MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1792fcfc84c2454b17a57c2427667b8592ce466518fa08395cd20aa02fffef8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DBatLoader


Vendor detections: 13


Maldoc score: 4



SHA256 hash: b1792fcfc84c2454b17a57c2427667b8592ce466518fa08395cd20aa02fffef8
SHA3-384 hash: ccaac111ae5ee26bc66b08fb79ea1c3ced934acafffadcd7e2d57af68360ca18c7cc481437c1921503510be6c8399672
SHA1 hash: d6c26c5e0c4d10984595e0911a5ff5efe5a93053
MD5 hash: dcd1c5f88361c072b8b63728cde38ce2
humanhash: tennis-quebec-artist-cold
File name: GlobalCash_Executionstatement_002SSAG001104_20231107.xls
Signature: DBatLoader
File size: 1'179'648 bytes
First seen: 2023-11-08 12:29:23 UTC
Last seen: Never
File type: Excel file xls
MIME type: application/vnd.ms-excel
ssdeep: 24576:9uBSw6/uZyE3bVww6/WZyl3bV4gNNaSFElJHLGzU:86/453bVr6/Ai3bVRN0SFEl4z
TLSH: T1CE45D003A9408B87D41C83F46EE34EE91F19BF08EA916EDF1129BF1B3E706721D5A519
TrID: 46.5% (.XLS) Microsoft Excel sheet (alternate) (56500/1/4)
      26.7% (.XLS) Microsoft Excel sheet (32500/1/3)
      20.1% (.XLS) Microsoft Excel sheet (alternate) (24500/1/2)
      6.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter: abuse_ch
Tags: CVE-2017-11882 DBatLoader xls

Office OLE Information


This malware sample appears to be an Office document. The following table provides more information about this document, obtained with oletools and oledump.

OLE id
Maldoc score: 4
OLE dump

MalwareBazaar was able to identify 52 sections in this file using oledump:

Section ID  Section size  Section name
1           114 bytes     CompObj
2           244 bytes     DocumentSummaryInformation
3           200 bytes     SummaryInformation
4           94 bytes      MBD0001AE85/CompObj
5           62 bytes      MBD0001AE85/Ole
6           20409 bytes   MBD0001AE85/CONTENTS
7           94 bytes      MBD0001AE86/CompObj
8           62 bytes      MBD0001AE86/Ole
9           12169 bytes   MBD0001AE86/CONTENTS
10          94 bytes      MBD0001AE87/CompObj
11          62 bytes      MBD0001AE87/Ole
12          7284 bytes    MBD0001AE87/CONTENTS
13          94 bytes      MBD0001AE88/CompObj
14          62 bytes      MBD0001AE88/Ole
15          64830 bytes   MBD0001AE88/CONTENTS
16          93 bytes      MBD0001AE89/CompObj
17          64 bytes      MBD0001AE89/Ole
18          124841 bytes  MBD0001AE89/CONTENTS
19          114 bytes     MBD0001AE8A/CompObj
20          708 bytes     MBD0001AE8A/DocumentSummaryInformation
21          23248 bytes   MBD0001AE8A/SummaryInformation
22          97872 bytes   MBD0001AE8A/Workbook
23          418 bytes     MBD0001AE8A/_VBA_PROJECT_CUR/PROJECT
24          62 bytes      MBD0001AE8A/_VBA_PROJECT_CUR/PROJECTwm
25          977 bytes     MBD0001AE8A/_VBA_PROJECT_CUR/VBA/Sheet1
26          985 bytes     MBD0001AE8A/_VBA_PROJECT_CUR/VBA/ThisWorkbook
27          2329 bytes    MBD0001AE8A/_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
28          517 bytes     MBD0001AE8A/_VBA_PROJECT_CUR/VBA/dir
29          94 bytes      MBD0001AE8B/CompObj
30          62 bytes      MBD0001AE8B/Ole
31          64830 bytes   MBD0001AE8B/CONTENTS
32          93 bytes      MBD0001AE8C/CompObj
33          64 bytes      MBD0001AE8C/Ole
34          124841 bytes  MBD0001AE8C/CONTENTS
35          114 bytes     MBD0001AE8D/CompObj
36          708 bytes     MBD0001AE8D/DocumentSummaryInformation
37          23248 bytes   MBD0001AE8D/SummaryInformation
38          97808 bytes   MBD0001AE8D/Workbook
39          0 bytes       MBD0001AE8D/_VBA_PROJECT_CUR/VBA/Sheet1
40          0 bytes       MBD0001AE8D/_VBA_PROJECT_CUR/VBA/ThisWorkbook
41          0 bytes       MBD0001AE8D/_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
42          1405 bytes    MBD0001AE8E/OLe10NAtiVe
43          20 bytes      MBD0001AE8E/Ole
44          475993 bytes  Workbook
45          527 bytes     _VBA_PROJECT_CUR/PROJECT
46          104 bytes     _VBA_PROJECT_CUR/PROJECTwm
47          977 bytes     _VBA_PROJECT_CUR/VBA/Sheet1
48          977 bytes     _VBA_PROJECT_CUR/VBA/Sheet2
49          977 bytes     _VBA_PROJECT_CUR/VBA/Sheet3
50          985 bytes     _VBA_PROJECT_CUR/VBA/ThisWorkbook
51          2644 bytes    _VBA_PROJECT_CUR/VBA/_VBA_PROJECT
52          553 bytes     _VBA_PROJECT_CUR/VBA/dir
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) from OLE objects embedded in this file using olevba, and obtained the following information:

