MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5bdbba41fb3b8126904b5ce2c136d922f479e2c47b1eead8c093a6ba49ced7b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c5bdbba41fb3b8126904b5ce2c136d922f479e2c47b1eead8c093a6ba49ced7b
SHA3-384 hash: 57bc1309c524ced5a2e8f376561ef91875226cf1b996064456cfcd6414a2a9ad45b95571738713c98097299c8ead0a26
SHA1 hash: 1f87d88f77938fd45fff0dfb2d619542af3efd54
MD5 hash: 7f042f4f44e75956867b78c08522afc4
humanhash: idaho-summer-kansas-lion
File name:mygirlgreatthikinggoodforentiretimebestforme.hta
Download: download sample
Signature DBatLoader
Create hunting rule
File size:13'964 bytes
First seen:2025-03-20 10:22:24 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 48:3sjk6YfXHjk6YrSXFM/zYxDpy55AoNDYidM1jk6Y+jjk6YktXsjk6Y8G:8lGXlpMYxNe5nJilFl5cl6
Threatray 39 similar samples on MalwareBazaar
TLSH T1FC52B7597C51FC8C4786A2A907CC9CD0182C0FAE5480B145B28E63F6533A769ECDBBD3
Magika html
Reporter abuse_ch
Tags:DBatLoader hta

Intelligence

File Origin
# of uploads :
1
# of downloads :
105
Origin country :
DE DE
Vendor Threat Intelligence
Verdict:
Clean
Score:
N/A%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67dbec9d9388e75d078ee02b
Tags:
n/a
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/c5bdbba41fb3b8126904b5ce2c136d922f479e2c47b1eead8c093a6ba49ced7b/results/dashboard
Payload URLs
URL
File name
http://198.23.212.233/550/cvvs.exe
HTA File
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/67dbecaab93e688233f056eb/reports/e131a667-1bf2-41fd-8233-6592c7217731/overview
Verdict:
Malicious
Labled as:
VBS.Asthma.2.69E11E8A
Link:
https://www.hybrid-analysis.com/sample/c5bdbba41fb3b8126904b5ce2c136d922f479e2c47b1eead8c093a6ba49ced7b
Result
Verdict:
MALICIOUS
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
Cobalt Strike, DBatLoader, MSIL Logger,
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1644107
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Detected Cobalt Strike Beacon
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files with a suspicious file extension
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Powershell drops PE file
Sample uses process hollowing technique
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Suspicious MSHTA Child Process
Suricata IDS alerts for network traffic
Suspicious command line found
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected MassLogger RAT
Yara detected MSIL Logger
Yara detected Powershell decode and execute
Yara detected PureLog Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1644107 Sample: mygirlgreatthikinggoodforen... Startdate: 20/03/2025 Architecture: WINDOWS Score: 100 56 reallyfreegeoip.org 2->56 58 checkip.dyndns.org 2->58 60 checkip.dyndns.com 2->60 66 Suricata IDS alerts for network traffic 2->66 68 Found malware configuration 2->68 70 Malicious sample detected (through community Yara rule) 2->70 74 16 other signatures 2->74 11 mshta.exe 1 2->11         started        signatures3 72 Tries to detect the country of the analysis system (by using the IP) 56->72 process4 signatures5 88 Suspicious command line found 11->88 90 PowerShell case anomaly found 11->90 14 cmd.exe 1 11->14         started        process6 signatures7 92 Detected Cobalt Strike Beacon 14->92 94 Suspicious powershell command line found 14->94 96 PowerShell case anomaly found 14->96 17 powershell.exe 45 14->17         started        22 conhost.exe 14->22         started        process8 dnsIp9 54 198.23.212.233, 49687, 80 AS-COLOCROSSINGUS United States 17->54 44 C:\Users\user\AppData\Roaming\cvvs.exe, PE32 17->44 dropped 46 C:\Users\user\AppData\Local\...\cvvs[1].exe, PE32 17->46 dropped 48 C:\Users\user\AppData\...\21stw1sa.cmdline, Unicode 17->48 dropped 76 Loading BitLocker PowerShell Module 17->76 78 Powershell drops PE file 17->78 24 cvvs.exe 6 17->24         started        28 csc.exe 3 17->28         started        file10 signatures11 process12 file13 50 C:\Users\user\Links\bmfeyeaJ.pif, PE32 24->50 dropped 80 Antivirus detection for dropped file 24->80 82 Drops PE files with a suspicious file extension 24->82 84 Writes to foreign memory regions 24->84 86 3 other signatures 24->86 30 bmfeyeaJ.pif 15 2 24->30         started        34 cmd.exe 1 24->34         started        36 cmd.exe 1 24->36         started        52 C:\Users\user\AppData\Local\...\21stw1sa.dll, PE32 28->52 dropped 38 cvtres.exe 1 28->38         started        signatures14 process15 dnsIp16 62 checkip.dyndns.com 158.101.44.242, 49688, 80 ORACLE-BMC-31898US United States 30->62 64 reallyfreegeoip.org 104.21.64.1, 443, 49689 CLOUDFLARENETUS United States 30->64 98 Detected unpacking (changes PE section rights) 30->98 100 Detected unpacking (overwrites its own PE header) 30->100 102 Tries to steal Mail credentials (via file / registry access) 30->102 104 Tries to harvest and steal browser information (history, passwords, etc) 30->104 40 conhost.exe 34->40         started        42 conhost.exe 36->42         started        signatures17 process18
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/c5bdbba41fb3b8126904b5ce2c136d922f479e2c47b1eead8c093a6ba49ced7b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c5bdbba41fb3b8126904b5ce2c136d922f479e2c47b1eead8c093a6ba49ced7b/
Threat name:
Script-WScript.Trojan.Asthma
Create hunting rule
Status:
Malicious
First seen:
2025-03-20 10:23:23 UTC
File Type:
Text (HTML)
Extracted files:
1
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yw63xja7wo4be2iewxhcye3nsixuphrmi6y65lmmbe5gxje45v5q._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
dbatloader
Create hunting rule
Similar samples:
0ec55f7abd7ebe7dee1e9267619f13e015cd6a27f52e62f4638eb4c0906d8d4e
DBatLoader
52fa8d3fd8ba1eb0db5d259134167fd2085b0e54f1c7ba053aeab24b2b2c50af
DBatLoader
5e18bfde60f96b7ea7de2182379c6c50ff90c0dcb67872498526c02b25363387
DBatLoader
7b408a4b96dafc7827412d9e9caf5075e0fd398c58d22ea3607399f609d3a88f
DBatLoader
92b04adb83d15beda4030aed92dd90658783cf892537a6d40dc1892750fba2de
DBatLoader
95d10ff038effd4a63c0cdd97b40da1877c01a21d91cf0d72917387f1771d024
DBatLoader
ad50c64c49f0ea386631f5c53a2ee7bd952e5168f5234704f9cb4f9be32f5944
DBatLoader
cd55a0fca162c8ed4493b56ba136d841207fee9868c5952335371f6c19ea78e1
DBatLoader
error
DBatLoader
fa03da1f02ff38f19efbe7344740a83755b04fb3561bc61ae14e5c5ab91d01b6
DBatLoader
+ 29 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader collection defense_evasion discovery execution spyware stealer trojan
Link:
https://tria.ge/reports/250320-mezf7atqs9/
Behaviour
Modifies Internet Explorer settings
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Evasion via Device Credential Deployment
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Malware family:
PrivateLogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c5bdbba41fb3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c5bdbba41fb3b8126904b5ce2c136d922f479e2c47b1eead8c093a6ba49ced7b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DBatLoader

HTML Application (hta) hta c5bdbba41fb3b8126904b5ce2c136d922f479e2c47b1eead8c093a6ba49ced7b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3483483/
  
Delivery method
Distributed via web download

Comments