MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2d45c9e0e80aa26cec7cfdd54a0bcd634de6233d68450374488b89ed3db47dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b2d45c9e0e80aa26cec7cfdd54a0bcd634de6233d68450374488b89ed3db47dc
SHA3-384 hash: ae496b46667fdcce6eb9de08f6a3a321641fc0e153e3279348f71eb00d3557ef123bd50c58f26c838a2e06a09508504c
SHA1 hash: decc403f46c176ebdb63b5ff85cba4417e6ac656
MD5 hash: b8d852727f765151a9806f6fe026ae18
humanhash: oranges-maryland-missouri-lima
File name:Order_#09267992827627.exe
Download: download sample
Signature DBatLoader
Create hunting rule
File size:835'072 bytes
First seen:2022-04-21 07:54:16 UTC
Last seen:2022-04-21 08:06:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7eb9a673f51c76bc419bd48122f0267a (2 x RemcosRAT, 1 x NetWire, 1 x DBatLoader)
ssdeep 12288:5ak03Y2ci01sS32v0I24Vl5IDQfyjd6kR/MVw8gdhKzaRHrC:45IFz32vfLVl6DQ6jd/MnBz
Threatray 7'545 similar samples on MalwareBazaar
TLSH T124057D26B2818832C0331E785D5F96745826FE10EE28B9862EF5ED487F357E33919397
TrID 26.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
24.5% (.SCR) Windows screen saver (13101/52/3)
19.7% (.EXE) Win64 Executable (generic) (10523/12/4)
8.4% (.EXE) Win32 Executable (generic) (4505/5/1)
5.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon 7cf4b6ae8cd0e0f4 (2 x RemcosRAT, 1 x ModiLoader, 1 x NetWire)
Reporter cocaman
Tags:DBatLoader exe


Avatar
cocaman
Malicious email (T1566.001)
From: ""KISKER BIOTECH GMBH & CO. KG" <contact@kisker-biotech.com>" (likely spoofed)
Received: "from kisker-biotech.com (unknown [185.222.58.58]) "
Date: "20 Apr 2022 15:57:54 +0200"
Subject: "Order_#09267992827627"
Attachment: "Order_#09267992827627.exe"

