MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bcc2e33d331dbe662d0d845f4210de0613e8b6bb91565ee41cc198ffb7024fcc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bcc2e33d331dbe662d0d845f4210de0613e8b6bb91565ee41cc198ffb7024fcc
SHA3-384 hash: 139eeef9f0615f9e976a677cec332ff68931181d1068ab9a008525a6e781ab7e447068f0df20fa4ddebae7d63d757c24
SHA1 hash: ef0c936e72ef5f62610cad4981bffc78d352fd53
MD5 hash: 736060b59a453f04bbdfa9768eaa820a
humanhash: green-kilo-minnesota-mirror
File name:IMAGEDocumentsDOC0559DOC0302732112202135JIHG.exe
Download: download sample
Signature DBatLoader
Create hunting rule
File size:1'162'752 bytes
First seen:2022-07-05 09:07:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9c6d72504caee99d6f79636b4ec0876d (1 x RemcosRAT, 1 x Formbook, 1 x DBatLoader)
ssdeep 24576:j0MESs7F/WvmnaMKQaD+Mme3rmystFvDgIF7c5:ofJ83rlstFvDpF7c
Threatray 2'504 similar samples on MalwareBazaar
TLSH T103359DA2BB63803BC0E215798D6BF66988D77E126DDCA8C767F57E0B3A34641341D903
TrID 26.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
24.5% (.SCR) Windows screen saver (13101/52/3)
19.7% (.EXE) Win64 Executable (generic) (10523/12/4)
8.4% (.EXE) Win32 Executable (generic) (4505/5/1)
5.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon 27d0d4d6d0d87007 (4 x RemcosRAT, 3 x AveMariaRAT, 2 x Formbook)
Reporter Anonymous
Tags:DBatLoader exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
218
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Fareit-FCVN04B0AC04354F.30114.16185.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Launching a process
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/23843/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit keylogger
Link:
https://www.filescan.io/uploads/62c3ffae11764e36f8163a22/reports/3fe566f1-ea3b-47c7-9313-0f3a3d541ba7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6921ff48-af32-4c28-be65-93c4a63460fd
Result
Threat name:
DBatLoader
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1024667
Signature
Antivirus / Scanner detection for submitted sample
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected DBatLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bcc2e33d331dbe662d0d845f4210de0613e8b6bb91565ee41cc198ffb7024fcc/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-07-04 04:24:02 UTC
File Type:
PE (Exe)
Extracted files:
56
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xtbogpjtdw7gmlinqrpueeg6ayj6rnv3sflf5za4ygmp7nycj7ga._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
1015aaf219bd6c756e9e5224d219ed551795585e383fb4a6d2a566e7c8dabad5
DBatLoader
81b648fca4135b631044dd68aee71ee704dcc930ae635658b9438585c5dc6b90
DBatLoader
8b759b06f4ac7b60429a8570e0faa36ac691fc03430f94cfae2bc6fcc1d0de63
DBatLoader
bec0e99c27a1be5e7f2ad71f8ebf6153a71ad0026c7a102db8228ad0638c37fe
DBatLoader
d3b0ff3262302f0478cdc55f8d77d9d7c999255282a3181bd6cc09a252077ee9
DBatLoader
db5081b362e1b639dadf98a1d8e7ff79f7a9dcaee67417795bec75b8897973a0
DBatLoader
+ 2'494 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:simsek-4-po persistence rat trojan
Link:
https://tria.ge/reports/220705-k3x7xsffcm/
Behaviour
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
www.simsekaluminyurn.com:2404
Unpacked files
SH256 hash:
0b4b7d7628499c9d0c62562dc64f22baf5390cd32f71e0317c259511ae85b5b6
MD5 hash:
d6e8fb9c9383709a7475144fbc74cb44
SHA1 hash:
3dc32f98eb13d725511b64924730132883ad3591
Link:
https://www.unpac.me/results/f9a105fa-8583-4578-991e-5eaa7278e72c/
SH256 hash:
bcc2e33d331dbe662d0d845f4210de0613e8b6bb91565ee41cc198ffb7024fcc
MD5 hash:
736060b59a453f04bbdfa9768eaa820a
SHA1 hash:
ef0c936e72ef5f62610cad4981bffc78d352fd53
Link:
https://www.unpac.me/results/f9a105fa-8583-4578-991e-5eaa7278e72c/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DBatLoader

Executable exe bcc2e33d331dbe662d0d845f4210de0613e8b6bb91565ee41cc198ffb7024fcc

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments