MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b71f049c988b45ad09977a6e2b86ddf4e33e708244df8eb5fb31f44cf51c5b17. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b71f049c988b45ad09977a6e2b86ddf4e33e708244df8eb5fb31f44cf51c5b17
SHA3-384 hash: cd5d5b31a85c29e10f4995b398f649f76996f8feccc9e0d0d149575139b9b830ee7f24bf3ebd14a075ca73234057f747
SHA1 hash: dd37730147b8bcd278bda90900b1dffabf24f0ce
MD5 hash: 12b9690836625a788d3bc12b41d13dcd
humanhash: snake-autumn-mobile-sweet
File name:Delivery_Details.exe
Download: download sample
Signature DBatLoader
Create hunting rule
File size:1'879'040 bytes
First seen:2024-01-31 10:29:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5f7fe181812d5942ca24024d00d9c41d (3 x RemcosRAT, 2 x DBatLoader)
ssdeep 49152:FIOAjnxf2hp4XLkrhKOekUvUeudcvHaF5P0R:FI92hp4XQrhhekUvfudFuR
TLSH T10995F2BAE2041476D4364136C70EF7EAA85C7D2A2F2861415AFE3CCC75B9787F42A426
TrID 30.5% (.SCR) Windows screen saver (13097/50/3)
24.5% (.EXE) Win64 Executable (generic) (10523/12/4)
15.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.5% (.EXE) Win32 Executable (generic) (4505/5/1)
4.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon e0c4a2a6a4bcbcf8 (12 x RemcosRAT, 6 x DBatLoader, 4 x Formbook)
Reporter abuse_ch
Tags:DBatLoader exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
256
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
b71f049c988b45ad09977a6e2b86ddf4e33e708244df8eb5fb31f44cf51c5b17.exe
Verdict:
Malicious activity
Analysis date:
2024-01-31 10:38:37 UTC
Tags:
dbatloader rat remcos remote keylogger
Link:
https://app.any.run/tasks/5562abb1-0489-4009-8ed6-06572bbc4342

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
ModiLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/473715/
Detection(s):
Win.Trojan.Sinowal-9756760-0
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint hook keylogger masquerade packed remcos
Link:
https://www.filescan.io/uploads/65ba21300eab2d16054bd1fc/reports/0ab7a549-af91-492d-88f2-ddaec88b7c70/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/b71f049c988b45ad09977a6e2b86ddf4e33e708244df8eb5fb31f44cf51c5b17
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a53f889e-2ca2-46c0-9d20-71330d9f846c
Result
Threat name:
DBatLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1383920
Signature
Allocates many large memory junks
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Drops PE files with a suspicious file extension
Early bird code injection technique detected
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample is not signed and drops a device driver
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Process Patterns NTDS.DIT Exfil
Sigma detected: Suspicious Program Location with Network Connections
Uses dynamic DNS services
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1383920 Sample: Delivery_Details.exe Startdate: 31/01/2024 Architecture: WINDOWS Score: 100 45 mfreshbnrem.ddns.net 2->45 47 dual-spov-0006.spov-msedge.net 2->47 49 6 other IPs or domains 2->49 59 Multi AV Scanner detection for domain / URL 2->59 61 Found malware configuration 2->61 63 Malicious sample detected (through community Yara rule) 2->63 67 14 other signatures 2->67 9 Delivery_Details.exe 1 8 2->9         started        14 Uvdbwcdb.PIF 2->14         started        16 Uvdbwcdb.PIF 2->16         started        signatures3 65 Uses dynamic DNS services 45->65 process4 dnsIp5 55 dual-spov-0006.spov-msedge.net 13.107.137.11, 443, 49705, 49706 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 9->55 37 C:\Users\Public\Libraries\truesight.sys, PE32+ 9->37 dropped 39 C:\Users\Public\Libraries\netutils.dll, PE32+ 9->39 dropped 41 C:\Users\Public\Libraries\easinvoker.exe, PE32+ 9->41 dropped 43 2 other malicious files 9->43 dropped 77 Early bird code injection technique detected 9->77 79 Drops PE files with a suspicious file extension 9->79 81 Allocates memory in foreign processes 9->81 87 3 other signatures 9->87 18 SndVol.exe 3 16 9->18         started        23 cmd.exe 1 9->23         started        83 Multi AV Scanner detection for dropped file 14->83 85 Machine Learning detection for dropped file 14->85 25 SndVol.exe 14->25         started        57 13.107.139.11, 443, 49721, 49722 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 16->57 27 colorcpl.exe 16->27         started        file6 signatures7 process8 dnsIp9 51 mfreshbnrem.ddns.net 192.177.111.126, 2404, 49708 EGIHOSTINGUS United States 18->51 53 geoplugin.net 178.237.33.50, 49709, 80 ATOM86-ASATOM86NL Netherlands 18->53 35 C:\ProgramData\FTYGFTGF\logs.dat, data 18->35 dropped 69 Contains functionality to bypass UAC (CMSTPLUA) 18->69 71 Contains functionalty to change the wallpaper 18->71 73 Contains functionality to steal Chrome passwords or cookies 18->73 75 4 other signatures 18->75 29 cmd.exe 2 23->29         started        31 conhost.exe 23->31         started        file10 signatures11 process12 process13 33 conhost.exe 29->33         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b71f049c988b45ad09977a6e2b86ddf4e33e708244df8eb5fb31f44cf51c5b17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b71f049c988b45ad09977a6e2b86ddf4e33e708244df8eb5fb31f44cf51c5b17/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2024-01-30 00:02:43 UTC
File Type:
PE (Exe)
Extracted files:
22
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w4pqjheyrnc22cmxpjxcxbw56trt44ecitpy5np3gh2ez5i4lmlq._file
Verdict:
malicious
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:remotehost persistence rat trojan
Link:
https://tria.ge/reports/240131-mjtfqsbhhp/
Behaviour
Enumerates system info in registry
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Launches sc.exe
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Creates new service(s)
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
mfreshbnrem.ddns.net:2404
wwmfreshbnrem.ddns.net:2404
2wwmfreshbnrem.ddns.net:2404
32wwmfreshbnrem.ddns.net:2404
Unpacked files
SH256 hash:
b71f049c988b45ad09977a6e2b86ddf4e33e708244df8eb5fb31f44cf51c5b17
MD5 hash:
12b9690836625a788d3bc12b41d13dcd
SHA1 hash:
dd37730147b8bcd278bda90900b1dffabf24f0ce
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/2bc4b234-e9af-4d1b-b5f2-0fb898852e8c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b71f049c988b45ad09977a6e2b86ddf4e33e708244df8eb5fb31f44cf51c5b17

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DBatLoader

Executable exe b71f049c988b45ad09977a6e2b86ddf4e33e708244df8eb5fb31f44cf51c5b17

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/473715/

Comments