MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cdf4b7a712d127e76cb563adcdc03a65abb78b7b2b7078db9eed046a9120384d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DBatLoader

Vendor detections: 16

Intelligence 16 IOCs YARA 4 File information Comments

SHA256 hash:	cdf4b7a712d127e76cb563adcdc03a65abb78b7b2b7078db9eed046a9120384d
SHA3-384 hash:	4080dff8b946bff1d04742a632f272d5f68d41a4b4d358763b58e3336842c7c7c89e0369d32f5e1c8ddd4154dc3061bf
SHA1 hash:	226ab7140c105de6cda4f6526fac2fbc8df42073
MD5 hash:	7c0c604d40d2507a27849f5795547ee8
humanhash:	colorado-finch-berlin-tango
File name:	1403-0569 pdf.exe
Download:	download sample
Signature	DBatLoader Create hunting rule
File size:	1'544'192 bytes
First seen:	2024-08-29 09:28:37 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	0de255985d7b32e559f7b245e58a691a (2 x DBatLoader)
ssdeep	24576:9PV6rANTFY+l/yKJc6q7Qh6AMskY/m2AIvO4+UVBAlUz:92A5zq7Qh6ApqI/4
Threatray	14 similar samples on MalwareBazaar
TLSH	T1DD655B96E2E14433C91615FBB887A3947A1F7B519A1D54C2B6BE3B381E34EC82401FB7
TrID	82.8% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58) 7.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 5.3% (.EXE) InstallShield setup (43053/19/16) 1.7% (.EXE) Win32 Executable Delphi generic (14182/79/4) 1.3% (.EXE) Win64 Executable (generic) (10523/12/4)
Magika	pebin
File icon (PE):
dhash icon	d89838989adce474 (4 x DBatLoader, 2 x Formbook, 1 x RemcosRAT)
Reporter	abuse_ch
Tags:	DBatLoader exe

Intelligence

File Origin

# of uploads :

# of downloads :

393

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

1403-0569 pdf.exe

Verdict:

No threats detected

Analysis date:

2024-08-29 09:30:31 UTC

Tags:

fileshare

Link:

https://app.any.run/tasks/176249a1-ef6e-4728-b7ad-8e5768ccabbe

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Trojan.Generickdz-9951971-0

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66cfb7adf1a57bfb70914395

Tags:

Network Static Stealth

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

borland_delphi fingerprint keylogger

Link:

https://www.filescan.io/uploads/66d03f61eb26ed7f73c59977/reports/56b4c421-ee20-445b-be91-c37bc9cf0f23/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/cdf4b7a712d127e76cb563adcdc03a65abb78b7b2b7078db9eed046a9120384d

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Starter

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c098bd1f-b339-4ba9-aca5-cb180a1d6dc6

Result

Threat name:

DBatLoader

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1501063

Signature

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected DBatLoader

Behaviour

Behavior Graph:

Download SVG

Score:

97%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/cdf4b7a712d127e76cb563adcdc03a65abb78b7b2b7078db9eed046a9120384d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cdf4b7a712d127e76cb563adcdc03a65abb78b7b2b7078db9eed046a9120384d/

Threat name:

Win32.Trojan.SpywareX

Status:

Malicious

First seen:

2024-08-28 18:46:49 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zx2lpjys2et6o3fvmow43qb2mwv3pc33fnyhrw465ucgvejahbgq._file

Verdict:

malicious

DBatLoader

31a7e70deb8af07d7b76b5dea8cbf90ec63bea24bffdd5ebac6f223c02f55753

DBatLoader

3db983f5bbefb35bdcda7168bd4c17b5d2766a2997c1e67941a8244bc8399b94

DBatLoader

5944d6afb5b917de44033f3c301d1adcea6107552fd8c2658b567d30d86d7b70

DBatLoader

8f66087a136da4cc49c15eec3b25f784077bb2fb1f8b583765a6f0236fbe71fc

DBatLoader

9a045c9c991d1d135687931fd936236135a9d812a9b1029284114a661f44a2a7

DBatLoader

b7c1f8aa7692d8e2f7a2a186ff3b097a390bd9cc6d8c74abc764be9f5d89a4bf

DBatLoader

cdf4b7a712d127e76cb563adcdc03a65abb78b7b2b7078db9eed046a9120384d

DBatLoader

+ 4 additional samples on MalwareBazaar

Result

Malware family:

modiloader

Score:

10/10

Tags:

family:modiloader discovery trojan

Link:

https://tria.ge/reports/240829-lfw7sathng/

Behaviour

Script User-Agent

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

ModiLoader Second Stage

ModiLoader, DBatLoader

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/ed554d43-c7fd-472c-9f2a-ed08b168d408

Unpacked files

SH256 hash:

5abc7ba1a9a9c97aaa25c22c526d8eba8c0af1ead5f8b6b2f1f557fce62bd8d2

MD5 hash:

db650d147cd1e45674e09dfa4632cb35

SHA1 hash:

65774d6d78f118c5cb245f81d343207a585b9f7f

Detections:

Typical_Malware_String_Transforms

Link:

https://www.unpac.me/results/f4af03fd-50c6-4af2-95e4-35839fb74308/

SH256 hash:

7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

MD5 hash:

c116d3604ceafe7057d77ff27552c215

SHA1 hash:

452b14432fb5758b46f2897aeccd89f7c82a727d

Link:

https://www.unpac.me/results/f4af03fd-50c6-4af2-95e4-35839fb74308/

SH256 hash:

cdf4b7a712d127e76cb563adcdc03a65abb78b7b2b7078db9eed046a9120384d

MD5 hash:

7c0c604d40d2507a27849f5795547ee8

SHA1 hash:

226ab7140c105de6cda4f6526fac2fbc8df42073

Detections:

DbatLoaderStage1

Link:

https://www.unpac.me/results/f4af03fd-50c6-4af2-95e4-35839fb74308/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.72

Link:

https://yomi.yoroi.company/submissions/cdf4b7a712d127e76cb563adcdc03a65abb78b7b2b7078db9eed046a9120384d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CloseHandle kernel32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryExA kernel32.dll::LoadLibraryA kernel32.dll::GetDriveTypeA kernel32.dll::GetVolumeInformationA kernel32.dll::GetStartupInfoA kernel32.dll::GetDiskFreeSpaceA
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateFileA kernel32.dll::GetFileAttributesA kernel32.dll::FindFirstFileA version.dll::GetFileVersionInfoSizeA version.dll::GetFileVersionInfoA
WIN_BASE_USER_API	Retrieves Account Information	kernel32.dll::GetComputerNameA
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryValueExA
WIN_USER_API	Performs GUI Actions	user32.dll::ActivateKeyboardLayout user32.dll::CreateMenu user32.dll::EmptyClipboard user32.dll::FindWindowA user32.dll::OpenClipboard user32.dll::PeekMessageA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample