MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cbee6701678f9540be9fcda93fd63ef7aefb9535545d37807db470dc49c46877. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cbee6701678f9540be9fcda93fd63ef7aefb9535545d37807db470dc49c46877
SHA3-384 hash: 7dbf7f8ecb666fe9ef843c2e8734fb9138d6503e72e8a3dd928ef5afde5ac63af8b63db5b278f41727abcbf0f25bff5e
SHA1 hash: 4330d9b6e4f50d5c4c349106293dddd39bf0740e
MD5 hash: 43f58cf8d3954325d018d0c96a80648a
humanhash: low-ink-football-winter
File name:43f58cf8d3954325d018d0c96a80648a
Download: download sample
Signature DBatLoader
Create hunting rule
File size:1'006'080 bytes
First seen:2021-12-31 16:42:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0ebb3c09b06b1666d307952e824c8697 (15 x RedLineStealer, 13 x LgoogLoader, 7 x NanoCore)
ssdeep 24576:VEdr6QC2VVxBT3x2R/yQjttVni1hTbm0YnDJY:Sdr6QVbT3xs/ywjFETbrYnD
TLSH T19225F041A7F89129F0F73FB15EB906625A3ABCA1BD74C20E6249789E4C71B80CD71727
File icon (PE):PE icon
dhash icon 0002005455000200 (1 x DBatLoader)
Reporter zbetcheckin
Tags:32 DBatLoader exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
295
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
43f58cf8d3954325d018d0c96a80648a
Verdict:
Malicious activity
Analysis date:
2021-12-31 16:43:42 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/bc50292e-214f-4df4-8e48-a1803f616c4c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/216954/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38030323.18253.11722.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Launching a process
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Creating a process from a recently created file
Сreating synchronization primitives
DNS request
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/3582/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/61cf331a4ab5c44cbf590626/reports/f5a42a18-3448-4db7-ad72-a968772d8dbd/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
FormGrabber
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0f36d0eb-e146-48a3-a807-57714137d589
Result
Threat name:
DBatLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/914343
Signature
Creates processes via WMI
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Uses nslookup.exe to query domains
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected DBatLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 546821 Sample: ZnJdmnnPQH Startdate: 31/12/2021 Architecture: WINDOWS Score: 100 65 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->65 67 Multi AV Scanner detection for submitted file 2->67 69 Yara detected DBatLoader 2->69 71 Sigma detected: Drops script at startup location 2->71 10 ZnJdmnnPQH.exe 1 5 2->10         started        12 QabDSeshZk.exe.com 2->12         started        16 wscript.exe 2->16         started        18 rundll32.exe 2->18         started        process3 dnsIp4 20 cmd.exe 1 10->20         started        23 rundll32.exe 10->23         started        57 DJOVBbwbHsqqNbADmYdrj.DJOVBbwbHsqqNbADmYdrj 12->57 91 Uses nslookup.exe to query domains 12->91 93 Writes to foreign memory regions 12->93 95 Injects a PE file into a foreign processes 12->95 25 nslookup.exe 12->25         started        97 Creates processes via WMI 16->97 signatures5 process6 signatures7 73 Obfuscated command line found 20->73 75 Uses ping.exe to sleep 20->75 77 Drops PE files with a suspicious file extension 20->77 79 Uses ping.exe to check the status of other devices and networks 20->79 27 cmd.exe 3 20->27         started        31 conhost.exe 20->31         started        process8 file9 53 C:\Users\user\AppData\Local\...\Sapra.exe.com, PE32 27->53 dropped 87 Obfuscated command line found 27->87 89 Uses ping.exe to sleep 27->89 33 Sapra.exe.com 27->33         started        36 findstr.exe 1 27->36         started        38 PING.EXE 1 27->38         started        signatures10 process11 signatures12 61 Drops PE files with a suspicious file extension 33->61 63 Uses nslookup.exe to query domains 33->63 40 Sapra.exe.com 6 33->40         started        process13 dnsIp14 55 DJOVBbwbHsqqNbADmYdrj.DJOVBbwbHsqqNbADmYdrj 40->55 49 C:\Users\user\AppData\...\QabDSeshZk.exe.com, PE32 40->49 dropped 51 C:\Users\user\AppData\...\QabDSeshZk.url, MS 40->51 dropped 81 Uses nslookup.exe to query domains 40->81 83 Writes to foreign memory regions 40->83 85 Injects a PE file into a foreign processes 40->85 45 nslookup.exe 40->45         started        file15 signatures16 process17 dnsIp18 59 195.93.173.192, 49755, 49758, 49759 UKRTELNETUA Ukraine 45->59 99 Tries to harvest and steal browser information (history, passwords, etc) 45->99 signatures19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cbee6701678f9540be9fcda93fd63ef7aefb9535545d37807db470dc49c46877/
Threat name:
Win32.Trojan.Bingoml
Create hunting rule
Status:
Malicious
First seen:
2021-12-28 17:50:00 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader bootkit persistence suricata trojan
Link:
https://tria.ge/reports/211231-t78znafeen/
Behaviour
Runs ping.exe
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Writes to the Master Boot Record (MBR)
Drops startup file
Loads dropped DLL
Executes dropped EXE
ModiLoader First Stage
ModiLoader, DBatLoader
suricata: ET MALWARE Win32/Delf.BLL Variant CnC Activity (Inbound)
suricata: ET MALWARE Win32/Delf.BLL Variant CnC Activity (Outbound)
Unpacked files
SH256 hash:
a92a1a64e8b7a0c15e343e8fa45723c60fdd625ad5df2a070f0e5b18b9d9c535
MD5 hash:
0b8ed803aa5b5bcbbe9d74ace33ff261
SHA1 hash:
4b57b572997c7b0ee7629e8d76d7370f312001f6
Link:
https://www.unpac.me/results/f2f682b3-ea62-47d3-834c-8ebb292b51cf/
SH256 hash:
cbee6701678f9540be9fcda93fd63ef7aefb9535545d37807db470dc49c46877
MD5 hash:
43f58cf8d3954325d018d0c96a80648a
SHA1 hash:
4330d9b6e4f50d5c4c349106293dddd39bf0740e
Link:
https://www.unpac.me/results/f2f682b3-ea62-47d3-834c-8ebb292b51cf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cbee6701678f9540be9fcda93fd63ef7aefb9535545d37807db470dc49c46877

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DBatLoader

Executable exe cbee6701678f9540be9fcda93fd63ef7aefb9535545d37807db470dc49c46877

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1939097/
Cape
Cape
https://www.capesandbox.com/analysis/216954/

Comments


Avatar
zbet commented on 2021-12-31 16:42:25 UTC

url : hxxp://45.144.225.57/EU/UvKhHru500eu.exe