MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8c479c8f43982f934d0239414add128c4cb94a8376cfd6150dc52c0395ad90d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b8c479c8f43982f934d0239414add128c4cb94a8376cfd6150dc52c0395ad90d
SHA3-384 hash: a4730e2aa1160715f9b66c233ae608e78d295c3c36f511570d993bdc0a0a4155b63b4f3062267aa3847282121ffa166d
SHA1 hash: 5d2ef63dfb98001b2323e8187dd7d15686e9984e
MD5 hash: be15731ec7cdca6019f9e37d5979d9b8
humanhash: lithium-beer-white-oven
File name:be15731ec7cdca6019f9e37d5979d9b8.exe
Download: download sample
Signature DBatLoader
Create hunting rule
File size:407'040 bytes
First seen:2024-12-06 09:09:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bb01e27ed4be9aa6364d00583f04f149 (4 x DBatLoader, 1 x RecordBreaker)
ssdeep 6144:cLy84u9nSO2GjZkD10BIY3rb1YfBdfpoZ3u/Ht52w6JSeiFPXoZP:I+u9nx2GjMY3XKfd/H/9PcP
TLSH T1B7848D37FAD08433C1732A7D9C5B9B68AD29BE512D2824467BEC1E8C4F3D7927425293
TrID 95.2% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
2.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
0.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.6% (.EXE) Win32 Executable (generic) (4504/4/1)
0.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 293 x GCleaner, 137 x ArkeiStealer)
Reporter abuse_ch
Tags:DBatLoader exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
413
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
be15731ec7cdca6019f9e37d5979d9b8.exe
Verdict:
Suspicious activity
Analysis date:
2024-12-06 09:20:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e3ce5f0e-1504-4dfd-bc48-7fc1da5bb482

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Packer.BorlandDelphi-15
Create hunting rule

PUA.Win.Packer.BorlandDelphi-1
Create hunting rule

Win.Ransomware.Lockscreen-9831110-0
Create hunting rule

Win.Trojan.Fullscreen-41
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6752bf6e19fba9940b4970fc
Tags:
lockscreen delphi
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Enabling the 'hidden' option for analyzed file
Searching for synchronization primitives
Launching a process
Forced system process termination
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Enabling a "Do not show hidden files" option
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context borland_delphi explorer fingerprint keylogger lockscreen lolbin ransomware
Link:
https://www.filescan.io/uploads/6752bf6d65dd3844b8899008/reports/756ba72d-4f4e-4d69-a412-9d9bdbd9afd6/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b8c479c8f43982f934d0239414add128c4cb94a8376cfd6150dc52c0395ad90d
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0fb9d248-6d1c-4850-a54d-9c6e7ba65327
Result
Threat name:
DBatLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1569832
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Deletes keys related to Windows Defender
Deletes keys which are related to windows safe boot (disables safe mode boot)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected DBatLoader
Behaviour
Behavior Graph:
Download SVG
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b8c479c8f43982f934d0239414add128c4cb94a8376cfd6150dc52c0395ad90d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b8c479c8f43982f934d0239414add128c4cb94a8376cfd6150dc52c0395ad90d/
Threat name:
Win32.Ransomware.RansomLock
Create hunting rule
Status:
Malicious
First seen:
2023-02-25 18:32:04 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
37 of 38 (97.37%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xdchtshuhgbpsngqeokbjlorfdcmxffig5wp2ykq3rjmaok23egq._file
Verdict:
malicious
Label(s):
dbatloader
Create hunting rule
Similar samples:
error
DBatLoader
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader defense_evasion discovery persistence trojan
Link:
https://tria.ge/reports/241206-k42lqsznbx/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
System Location Discovery: System Language Discovery
Adds Run key to start application
Impair Defenses: Safe Mode Boot
Boot or Logon Autostart Execution: Active Setup
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Verdict:
Malicious
Tags:
Win.Ransomware.Lockscreen-9831110-0
YARA:
n/a
Link:
https://app.threat.zone/submission/17727762-2006-4ee3-a134-bc3243351cc8
Unpacked files
SH256 hash:
133fc0c7168778f8e595dd1eff0c4e4f5cee9b4493dbdc8adf9281fa1b399f50
MD5 hash:
3683741300135fb6e310643826891019
SHA1 hash:
c5208f9edd9f741ca77bbef6514aeb9faf5a28c9
Link:
https://www.unpac.me/results/a92d20ab-079b-49af-a247-433ff738df00/
SH256 hash:
92c33cedc767cbf5ff5f3cc2d068d56a23fd465740bb322685264ffe0b7f3fc3
MD5 hash:
2b2326ef9555610fa0cc20e1ac273284
SHA1 hash:
a7fa2ac1b10af6a376737b93e863a07ff53d686b
Link:
https://www.unpac.me/results/a92d20ab-079b-49af-a247-433ff738df00/
SH256 hash:
0377585ec50ed2e1b3d8519be272599f31024accd20b484ddae8240e09cc83b4
MD5 hash:
13d3997b43c3d5cbafb0ff10b6f0dee1
SHA1 hash:
e650a76f3fa8d28e2ff3751ccf44d124ef2b82bd
Link:
https://www.unpac.me/results/a92d20ab-079b-49af-a247-433ff738df00/
SH256 hash:
00b9c0120df0595184523a3620ef9b3c3e11fc0e61d366d7eeabb646647cfceb
MD5 hash:
bd1f243ee2140f2f6118a7754ea02a63
SHA1 hash:
cdf7dd7dd1771edcc473037af80afd7e449e30d9
Link:
https://www.unpac.me/results/a92d20ab-079b-49af-a247-433ff738df00/
SH256 hash:
ad80064f71d273967dcf0b14b9cd6e84d79a132231d619687d9266c7807bdfe0
MD5 hash:
a35ee23aaab26afc575ac83df9572b57
SHA1 hash:
81ea38c694ce9702faddfb961f17c1bbf628a76d
Link:
https://www.unpac.me/results/a92d20ab-079b-49af-a247-433ff738df00/
SH256 hash:
e37aa72bca3cecb9bdbe51cbd81ec1143bb17163088a1379a4ccb93f5d881e76
MD5 hash:
5cac4fe734fc8454ccb847e030beee38
SHA1 hash:
34298fe220e35f614b2c837cf1dc2604ab0882d6
Link:
https://www.unpac.me/results/a92d20ab-079b-49af-a247-433ff738df00/
SH256 hash:
b8c479c8f43982f934d0239414add128c4cb94a8376cfd6150dc52c0395ad90d
MD5 hash:
be15731ec7cdca6019f9e37d5979d9b8
SHA1 hash:
5d2ef63dfb98001b2323e8187dd7d15686e9984e
Link:
https://www.unpac.me/results/a92d20ab-079b-49af-a247-433ff738df00/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b8c479c8f43982f934d0239414add128c4cb94a8376cfd6150dc52c0395ad90d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RansomPyShield_Antiransomware
Create hunting rule
Author:XiAnzheng
Description:Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DBatLoader

Executable exe b8c479c8f43982f934d0239414add128c4cb94a8376cfd6150dc52c0395ad90d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3332815/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteA
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::OpenProcess
kernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::TerminateProcess
kernel32.dll::LoadLibraryExA
kernel32.dll::LoadLibraryA
kernel32.dll::GetSystemInfo
kernel32.dll::GetStartupInfoA
kernel32.dll::GetDiskFreeSpaceA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::GetWindowsDirectoryA
kernel32.dll::FindFirstFileA
version.dll::GetFileVersionInfoSizeA
version.dll::GetFileVersionInfoA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegCreateKeyExA
advapi32.dll::RegDeleteKeyA
advapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryInfoKeyA
advapi32.dll::RegQueryValueExA
advapi32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::FindWindowA
user32.dll::PeekMessageA
user32.dll::CreateWindowExA

Comments