MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8fc78826fabd9eabf03716ec20f3d37cac8df761278108b3ef8af4e5d353c6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b8fc78826fabd9eabf03716ec20f3d37cac8df761278108b3ef8af4e5d353c6f
SHA3-384 hash: c488fd6518541025980bcee49a870b450fcf0a1f17bbb4c66692bbd1f0bf13579125ef11fa6e46165565b6a475ba3c46
SHA1 hash: f2b1f769e30e7d9660816d246eef31dc22542069
MD5 hash: 2a45d8e8d66c9a11ce2c51df8c0425ba
humanhash: floor-indigo-harry-burger
File name:GHP98656789909876.cmd
Download: download sample
Signature DBatLoader
Create hunting rule
File size:1'314'816 bytes
First seen:2023-10-26 07:09:56 UTC
Last seen:2023-10-27 14:07:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b4498ed238a5d5d6510e036e3bb29986 (8 x DBatLoader, 1 x AgentTesla)
ssdeep 24576:bKuO345cRv/kabphVsJhfYPzyB+4Buxrhre0QZd/0hkEBS/:bLysS24mwe0CMkEe
Threatray 13 similar samples on MalwareBazaar
TLSH T1BD55E026F21548B5F03A0A3A6C2B572E9F1DAD693A98290B17FC7F581F31243356D1B3
TrID 36.1% (.SCR) Windows screen saver (13097/50/3)
29.0% (.EXE) Win64 Executable (generic) (10523/12/4)
12.4% (.EXE) Win32 Executable (generic) (4505/5/1)
5.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
5.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 2a666013d6d253ac (12 x DBatLoader, 1 x AgentTesla, 1 x RemcosRAT)
Reporter abuse_ch
Tags:cmd DBatLoader exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
298
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
GHP98656789909876.cmd
Verdict:
Malicious activity
Analysis date:
2023-10-26 07:23:57 UTC
Tags:
dbatloader rat remcos sinkhole keylogger
Link:
https://app.any.run/tasks/fabf40a3-704d-4f71-acda-365d21905679