Intelligence

File Origin
# of uploads :
2
# of downloads :
227
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/265344/
Detection(s):
Win.Dropper.Formbook-9917440-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending an HTTP GET request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching the process to interact with network services
Launching a process
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Enabling autorun
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook
Link:
https://www.filescan.io/uploads/62610dd8eab80a7a6c5209d7/reports/717c1734-42a1-4b91-8b39-ca50a3ded208/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AVE_MARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a4e6d2b5-f9ee-4531-ba50-51d061d2a368
Result
Threat name:
AveMaria DBatLoader
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/980466
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Increases the number of concurrent connection per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Program Location with Network Connections
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected DBatLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 612953 Sample: Order_#09267992827627.exe Startdate: 21/04/2022 Architecture: WINDOWS Score: 100 84 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->84 86 Multi AV Scanner detection for domain / URL 2->86 88 Found malware configuration 2->88 90 9 other signatures 2->90 8 Order_#09267992827627.exe 1 23 2->8         started        13 Zibveea.exe 13 2->13         started        15 Zibveea.exe 2->15         started        17 explorer.exe 2->17         started        process3 dnsIp4 74 enapa.org.br 142.44.216.172, 49740, 49741, 49748 OVHFR Canada 8->74 70 C:\Users\Public\Libraries\Zibveea.exe, PE32 8->70 dropped 72 C:\Users\...\Zibveea.exe:Zone.Identifier, ASCII 8->72 dropped 108 Writes to foreign memory regions 8->108 110 Allocates memory in foreign processes 8->110 112 Creates a thread in another existing process (thread injection) 8->112 19 DpiScaling.exe 4 4 8->19         started        23 cmd.exe 1 8->23         started        114 Multi AV Scanner detection for dropped file 13->114 116 Injects a PE file into a foreign processes 13->116 25 logagent.exe 13->25         started        76 192.168.2.1 unknown unknown 15->76 28 DpiScaling.exe 15->28         started        file5 signatures6 process7 dnsIp8 68 C:\ProgramData\windowsupdater.exe, PE32 19->68 dropped 92 Contains functionality to inject threads in other processes 19->92 94 Contains functionality to steal Chrome passwords or cookies 19->94 96 Contains functionality to steal e-mail passwords 19->96 106 2 other signatures 19->106 30 cmd.exe 1 19->30         started        32 windowsupdater.exe 1 1 19->32         started        35 powershell.exe 9 19->35         started        37 cmd.exe 1 23->37         started        39 conhost.exe 23->39         started        78 5.2.68.67, 11940, 49762, 49763 LITESERVERNL Netherlands 25->78 98 Writes to foreign memory regions 25->98 100 Allocates memory in foreign processes 25->100 102 Adds a directory exclusion to Windows Defender 25->102 41 powershell.exe 25->41         started        43 cmd.exe 25->43         started        104 Creates a thread in another existing process (thread injection) 28->104 45 powershell.exe 28->45         started        47 cmd.exe 28->47         started        file9 signatures10 process11 signatures12 49 reg.exe 1 1 30->49         started        52 conhost.exe 30->52         started        80 Injects code into the Windows Explorer (explorer.exe) 32->80 54 explorer.exe 32->54         started        56 conhost.exe 35->56         started        58 conhost.exe 37->58         started        60 conhost.exe 41->60         started        62 conhost.exe 43->62         started        64 conhost.exe 45->64         started        66 conhost.exe 47->66         started        process13 signatures14 82 Creates an undocumented autostart registry key 49->82
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b2d45c9e0e80aa26cec7cfdd54a0bcd634de6233d68450374488b89ed3db47dc/
Threat name:
Win32.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2022-04-20 15:06:15 UTC
File Type:
PE (Exe)
Extracted files:
51
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wlkfzhqoqcvcntwhz7ovjif42y2n4yrt22cfan2erc4j5u63i7oa._file
Verdict:
malicious
Similar samples:
25f95bec948dd2f304c9a68b61e057d3f7ac656ec3b9849c87c0751949e858e8
DBatLoader
5b7e1bfddf5e3dc58ccf18cb463d53c3551258708cd903df9b13b79594de5ad1
DBatLoader
6299e5f3946878e16130c6454bcd90bf319b3dcf8bd13d9a56bb867ba82eb655
DBatLoader
83d7062a6e44aed6a161da23937cc66f97982e045d933dc4dd2049df4496d34b
DBatLoader
9c9243f11dd44d1f1ac97716014be57244dca97a514e73d5f13da03392cba358
DBatLoader
9ea23f24620fd64243f22df105d30b97810377238aed2fd83aa31665198175db
DBatLoader
ba1b1f218d5236e121b68da9183c90e8e6640f91c77a5e8d0ea5eead270f2199
DBatLoader
+ 7'535 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:warzonerat infostealer persistence rat trojan
Link:
https://tria.ge/reports/220421-jr41nadgb9/
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
ModiLoader Second Stage
ModiLoader, DBatLoader
WarzoneRat, AveMaria
Malware Config
C2 Extraction:
5.2.68.67:11940
Unpacked files
SH256 hash:
cb9250eb1969ef939afaa4241bf68db390d6b4b122d6266d88a15a1a1d7270d1
MD5 hash:
cd6093410773b9dde4a69d6411ec5bb6
SHA1 hash:
5f58401a5441a36f6d8d3e14438bbeba96567367
Detections:
win_dbatloader_w0
Create hunting rule
Link:
https://www.unpac.me/results/240243b1-c497-4c4b-a8b7-bfd30f5357bf/
Parent samples :
cf80023d35bef226afa7cae9b91ae7128a9c52eb70a7428e5a019ef2ac0ceba0
b2d45c9e0e80aa26cec7cfdd54a0bcd634de6233d68450374488b89ed3db47dc
SH256 hash:
b2d45c9e0e80aa26cec7cfdd54a0bcd634de6233d68450374488b89ed3db47dc
MD5 hash:
b8d852727f765151a9806f6fe026ae18
SHA1 hash:
decc403f46c176ebdb63b5ff85cba4417e6ac656
Link:
https://www.unpac.me/results/240243b1-c497-4c4b-a8b7-bfd30f5357bf/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b2d45c9e0e80/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b2d45c9e0e80aa26cec7cfdd54a0bcd634de6233d68450374488b89ed3db47dc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DBatLoader

Executable exe b2d45c9e0e80aa26cec7cfdd54a0bcd634de6233d68450374488b89ed3db47dc

(this sample)

  
Delivery method
Distributed via e-mail attachment
  
Dropping
DBatLoader
Cape
Cape
https://www.capesandbox.com/analysis/265344/

Comments