MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af2a5455f4de7136e90e94e7bee5ba398d01f09ab9d01ef32bb70e560030b650. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DBatLoader

Vendor detections: 17

Intelligence 17 IOCs YARA 3 File information Comments

SHA256 hash:	af2a5455f4de7136e90e94e7bee5ba398d01f09ab9d01ef32bb70e560030b650
SHA3-384 hash:	68d2bdd26367a4b681ebdec4d179a89217600109502ec9615420b53a9f23132351806eec1923013342f5b87a5ef6e63c
SHA1 hash:	7eec2005dd50ba68ec84c6b6b7e350e18eefc51c
MD5 hash:	ee67f8e5c473d7b541be90a0ee046f8d
humanhash:	utah-four-illinois-batman
File name:	PO9823.exe
Download:	download sample
Signature	DBatLoader Create hunting rule
File size:	1'262'592 bytes
First seen:	2023-10-22 17:49:54 UTC
Last seen:	2023-10-23 07:48:33 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	4df0e13d93cb581937cac481e3c87c38 (7 x DBatLoader, 1 x RemcosRAT)
ssdeep	24576:qeA4Puy3YeOyFbcA3l0xdapY2bwplPYlAQZlo/:q5cZ3BmdaG26ME/
TLSH	T16845AD22BED1AC33C5F3493C9F4BEFB4A91E3DF2192419A87ED5295C5A703503D9818A
TrID	86.8% (.EXE) Win32 Executable Borland Delphi 6 (262638/61) 4.6% (.EXE) Win32 Executable Delphi generic (14182/79/4) 4.3% (.SCR) Windows screen saver (13097/50/3) 1.4% (.EXE) Win32 Executable (generic) (4505/5/1) 0.6% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):
dhash icon	74f4d4d4cce4e8e0 (27 x AgentTesla, 19 x Formbook, 17 x DBatLoader)
Reporter	abuse_ch
Tags:	DBatLoader exe

Intelligence

File Origin

# of uploads :

# of downloads :

283

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

PO9823.exe

Verdict:

Malicious activity

Analysis date:

2023-10-22 17:54:20 UTC

Tags:

dbatloader stealer agenttesla

Link:

https://app.any.run/tasks/b246c9a3-57a5-4612-8fd1-2c6f9cbd1444

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.Siggen21.46311.26128.20262.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

DNS request

Sending a custom TCP request

Creating a file

Running batch commands

Creating a process with a hidden window

Launching a process

Creating a process from a recently created file

Using the Windows Management Instrumentation requests

Reading critical registry keys

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Stealing user critical data

Query of malicious DNS domain

Sending a TCP request to an infection source

Gathering data

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

control keylogger lolbin packed replace

Link:

https://www.filescan.io/uploads/653560cf5f371a3fc85ed026/reports/cfb24605-09fd-4800-baa9-94696da0292a/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/af2a5455f4de7136e90e94e7bee5ba398d01f09ab9d01ef32bb70e560030b650

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Dbatloader

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4e9d5731-3337-472d-9904-11ba06007e16

Result

Threat name:

AgentTesla, DBatLoader, RedLine, zgRAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1330118

Signature

.NET source code contains method to dynamically call methods (often used by packers)

Adds a directory exclusion to Windows Defender

Allocates many large memory junks

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

DLL side loading technique detected

Drops executables to the windows directory (C:\Windows) and starts them

Drops PE files with a suspicious file extension

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses process hollowing technique

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected DBatLoader

Yara detected RedLine Stealer

Yara detected zgRAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/af2a5455f4de7136e90e94e7bee5ba398d01f09ab9d01ef32bb70e560030b650

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/af2a5455f4de7136e90e94e7bee5ba398d01f09ab9d01ef32bb70e560030b650/

Threat name:

Win32.Trojan.Tnega

Status:

Malicious

First seen:

2023-10-19 12:10:39 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 38 (63.16%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=v4vfivpu3zytn2iostt35zn2hggqd4e2xhib54zlw4hfmabqwzia._file

Verdict:

malicious

Label(s):

agenttesla

Result

Malware family:

zgrat

Score:

10/10

Tags:

family:agenttesla family:modiloader family:zgrat keylogger persistence rat spyware stealer trojan

Link:

https://tria.ge/reports/231022-welprsdc96/

Behaviour

Enumerates system info in registry

Runs ping.exe

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Adds Run key to start application

Executes dropped EXE

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

ModiLoader Second Stage

AgentTesla

Detect ZGRat V1

ModiLoader, DBatLoader

ZGRat

Unpacked files

SH256 hash:

b84daaf8a74ca536da7ec9c2a72d418ebe2db4462b99d7ee69fbc4713ffc8930

MD5 hash:

e943ba5fb84c37030c0daf907c79825c

SHA1 hash:

d393d513939c6a4b1e5fb2598ef14ed424fcb9e2

Detections:

win_dbatloader_g1

Link:

https://www.unpac.me/results/5656c5eb-746f-4830-b954-867a11d5ee6c/

Parent samples :

a3c849f16457f5e170e594c7ca0a2fbb12d9e144e83e51d93f4fab8d62a5de82
f95d84bd16012696182588589d691c5eaa131d28b7dc53cad85d497d61dab85f
6b390b01eb98d6376430626d51e2745f1a4f57cf89b9b6cfb81f968d44af09c8
2b9f29f475b49afdcc26e603cc6ff6508ff3bd7666cd181a1e7c5fac231f677c
e329d4fdf3557b00cfd9044dbd12048077fcb6f8cdbaf1553308e292bf6a3707
9fd26cbae8d741263a304f7532107d61d6e78b91a1e551dc2822131dc70eddc0
f76b8555effde0257cd4c22e62e7aeb3c4f055bac15cc24c46de1292fe7b034f
035f5ee40a4986872d3480fa5d5e96e4dd56c0d1b93cd77a82cadce3283243e7
c9f192e7d1592bfc56e3209da73bbf5fb8a5fbcfcc2d492dbdddfc60c77a1d20
af2a5455f4de7136e90e94e7bee5ba398d01f09ab9d01ef32bb70e560030b650
4397154fc1574bb682c055e6c5cefd36155aa07928edce3593ef38cb975b1f0f
267f54dc36591c1746dba949c776e015c9c89be7a11f4c3ebf7ab0fb4510e0e3
129a9a2dbbd1c3f8c82b66d020ec59b82878ab94a30647902d80dbeb92f74878
4b45c80c13d9143811cacdda64ac2e4cab04fe6262e16cb813836fd244ff5b9c
13a14e45ca00f015b20954bfd7eed1a9eaf0a763da1d155e673e53d31821abb1
582cf4bb7c3f703cb6bbacd2bfa8a1d2f098ca11e0d0fddb8c1d8e812ddc2d69
5e9fb70e299a28b494b0ef9522226219e4dbf7dcf1aeae541f23eaa90ff3f28f
e4fbd0f46d093579c855bf711e874a5ba4e6f3ea047ae5964a08bfb1e762d4f6
204d5541a347bee64224d392403286271bc2351c50101e89b19e896f1756b389
48b290c2bfc5741616cef2f1904acebfc3366cfc99388f075aeb26100881ea98
f45307b5999dab601bb6371d4617cb7378d352e234f1df11b5ba41d779a90564
7a79cdd88f52bd9acdbe1b312bf1583e09827d58b293f53a3d261a654dcfb1df
04f083fb8b7b8ff01c98b972859d03db4de185f81877e180317792e2361043cf
85ca618bef7b97885f9f8c83a5abcb5afcafe9b6ffc3db6893a0dcdd61f6a891
53ac3a6c6aa59e943cff071d3100d55d826268f96e2366ddad3b32fe8c9b98e2
771af3e897f1d32625cdc3cf41d76dcfd21ae27994b721ae6c7cb82bcb284789
b1ca8bbed94ba2690e722c88c1af75082b8a4abf9d7f70206f986746aaa0eae2
39b4aba5e8641981ee7c36537c71403e038895c5699f172498fb99f51f994b85
6b1c7f3b04daf1250db40b85131f39811315781ca521135b7648f453bfbe55cf
22e384543598c8f6d4b45b6d19c09f23e08429a89bb3fe580b368c8aecb9663b
f742048a48e4d17061d323b8543db4e61163d13739ab9c18e8d1c85aef2ca7ff
7e0c562b58d5c2183c98af42b5ff6b6cee6d7d82ad89e773bf0ba9c7f67c04b4
14323b6d2d712b7cd421ca1f6c0d25343fbb7cb94144e338d7a042f0f421e3b7
96df4af7b51b4a03a7014169c0862ed5820d4326d217f5ef4e099c1667a8045d
c2f8b88850fcbc4df88e6708b12a265ed133ba04702f89ae9cf1da504c11bc6e
452fa0451a2bb4c555368aec8f070a3db895414d43e089af54431ebf89d50841
d9c05e4806384074097aabfbdd8965b3767d673f9032b06bed207fda7feccbd7
3ba6ce638dcb1c82a2d3096edcc46a1d5086b9233c4e8be471ba748af9d9b41a
b2a65a2aa1c5bed21112712762ddb73f254219e8037e57c984c1bcd65ad576a7
448a8114208fbb7d2e83c81d59bc262d6857937ec0bceeebda75ad978265b5dc
9dbe21429d77afca07940928b39d0e7c9d994ea9d10a651ccd5189d4522be1cf
cf9cebd5de732b485456f6de49e70b488fb4658c48af572b16b6b2943dfadd50
214d29953c8211d48c06ce4e16239920b4ed1e148428a9165dcfe184fd6ab619
2a347e81537122aca6656bd41eab07d8abd57d85684e71c877650c96963f9123
8282976c399101d48a2f46771f768d37f4de4124d00f4ba8f01d63d6ef935c1a
c016c2649684722dc1e308e080f1739f3314927b3c022f63ad7da9caacd79a63
ea854ab77631dbf87f8a69de2f865d33751dcd3fe5b0284c38e12de2f471a9a4
1868a740c4a9ad3f6df9ee149c74de5744e3488faa33bf3c9811882fbb5d76af
c6e6d9dd75af4dd8ec008e9dc75688b0325d31c822eef311783feaffff7c0dbb

SH256 hash:

7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

MD5 hash:

c116d3604ceafe7057d77ff27552c215

SHA1 hash:

452b14432fb5758b46f2897aeccd89f7c82a727d

Link:

https://www.unpac.me/results/5656c5eb-746f-4830-b954-867a11d5ee6c/

SH256 hash:

af2a5455f4de7136e90e94e7bee5ba398d01f09ab9d01ef32bb70e560030b650

MD5 hash:

ee67f8e5c473d7b541be90a0ee046f8d

SHA1 hash:

7eec2005dd50ba68ec84c6b6b7e350e18eefc51c

Link:

https://www.unpac.me/results/5656c5eb-746f-4830-b954-867a11d5ee6c/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/af2a5455f4de/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/af2a5455f4de7136e90e94e7bee5ba398d01f09ab9d01ef32bb70e560030b650

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BobSoftMiniDelphiBoBBobSoft Create hunting rule
Author:	malware-lu

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample