MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aea6835e1d8c9e5ba9c92e9e71d692c6777531fdfaaee0bbcd53d5e36eb2b8e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DBatLoader


Vendor detections: 16



SHA256 hash: aea6835e1d8c9e5ba9c92e9e71d692c6777531fdfaaee0bbcd53d5e36eb2b8e7
SHA3-384 hash: 332eeb3d98bbd979af238f0654363768017dc1f43f5ec6acdb8c7d810547017b03b1980584fa939ac866849140bfe1d4
SHA1 hash: 57b68abda0b9ecce8281cf109c3f631aa0799f6b
MD5 hash: 416cabd8d6419b8509ed3311426277a6
humanhash: maine-cat-september-comet
File name: Summon_From_SARS.exe
Signature: DBatLoader
File size: 1'877'504 bytes
First seen: 2023-11-26 08:33:49 UTC
Last seen: 2023-11-26 10:30:21 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5346a12dcb49c1d1cdae222f054ffa7b (6 x DBatLoader, 1 x RemcosRAT)
ssdeep: 49152:bee0SeGwcSGQfOvlzgzRlyYFT9xZdmPSw:blMGNQfywXFJQ
Threatray: 3'609 similar samples on MalwareBazaar
TLSH: T1A995E062DA620033E013A7BE592AA3615C397D972F10B6D5A9F43C584E7AFC43E1B173
TrID: 82.3% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
      4.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
      4.1% (.SCR) Windows screen saver (13097/50/3)
      3.1% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
      2.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon: 6ae096a9a9b28a8a (12 x DBatLoader, 2 x Formbook, 2 x RemcosRAT)
Reporter: abuse_ch
Tags: DBatLoader exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 304
Origin country: NL
Vendor Threat Intelligence
Malware family: formbook
ID: 1
File name: Summon_From_SARS.exe
Verdict: Malicious activity
Analysis date: 2023-11-26 08:35:54 UTC
Tags: dbatloader formbook xloader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Creating a window
Searching for synchronization primitives
Gathering data
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: control hook keylogger lolbin overlay packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: DBatLoader, FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates many large memory junks
Allocates memory in foreign processes
Antivirus detection for URL or domain
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Early bird code injection technique detected
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph: (graph rendering not reproduced here) Behavior Graph ID 1347892, Sample: Summon_From_SARS.exe, Startdate: 26/11/2023, Architecture: WINDOWS, Score: 100. The graph shows the sample dropping netutils.dll, easinvoker.exe and Lxqoxxyk.PIF under C:\Users\Public\Libraries\, copying easinvoker.exe and netutils.dll into "C:\Windows \System32\" (note the trailing space in the directory name), launching cmd.exe, PING.EXE, xcopy.exe, colorcpl.exe, SndVol.exe and xwizard.exe, injecting into WqPeFAuhVypcOop.exe, adding a Windows Defender directory exclusion via powershell.exe, and contacting www.wangbaomen23.xyz, www.vevo-verify.com, www.aquatic-organisms.info (23.82.12.36), inovaebook.online (162.240.81.18) and other domains.
Threat name: Win32.Trojan.ModiLoader
Status: Malicious
First seen: 2023-11-20 01:09:24 UTC
File Type: PE (Exe)
Extracted files: 49
AV detection: 24 of 37 (64.86%)
Threat level: 5/5
Result
Malware family: modiloader
Score: 10/10
Tags: family:modiloader persistence trojan
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
ModiLoader Second Stage
ModiLoader, DBatLoader
Unpacked files
SHA256 hash: 6ec7781e472a6827c1406a53ed4699407659bd57c33dd4ab51cabfe8ece6f23f
MD5 hash: 4e16693755f49730d0a57eda2f79151b
SHA1 hash: fbc7d8b01dc2c7d38c4d4d888217d2b59cf9220f
Detections: win_dbatloader_g1 MALWARE_Win_ModiLoader
Parent samples:
SHA256 hash: 7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
MD5 hash: c116d3604ceafe7057d77ff27552c215
SHA1 hash: 452b14432fb5758b46f2897aeccd89f7c82a727d
SHA256 hash: aea6835e1d8c9e5ba9c92e9e71d692c6777531fdfaaee0bbcd53d5e36eb2b8e7
MD5 hash: 416cabd8d6419b8509ed3311426277a6
SHA1 hash: 57b68abda0b9ecce8281cf109c3f631aa0799f6b
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BobSoftMiniDelphiBoBBobSoft
Author: malware-lu
Rule name: Borland
Author: malware-lu
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DBatLoader

Executable exe aea6835e1d8c9e5ba9c92e9e71d692c6777531fdfaaee0bbcd53d5e36eb2b8e7

(this sample)

Delivery method: Distributed via e-mail attachment