MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9e1785bc8bf36c1e16b38755288f7b726f4ff29a87dfda9004c8f6d9400c51d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c9e1785bc8bf36c1e16b38755288f7b726f4ff29a87dfda9004c8f6d9400c51d
SHA3-384 hash: eac614ec475c8572a0667aa16b7c93450b4dd08a8be1cf340a2cdc0d478e21b4dca099e9cb5e3003c40119a7dfe68342
SHA1 hash: 42d2320cda186fdb872b267c710b1b71fa47d82b
MD5 hash: 978f734a0a775c9a3adc587c3b1a545b
humanhash: minnesota-high-maryland-twelve
File name:HSBC Payment Advice_pdf.bat
Download: download sample
Signature DBatLoader
Create hunting rule
File size:1'469'440 bytes
First seen:2023-08-30 06:32:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9e77d7ed051434d0048aafe40409c859 (3 x DBatLoader, 1 x RemcosRAT)
ssdeep 24576:V+Q36wOVeW7QR0uN6ASBIbGBkYcjAYKUx7ADHxOx4yHR7eHKwxK5K2TKEDDNuhoV:V+Q6XfbrYdA7khFoacMz8o6
Threatray 2 similar samples on MalwareBazaar
TLSH T19165C0E36660C973E1B229787F2BA3F85C2D7E352D2975866AF23D4C0A39540392D1C7
TrID 30.5% (.SCR) Windows screen saver (13097/50/3)
24.5% (.EXE) Win64 Executable (generic) (10523/12/4)
15.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.5% (.EXE) Win32 Executable (generic) (4505/5/1)
4.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 308a8a8c888a8a30 (5 x SnakeKeylogger, 4 x CobaltStrike, 3 x DBatLoader)
Reporter abuse_ch
Tags:bat DBatLoader exe HSBC

Intelligence

File Origin
# of uploads :
1
# of downloads :
273
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
HSBC Payment Advice_pdf.bat
Verdict:
Malicious activity
Analysis date:
2023-08-30 06:36:20 UTC
Tags:
dbatloader
Link:
https://app.any.run/tasks/643489bd-6ec3-4d4b-9000-5f295c4ef709

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
ModiLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/445230/
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.22148.17114.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Sending a custom TCP request
DNS request
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control greyware keylogger lolbin masquerade packed
Link:
https://www.filescan.io/uploads/64eee2a72a47256e3a2e861f/reports/0c94bfd5-f6b1-473b-a144-fee0d83055fc/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/c9e1785bc8bf36c1e16b38755288f7b726f4ff29a87dfda9004c8f6d9400c51d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dbatloader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1bd41a1c-52ac-4f14-bd80-ea32efb18160
Result
Threat name:
DBatLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1300180
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1300180 Sample: HSBC_Payment_Advice_pdf.bat.exe Startdate: 30/08/2023 Architecture: WINDOWS Score: 100 74 www.wobita.net 2->74 76 wobita.net 2->76 92 Found malware configuration 2->92 94 Malicious sample detected (through community Yara rule) 2->94 96 Antivirus detection for URL or domain 2->96 98 10 other signatures 2->98 12 HSBC_Payment_Advice_pdf.bat.exe 1 7 2->12         started        17 Zdhjnhyd.PIF 2->17         started        signatures3 process4 dnsIp5 78 web.fe.1drv.com 12->78 80 onedrive.live.com 12->80 86 2 other IPs or domains 12->86 58 C:\Users\Public\Libraries\netutils.dll, PE32+ 12->58 dropped 60 C:\Users\Public\Libraries\easinvoker.exe, PE32+ 12->60 dropped 62 C:\Users\Public\Libraries\Zdhjnhyd.PIF, PE32 12->62 dropped 126 Drops PE files with a suspicious file extension 12->126 128 Writes to foreign memory regions 12->128 130 Allocates memory in foreign processes 12->130 19 cmd.exe 1 12->19         started        22 SndVol.exe 12->22         started        82 web.fe.1drv.com 17->82 84 onedrive.live.com 17->84 88 2 other IPs or domains 17->88 132 Multi AV Scanner detection for dropped file 17->132 134 Machine Learning detection for dropped file 17->134 136 Injects a PE file into a foreign processes 17->136 24 colorcpl.exe 17->24         started        file6 signatures7 process8 signatures9 100 Uses ping.exe to sleep 19->100 102 Drops executables to the windows directory (C:\Windows) and starts them 19->102 104 Uses ping.exe to check the status of other devices and networks 19->104 26 easinvoker.exe 19->26         started        28 PING.EXE 1 19->28         started        31 xcopy.exe 2 19->31         started        36 8 other processes 19->36 106 Maps a DLL or memory area into another process 22->106 108 Queues an APC in another process (thread injection) 22->108 34 MVFmDXiCyCpIYpdbyrnLOCRZjQ.exe 22->34 injected process10 dnsIp11 38 cmd.exe 1 26->38         started        90 127.0.0.1 unknown unknown 28->90 64 C:\Windows \System32\easinvoker.exe, PE32+ 31->64 dropped 41 ipconfig.exe 13 34->41         started        66 C:\Windows \System32\netutils.dll, PE32+ 36->66 dropped file12 process13 signatures14 112 Adds a directory exclusion to Windows Defender 38->112 43 cmd.exe 1 38->43         started        46 conhost.exe 38->46         started        114 Tries to steal Mail credentials (via file / registry access) 41->114 116 Tries to harvest and steal browser information (history, passwords, etc) 41->116 118 Modifies the context of a thread in another process (thread injection) 41->118 120 2 other signatures 41->120 48 explorer.exe 41->48 injected 51 MVFmDXiCyCpIYpdbyrnLOCRZjQ.exe 41->51 injected process15 dnsIp16 122 Adds a directory exclusion to Windows Defender 43->122 53 powershell.exe 23 43->53         started        68 www.openlend.lat 89.187.165.194, 49781, 80 CDN77GB Czech Republic 48->68 70 www.sinpercar.com 48->70 72 zhs.zohosites.com 136.143.186.12, 49782, 49783, 49784 ZOHO-ASUS United States 48->72 124 System process connects to network (likely due to code injection or exploit) 48->124 signatures17 process18 signatures19 110 DLL side loading technique detected 53->110 56 conhost.exe 53->56         started        process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c9e1785bc8bf36c1e16b38755288f7b726f4ff29a87dfda9004c8f6d9400c51d/
Threat name:
Win32.Trojan.Nekark
Create hunting rule
Status:
Malicious
First seen:
2023-08-30 06:13:01 UTC
File Type:
PE (Exe)
Extracted files:
34
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zhqxqw6ix43mdyllhb2vfchxw4tpj7zjvb673kiajshw3faayuoq._file
Verdict:
malicious
Similar samples:
33ca9923e204fe49ca08062c7799a0edd936be726f89e661756e058677eb4a96
DBatLoader
8be7eccf75282dc9c49fb20b4c7a500cf4fcd2e5401892dea640f0fd0663524e
DBatLoader
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader persistence trojan
Link:
https://tria.ge/reports/230830-ha76badc4x/
Behaviour
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
ModiLoader Second Stage
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
fab3ed7015b2ba7407ad3a3dfc79ff4974e2d61291253be77708f128c7b356d3
MD5 hash:
ef768905084ccac5ff9fd48d3508d9a8
SHA1 hash:
e9a8747d2a58def28c95096c8d404da2faa4ca02
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/3a5a3bdf-12cf-4175-9b79-d3925da0476e/
SH256 hash:
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
MD5 hash:
c116d3604ceafe7057d77ff27552c215
SHA1 hash:
452b14432fb5758b46f2897aeccd89f7c82a727d
Link:
https://www.unpac.me/results/3a5a3bdf-12cf-4175-9b79-d3925da0476e/
SH256 hash:
c9e1785bc8bf36c1e16b38755288f7b726f4ff29a87dfda9004c8f6d9400c51d
MD5 hash:
978f734a0a775c9a3adc587c3b1a545b
SHA1 hash:
42d2320cda186fdb872b267c710b1b71fa47d82b
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/3a5a3bdf-12cf-4175-9b79-d3925da0476e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c9e1785bc8bf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c9e1785bc8bf36c1e16b38755288f7b726f4ff29a87dfda9004c8f6d9400c51d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DBatLoader

Executable exe c9e1785bc8bf36c1e16b38755288f7b726f4ff29a87dfda9004c8f6d9400c51d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/445230/

Comments