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/456481/
Detection(s):
Porcupine.Backdoor.Win32.Remcos.gen.182185.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
80%
Tags:
control keylogger lolbin masquerade modiloader packed remcos zusy
Link:
https://www.filescan.io/uploads/653a10cf4ebf05ac3f3a0c74/reports/78674bb8-6451-4d72-bf81-e6a263421e2a/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/b8fc78826fabd9eabf03716ec20f3d37cac8df761278108b3ef8af4e5d353c6f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dbatloader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0a6070c4-4d54-4b91-8ab2-9ffa12f85d1a
Result
Threat name:
Remcos, DBatLoader
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1332475
Signature
Adds a directory exclusion to Windows Defender
Allocates many large memory junks
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to inject code into remote processes
Contains functionality to modify clipboard data
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1332475 Sample: GHP98656789909876.cmd.exe Startdate: 26/10/2023 Architecture: WINDOWS Score: 100 71 web.fe.1drv.com 2->71 73 oopq3w.db.files.1drv.com 2->73 75 3 other IPs or domains 2->75 85 Snort IDS alert for network traffic 2->85 87 Multi AV Scanner detection for domain / URL 2->87 89 Found malware configuration 2->89 91 11 other signatures 2->91 12 GHP98656789909876.cmd.exe 1 7 2->12         started        16 Bocgdgqd.PIF 2->16         started        signatures3 process4 file5 65 C:\Users\Public\Libraries\netutils.dll, PE32+ 12->65 dropped 67 C:\Users\Public\Libraries\easinvoker.exe, PE32+ 12->67 dropped 69 C:\Users\Public\Libraries\Bocgdgqd.PIF, PE32 12->69 dropped 115 Drops PE files with a suspicious file extension 12->115 117 Writes to foreign memory regions 12->117 119 Allocates memory in foreign processes 12->119 125 2 other signatures 12->125 18 colorcpl.exe 5 16 12->18         started        23 cmd.exe 1 12->23         started        121 Multi AV Scanner detection for dropped file 16->121 123 Machine Learning detection for dropped file 16->123 25 colorcpl.exe 16->25         started        signatures6 process7 dnsIp8 77 80.76.51.172, 49721, 49722, 8787 CLOUDCOMPUTINGDE Bulgaria 18->77 79 geoplugin.net 178.237.33.50, 49723, 80 ATOM86-ASATOM86NL Netherlands 18->79 59 C:\ProgramData\remcos\logs.dat, data 18->59 dropped 93 Contains functionality to bypass UAC (CMSTPLUA) 18->93 95 Tries to steal Mail credentials (via file registry) 18->95 97 Contains functionalty to change the wallpaper 18->97 105 8 other signatures 18->105 27 colorcpl.exe 18->27         started        30 colorcpl.exe 18->30         started        32 colorcpl.exe 18->32         started        34 colorcpl.exe 18->34         started        99 Uses ping.exe to sleep 23->99 101 Drops executables to the windows directory (C:\Windows) and starts them 23->101 103 Uses ping.exe to check the status of other devices and networks 23->103 36 easinvoker.exe 23->36         started        38 PING.EXE 1 23->38         started        41 xcopy.exe 2 23->41         started        44 8 other processes 23->44 file9 signatures10 process11 dnsIp12 109 Tries to steal Instant Messenger accounts or passwords 27->109 111 Tries to steal Mail credentials (via file / registry access) 27->111 113 Tries to harvest and steal browser information (history, passwords, etc) 30->113 46 cmd.exe 1 36->46         started        81 127.0.0.1 unknown unknown 38->81 61 C:\Windows \System32\easinvoker.exe, PE32+ 41->61 dropped 63 C:\Windows \System32\netutils.dll, PE32+ 44->63 dropped file13 signatures14 process15 signatures16 127 Adds a directory exclusion to Windows Defender 46->127 49 cmd.exe 1 46->49         started        52 conhost.exe 46->52         started        process17 signatures18 83 Adds a directory exclusion to Windows Defender 49->83 54 powershell.exe 23 49->54         started        process19 signatures20 107 DLL side loading technique detected 54->107 57 conhost.exe 54->57         started        process21
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b8fc78826fabd9eabf03716ec20f3d37cac8df761278108b3ef8af4e5d353c6f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b8fc78826fabd9eabf03716ec20f3d37cac8df761278108b3ef8af4e5d353c6f/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2023-10-24 11:22:14 UTC
File Type:
PE (Exe)
Extracted files:
46
AV detection:
22 of 23 (95.65%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xd6hratpvpm6vpydofxmedz5g7fmrx3wcj4bbcz67cxu4xjvhrxq._file
Verdict:
malicious
Similar samples:
052e1b54c491c63c662fa47b08b71ba2f2c25bbb20bca619893785b87f90257d
DBatLoader
1355e7cc9be9bbd45a846e2c1bfd3f0ad58465e8e1fac10d0372ea3d8a2e8652
DBatLoader
204d5541a347bee64224d392403286271bc2351c50101e89b19e896f1756b389
DBatLoader
2de867d8517763734d6a3d0f73152371ea29f1523d070ba099ec9cafebacb20d
DBatLoader
310fef60a83b23ae386a9fd256ee6025493365aa9233a69446f63519e1f6a2e4
DBatLoader
5e9fb70e299a28b494b0ef9522226219e4dbf7dcf1aeae541f23eaa90ff3f28f
DBatLoader
85ca618bef7b97885f9f8c83a5abcb5afcafe9b6ffc3db6893a0dcdd61f6a891
DBatLoader
a2ccfb3d7a86abe20bf59f9e50958e1c6bb130fb80034e33555d014933245b04
DBatLoader
e4fbd0f46d093579c855bf711e874a5ba4e6f3ea047ae5964a08bfb1e762d4f6
DBatLoader
+ 3 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader trojan
Link:
https://tria.ge/reports/231026-hzdyrsec79/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
ModiLoader Second Stage
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
3263fadc75d4a252603c134a70373f8f41ff8bbf8cf197dcc2b4c6f0fab227c5
MD5 hash:
4260202256dbe246f2618015a89e6922
SHA1 hash:
99e6a7c0e1e4b5fdd50bb8e78ea69256f0c8938f
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/77592b89-30ab-4f0b-b348-da3c5c3e78b2/
SH256 hash:
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
MD5 hash:
c116d3604ceafe7057d77ff27552c215
SHA1 hash:
452b14432fb5758b46f2897aeccd89f7c82a727d
Link:
https://www.unpac.me/results/77592b89-30ab-4f0b-b348-da3c5c3e78b2/
SH256 hash:
b8fc78826fabd9eabf03716ec20f3d37cac8df761278108b3ef8af4e5d353c6f
MD5 hash:
2a45d8e8d66c9a11ce2c51df8c0425ba
SHA1 hash:
f2b1f769e30e7d9660816d246eef31dc22542069
Link:
https://www.unpac.me/results/77592b89-30ab-4f0b-b348-da3c5c3e78b2/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b8fc78826fab/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DBatLoader

Executable exe b8fc78826fabd9eabf03716ec20f3d37cac8df761278108b3ef8af4e5d353c6f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/456481/

Comments