MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac3e8b42a550451d60e23bc3252ca7e8023e72b38fafd33a5e7357d11b212458. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DBatLoader

Vendor detections: 14

Intelligence 14 IOCs YARA 4 File information Comments

SHA256 hash:	ac3e8b42a550451d60e23bc3252ca7e8023e72b38fafd33a5e7357d11b212458
SHA3-384 hash:	c1bb6da24a3b250c0b8a0d2804b0a342186342f933074a9c5a1b46cdcd5a979e2a4826bd5e8f91791f344f84f7ec2c66
SHA1 hash:	3eef49c335472e5a2396073063165a4a0cebb1ec
MD5 hash:	53fc85222ee60d242321ebe675a09b51
humanhash:	winner-eighteen-don-victor
File name:	SecuriteInfo.com.Variant.Ser.Babar.6891.14596.12981
Download:	download sample
Signature	DBatLoader Create hunting rule
File size:	1'257'984 bytes
First seen:	2023-09-12 09:34:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	59eab0f115b3ea37d90660e2b73461ab (1 x DBatLoader, 1 x Formbook)
ssdeep	24576:ddDc3+XfJBHW4gHgSLCEYbrzaEGNg9vdXg:dAzNgRdXg
Threatray	18 similar samples on MalwareBazaar
TLSH	T141457D54A2934832E02B25FCCCC626E1686F3E543A24ED4D67B43C7BBE76755792802F
TrID	30.5% (.SCR) Windows screen saver (13097/50/3) 24.5% (.EXE) Win64 Executable (generic) (10523/12/4) 15.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 10.5% (.EXE) Win32 Executable (generic) (4505/5/1) 4.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):
dhash icon	64e0d4d6c4c6d0d4 (1 x DBatLoader, 1 x Formbook)
Reporter	SecuriteInfoCom
Tags:	DBatLoader exe

Intelligence

File Origin

# of uploads :

# of downloads :

297

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

SecuriteInfo.com.Variant.Ser.Babar.6891.14596.12981

Verdict:

Malicious activity

Analysis date:

2023-09-12 09:37:57 UTC

Tags:

dbatloader formbook xloader

Link:

https://app.any.run/tasks/23e7e57f-34c5-4516-a2b5-3d9628b27a73

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

ModiLoader

Link:

https://www.capesandbox.com/analysis/448125/

Detection(s):

SecuriteInfo.com.Variant.Ser.Babar.6891.14596.12981.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

DNS request

Sending a custom TCP request

Creating a file

Running batch commands

Creating a process with a hidden window

Launching a process

Searching for the window

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Gathering data

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

control keylogger lolbin replace

Link:

https://www.filescan.io/uploads/650030cd9bae8a378553a625/reports/9d8b38cf-1a53-4c29-ab4f-b66001f358ab/overview

Verdict:

Malicious

Labled as:

Ser.Babar.Generic

Link:

https://www.hybrid-analysis.com/sample/ac3e8b42a550451d60e23bc3252ca7e8023e72b38fafd33a5e7357d11b212458

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2abc0d44-470c-4bb5-96d3-c5cf62231b6a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ac3e8b42a550451d60e23bc3252ca7e8023e72b38fafd33a5e7357d11b212458/

Threat name:

Win32.Trojan.ModiLoader

Status:

Malicious

First seen:

2023-09-12 06:53:47 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 36 (52.78%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vq7iwqvfkbcr2yhchpbsklfh5abd44vtr6x5gos6onl5cgzberma._file

Verdict:

malicious

DBatLoader

56a3dc5c90ade897e349ba0fd0433770dcdda32b5bd2a1c6608b2af2f9b34c05

DBatLoader

5ccbfc6564f960202e0e34a71d067f4808fc644151323961b0300766f495996b

DBatLoader

63946c04c77ccb8f6f48057f0cd4495f7751192b0016c99669a0b6aea330d538

DBatLoader

7231c553f8e0564923177725ac2c747e54c9c35c951f44abead4859f8083d692

DBatLoader

8fa3e79856319c3ac7ff04639dcdbaec1ec7ce8c92e4a7aca8637751c84a247b

DBatLoader

d3f1d0c0e37e33ad600d209bd43d61a3e94b6bd2a5d87b63c53184d070ee1680

DBatLoader

ec2a93fc951dac56dd988691db138c94ea8cbd477127bf95c2a9483f602d6b1e

DBatLoader

+ 8 additional samples on MalwareBazaar

Result

Malware family:

modiloader

Score:

10/10

Tags:

family:modiloader trojan

Link:

https://tria.ge/reports/230912-lkdk8sbd6x/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

ModiLoader Second Stage

ModiLoader, DBatLoader

Unpacked files

SH256 hash:

cba4816de6e72d867e32efff1a2aec17fb05f32f522321696510e9ea7bfbf807

MD5 hash:

f63cb8a6dacfbd4f51c03ace6e0909fa

SHA1 hash:

d908d6f2785e4f8a3077a9a62b92fd54a4ebf46e

Detections:

win_dbatloader_g1

Link:

https://www.unpac.me/results/8c8f6025-2aa3-4ff7-a1f6-31e7ea7bae81/

Parent samples :

ac3e8b42a550451d60e23bc3252ca7e8023e72b38fafd33a5e7357d11b212458
a55705a5d4e2cf1e3d98b3081a2523c83c02b034f1b3dedcadc7731711863eb4
3f91df1694752e2393e88e98c63348a310db58b7665d6e9d2ec7b2e84344aeda
131a53178cbae4b360182b1b2913374dad6fb40423c1ce528874a720c053ec7d
95c4b78aa2574cc094f0ab1ca7fac7b2adef8123aab82680c1a88df43f5a282e
7d42baf12969f24e3f68e53b146b4f049c1f772396c2e68c1a18bf75e26992ad

SH256 hash:

7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

MD5 hash:

c116d3604ceafe7057d77ff27552c215

SHA1 hash:

452b14432fb5758b46f2897aeccd89f7c82a727d

Link:

https://www.unpac.me/results/8c8f6025-2aa3-4ff7-a1f6-31e7ea7bae81/

SH256 hash:

ac3e8b42a550451d60e23bc3252ca7e8023e72b38fafd33a5e7357d11b212458

MD5 hash:

53fc85222ee60d242321ebe675a09b51

SHA1 hash:

3eef49c335472e5a2396073063165a4a0cebb1ec

Link:

https://www.unpac.me/results/8c8f6025-2aa3-4ff7-a1f6-31e7ea7bae81/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ac3e8b42a550/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BobSoftMiniDelphiBoBBobSoft Create hunting rule
Author:	malware-lu

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/448125/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample