLoader

eb77240415767631cd46725bf985bd034d5b005a939ea60785ebe2e45aa5541a

DBatLoader

+ 2'286 additional samples on MalwareBazaar

Result

Malware family:

modiloader

Score:

10/10

Tags:

family:modiloader trojan

Link:

https://tria.ge/reports/221207-w8xdcsag2z/

Behaviour

ModiLoader Second Stage

ModiLoader, DBatLoader

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/b1d848d6-b852-4943-af86-0cfdcefb899d

Unpacked files

SH256 hash:

5c90e87df09275cfcb46e0452d77e149f3fbc59d55bda76e62e6fa11ae1de693

MD5 hash:

ee94f46ed9b387ad243c36c1cb062686

SHA1 hash:

6e0c4dc795dec2dce9454fbb246afabffd2039fc

Detections:

win_dbatloader_g1

Link:

https://www.unpac.me/results/30ea9c8d-a820-49a8-820a-8b8008ae0f7f/

Parent samples :

4ef967caea627a1b9cd7f74d31584b69d76f8c532cee528e8815c4f70ae24aa7
dc35d3d87c8f062b000472a46ec166c5bf8f399f95c02717eab4ce542043afd7
bb01ebad742a61a5aee09777d88a01e627d29171513c335f52c57c41c7e41ef4
0dec26f0ed31eafa41f5141a4342f84f5245ba6d097904ed1fdb11a6df1ce606
c2c6eec67a1561c3a49179ddf756480876d92588c2e83d64246a04c3d724cb3d
f53107b892a50e33ff130e01cf391a2b69524dbe09b75cc13192365bbd6eda11
9c9b7deb6e3b6b7154fb858a101eb57d65b57e364840213823ce5c8e0be1653e
109ab3837f865b4ba288ca4a1fa4e8d416c04b3686376c55128553d4a4db55b5
1fdbc93a0a891ff9ca424bb90bd696140b5918583ad6e0f2fcce012640cde8dd
230b07866371131de12907f26f06a9cfa27762c499f93cae840c198ea9e46846
494e56903190304bab1c27786bd1f60aeaede9b478b2bca17474602414b82688
db399100d63fa87dbc5d6596d2c44749c0cee86ea45d7e81206277c9cdacb9f1
16ba74e590acbf2a285ae1e15864ef7cdeff576542f0f430ab83481ea52b729a
ffa9f3d0e3d4d29b10cba30fe3394d538b8c415e9c29cf36a56990e9204ec7bf
0305b3a95aff122c888a200de747a565208ea19494c8257b0c972084141f42c4
c84d9cb4b4e037cbaf9632d4cdd0f493d2c5e0b5f6308fe97f84f04b501155c8
a9da7b242be8ba00f35c48183b953f5e792c948a57ed1043f6759a5b61f19d70
e7298f63b0ee46b470e6c7323087e2af9fe4802ed93674d1408f10d03989a7f6
e6303d0730eaecd16e8a3becf77fce3d5da13155d2e27e102ecc2b700ad42814
105ffb0a1b83441a798498a4b1a535fce7f496304b39bd555f18df3678f19c13
ca13eac154ad479e2234deac0f07989db25e4d50c47cdc7f4f31dd7ab71dc087
03daa8dcea75f814b344785dc1f52222cd4461bccc17a35f032efe81e47d18be
6246a9212db799df597fe34bcbeeeb08dad116b7cf3cd4c8037d42d1d0b4256a
aaa28e71ec8aad860fdc9f517c151b85be433e142160341f2aa399d9c60d11cf
f974cf4bda9a65b7a2573726e3808c696f6a5e54b89f08807764d9ab2a06a5c1
b8002e076820615fe2b14369e7d258ff2984cd832a38de4f1450b84813b283c5
de8c5c01bab7e747f3cd3f276d7cf3c839600131987cbcfcd5314f9af6d64b05
7cec52ddbd0c2037de1b4ad9eedcbedbfc005cb558c7f326dcf66c800e7875f1
91dd17921c69af057a78759611885bb04ebc68a9ec38ca08067c496f9e76a241
b0d85d76e52034986c3d4e165a745c04b3af21d1c5692719d1b66bceafc76423
af5ecbd67c2195a72178b6b0a886715d4b28fd064717dd3193a477563c5be6b6
7a91675248e7d9891570e731b1dce694054d9db90f14bb4a74d5a9fd571af758
878257b5d411ceedf80fcab13183bd22ea6183a86c8d5a99a7ff08dd01567fc0
c4cd277e81aec420cdf23a0d5ebff50b0d64dd9c6b3b1942567c263032f64deb

SH256 hash:

a9da7b242be8ba00f35c48183b953f5e792c948a57ed1043f6759a5b61f19d70

MD5 hash:

d29a1333bcf7ee54fd018eade4ea9b6e

SHA1 hash:

e730de71c59328b75efb6e84e849d510d36de2bb

Link:

https://www.unpac.me/results/30ea9c8d-a820-49a8-820a-8b8008ae0f7f/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a9da7b242be8/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a9da7b242be8ba00f35c48183b953f5e792c948a57ed1043f6759a5b61f19d70

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/344094/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample