MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af499144c7f610fae2c18484fd390dbc9307cf056e69813a1f53f944593d412b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: af499144c7f610fae2c18484fd390dbc9307cf056e69813a1f53f944593d412b
SHA3-384 hash: ecb0ef8bbf8a12e92b56ee69996a7f680c75daaa079a7d8d83b5a1463900b8ac39a14ab4afd5eb7f1440bdda061d21d8
SHA1 hash: e0e0902afefa2e7b8092b2db24b15cff33c911a2
MD5 hash: fb90f352e7cb2dacfcc74446ed64868a
humanhash: uranus-green-twelve-zulu
File name:SecuriteInfo.com.Scr.MalPbsgen1.19801.22949
Download: download sample
Signature DBatLoader
Create hunting rule
File size:859'648 bytes
First seen:2022-04-19 09:53:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e0804e63f849253255cc5a90c0147c49 (6 x DBatLoader, 1 x Formbook, 1 x ModiLoader)
ssdeep 12288:bZ8wag4BvCXr8j4CoOjPDQdT4ragoUG15U87uxHkHijCNsFKzaRHr:b2FN2ojFoOjcdTaTGTR8HExz
Threatray 7'412 similar samples on MalwareBazaar
TLSH T11105AF22B2908433E1731F748D5B93B85926BF102E2979467AF5ED1C6F7D2E03939293
TrID 26.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
24.5% (.SCR) Windows screen saver (13101/52/3)
19.7% (.EXE) Win64 Executable (generic) (10523/12/4)
8.4% (.EXE) Win32 Executable (generic) (4505/5/1)
5.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon c8c982848998ac94 (10 x Formbook, 6 x DBatLoader, 4 x RemcosRAT)
Reporter SecuriteInfoCom
Tags:DBatLoader exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
257
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/264582/
Detection(s):
SecuriteInfo.com.Scr.MalPbsgen1.19801.22949.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching the process to interact with network services
Launching a process
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe greyware keylogger
Link:
https://www.filescan.io/uploads/625e86bcffe27d51190a3c79/reports/77f7b55d-53c0-4e35-a315-2c2dd9b79d69/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/abb3e229-c2d7-43f2-bf85-7617a31c8a02
Result
Threat name:
Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/978751
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Program Location with Network Connections
Writes to foreign memory regions
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 611236 Sample: SecuriteInfo.com.Scr.MalPbs... Startdate: 19/04/2022 Architecture: WINDOWS Score: 100 53 Multi AV Scanner detection for domain / URL 2->53 55 Found malware configuration 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 5 other signatures 2->59 8 SecuriteInfo.com.Scr.MalPbsgen1.19801.exe 1 23 2->8         started        13 Ghtxcil.exe 16 2->13         started        15 Ghtxcil.exe 16 2->15         started        process3 dnsIp4 39 i-am3p-cor007.api.p001.1drv.com 13.104.158.183, 443, 49735, 49737 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 8->39 41 qudfoq.am.files.1drv.com 8->41 47 4 other IPs or domains 8->47 33 C:\Users\Public\Librariesbehaviorgraphhtxcil.exe, PE32 8->33 dropped 35 C:\Users\...behaviorgraphhtxcil.exe:Zone.Identifier, ASCII 8->35 dropped 69 Writes to foreign memory regions 8->69 71 Creates a thread in another existing process (thread injection) 8->71 73 Injects a PE file into a foreign processes 8->73 17 logagent.exe 2 8->17         started        21 cmd.exe 1 8->21         started        43 i-ams03p-cor001.api.p001.1drv.com 20.135.25.0, 443, 49749, 49751 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 13->43 45 qudfoq.am.files.1drv.com 13->45 49 4 other IPs or domains 13->49 75 Multi AV Scanner detection for dropped file 13->75 23 DpiScaling.exe 13->23         started        51 5 other IPs or domains 15->51 25 DpiScaling.exe 15->25         started        file5 signatures6 process7 dnsIp8 37 79.134.225.44, 6809 FINK-TELECOM-SERVICESCH Switzerland 17->37 61 Contains functionality to steal Chrome passwords or cookies 17->61 63 Contains functionality to inject code into remote processes 17->63 65 Contains functionality to steal Firefox passwords or cookies 17->65 27 cmd.exe 1 21->27         started        29 conhost.exe 21->29         started        67 Delayed program exit found 23->67 signatures9 process10 process11 31 conhost.exe 27->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/af499144c7f610fae2c18484fd390dbc9307cf056e69813a1f53f944593d412b/
Threat name:
Win32.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2022-04-19 09:54:08 UTC
File Type:
PE (Exe)
Extracted files:
67
AV detection:
23 of 38 (60.53%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v5ezcrgh6yipvywbqscp2oinxsjqptyfnzuycoq7kp4uiwj5ievq._file
Verdict:
malicious
Similar samples:
3ba7ad2a718413ab6d36dd156bbdd5ac1bcca860f039b14c4cb4382aee58bc88
DBatLoader
5b7e1bfddf5e3dc58ccf18cb463d53c3551258708cd903df9b13b79594de5ad1
DBatLoader
6299e5f3946878e16130c6454bcd90bf319b3dcf8bd13d9a56bb867ba82eb655
DBatLoader
6a52acf5de13a2c4d6fa927727fb868db6d97220c5eb837ca307d19c0b7cf128
DBatLoader
713114d1dcb9d12994f1cfcb7cc765283cff3f2242ee57cdf15e849e15213a0b
DBatLoader
83d7062a6e44aed6a161da23937cc66f97982e045d933dc4dd2049df4496d34b
DBatLoader
9c9243f11dd44d1f1ac97716014be57244dca97a514e73d5f13da03392cba358
DBatLoader
9ea23f24620fd64243f22df105d30b97810377238aed2fd83aa31665198175db
DBatLoader
bd09b7f6ad0ca7e7c74eee9ecab5fd3de92f24529c708370710161847d0861be
DBatLoader
+ 7'402 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:loostime persistence rat trojan
Link:
https://tria.ge/reports/220419-lw7nfsbdfq/
Behaviour
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
79.134.225.44:6809
Unpacked files
SH256 hash:
5c7abef80eec8823727033ff393ec0c554e024174078558c2816eac5aa5f05ba
MD5 hash:
75bb3ad3fd6a800d80f6d0df1eacc4cd
SHA1 hash:
97401d629c663e86c91d254047857d2d56245c69
Detections:
win_dbatloader_w0
Create hunting rule
Link:
https://www.unpac.me/results/aec6d3bd-734f-4d31-b3a7-fb894e0c03f4/
Parent samples :
25ea2bf5ae084d751e654229343f8390cf11c0d1930fda8009b3935a96317de2
af499144c7f610fae2c18484fd390dbc9307cf056e69813a1f53f944593d412b
5c7e72a95bfda155875ac2e0b0a56588bb5ec05ca71d2e94c9f0ccfba523c373
7834cc8a3f3b2dd0d3ed6a22c134b347054a477e116b4a46751f21a463aee356
SH256 hash:
af499144c7f610fae2c18484fd390dbc9307cf056e69813a1f53f944593d412b
MD5 hash:
fb90f352e7cb2dacfcc74446ed64868a
SHA1 hash:
e0e0902afefa2e7b8092b2db24b15cff33c911a2
Link:
https://www.unpac.me/results/aec6d3bd-734f-4d31-b3a7-fb894e0c03f4/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/af499144c7f6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/af499144c7f610fae2c18484fd390dbc9307cf056e69813a1f53f944593d412b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/264582/

Comments