Type        Keyword      Description
Suspicious  Hex Strings  Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence


File Origin
# of uploads: 1
# of downloads: 352
Origin country: NL

Vendor Threat Intelligence
Verdict: Legit
File type: application/vnd.ms-excel
Has a screenshot: False
Contains macros: False
Result
Verdict: Malware
Maliciousness:
Behaviour
Launching a process
Creating a file in the %AppData% directory
Creating synchronization primitives
Searching for the window
Creating a window
Searching for synchronization primitives
Sending an HTTP GET request
Creating a process from a recently created file
Result
Verdict: Malicious
File Type: Legacy Excel File with Macro
Behaviour
BlacklistAPI detected
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control embedequation exploit exploit greyware keylogger lolbin macros packed shellcode sload
Label: Benign
Suspicious Score: 1.7/10
Score Malicious: 18%
Score Benign: 82%
Result
Threat name: DBatLoader, Remcos
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to modify clipboard data
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates a thread in another existing process (thread injection)
Delayed program exit found
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Shellcode detected
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph (the rendered graph is not reproduced; the information recoverable from it is listed below):
Behavior Graph ID: 1339011
Sample: GlobalCash_Executionstateme...
Startdate: 08/11/2023
Architecture: WINDOWS
Score: 100
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 14 other signatures

Process tree (node numbers are those used in the graph):
  2 sample
    8 EQNEDT32.EXE
      network: 185.241.208.231, 49164, 80 (GBTCLOUDUS, Moldova Republic of)
      dropped: C:\Users\user\AppData\Roaming\IGCC.exe (PE32); C:\Users\user\AppData\Local\...\smss[1].exe (PE32)
      signatures: Office equation editor establishes network connection; Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
      19 IGCC.exe
        network: wyskdg.dm.files.1drv.com; web.fe.1drv.com; 2 other IPs or domains
        dropped: C:\Users\Public\Libraries\netutils.dll (PE32+); C:\Users\Public\Libraries\easinvoker.exe (PE32+); C:\Users\Public\Libraries\Rbundagv.PIF (PE32)
        signatures: Multi AV Scanner detection for dropped file; Drops PE files with a suspicious file extension; Writes to foreign memory regions
        30 colorcpl.exe
          network: 20.252.43.59, 4403, 49169 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)
          dropped: C:\Users\user\remcos\isorac.dat (data)
          signatures: Contains functionality to steal Chrome passwords or cookies; Contains functionality to register a low level keyboard hook; Contains functionality to modify clipboard data; 2 other signatures
        35 cmd.exe
          signatures: Uses ping.exe to sleep; Drops executables to the windows directory (C:\Windows) and starts them; Uses ping.exe to check the status of other devices and networks
          39 PING.EXE
            network: 127.0.0.1 (unknown)
          42 xcopy.exe
            dropped: C:\Windows \System32\easinvoker.exe (PE32+)
          45 xcopy.exe
            dropped: C:\Windows \System32\netutils.dll (PE32+)
          47 8 other processes
    13 Rbundagv.PIF
      network: wyskdg.dm.files.1drv.com; web.fe.1drv.com; 2 other IPs or domains
      signatures: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
      24 colorcpl.exe
    15 EQNEDT32.EXE
      26 IGCC.exe
        network: wyskdg.dm.files.1drv.com; web.fe.1drv.com; 2 other IPs or domains
        signatures: Allocates memory in foreign processes; Injects a PE file into a foreign processes
        37 SndVol.exe
    17 2 other processes
      28 RdrCEF.exe
Threat name: Document-Office.Exploit.CVE-2017-11882
Status: Malicious
First seen: 2023-11-08 09:46:22 UTC
File Type: Document
Extracted files: 111
AV detection: 12 of 37 (32.43%)
Threat level: 5/5

Result
Malware family: modiloader
Score: 10/10
Tags: family:modiloader trojan
Behaviour
Checks processor information in registry
Enumerates system info in registry
Launches Equation Editor
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Program crash
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
ModiLoader Second Stage
ModiLoader, DBatLoader
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_OLE_EXPLOIT_CVE_2017_11882_1
Author: ditekSHen
Description: detects OLE documents potentially exploiting CVE-2017-11882

Rule name: informational_win_ole_protected
Author: Jeff White (karttoon@gmail.com) @noottrak
Description: Identify OLE Project protection within documents.

Rule name: maldoc_OLE_file_magic_number
Author: Didier Stevens (https://DidierStevens.com)

Rule name: office_document_vba
Author: Jean-Philippe Teissier / @Jipe_
Description: Office document with embedded VBA
Reference: https://github.com/jipegit/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
DBatLoader
Excel file xls b1792fcfc84c2454b17a57c2427667b8592ce466518fa08395cd20aa02fffef8 (this sample)
Delivery method: Distributed via e-mail attachment

Comments