MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ceea761a0d3121215b4ddd3c0916eb63345395f0fd09e8449bd85a4a84e50272. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ceea761a0d3121215b4ddd3c0916eb63345395f0fd09e8449bd85a4a84e50272
SHA3-384 hash: ce92f207981c5f7f074ede211dfcca55665d579efd7a51c9068754582a58e70139a23e0553833320f2be178ff787beaf
SHA1 hash: 013f7bb771da2df40dae65d7b13235110916d2a8
MD5 hash: 4eec9d32bd0796bed0ecd74009a363f7
humanhash: lactose-hydrogen-harry-fanta
File name:Приказ (внешний) № 15629 от 25.07.2022 ООО «БТК».exe
Download: download sample
Signature DBatLoader
Create hunting rule
File size:641'024 bytes
First seen:2022-08-04 09:23:42 UTC
Last seen:2022-09-06 13:20:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 286be9e4f8d73c89ffb2aff3a4427b53 (9 x DBatLoader, 1 x AveMariaRAT)
ssdeep 12288:F+xn0/znwyVdboAk2SE+BOx7o1sf6hm7fWzHyW+K:w07nxdb7k2SnB2o1A6hsaSPK
Threatray 14'504 similar samples on MalwareBazaar
TLSH T1E6D48E6AE6D045F2ED6226788C1A9694D82B7D401D3C184BABDC3EC95B3B7D1342B3C7
TrID 26.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
24.5% (.SCR) Windows screen saver (13101/52/3)
19.7% (.EXE) Win64 Executable (generic) (10523/12/4)
8.4% (.EXE) Win32 Executable (generic) (4505/5/1)
5.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon 73b0d4d6c6d430b3 (9 x DBatLoader, 1 x AveMariaRAT)
Reporter lowmal3
Tags:DBatLoader exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
290
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
1.exe
Verdict:
Malicious activity
Analysis date:
2022-08-04 07:51:30 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/734d8582-6791-49d8-a477-65d4af3422b1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/296413/
Detection(s):
PUA.Win.Packer.BorlandDelphi-15
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger
Link:
https://www.filescan.io/uploads/62eb90340d534e60816eb283/reports/65cb5072-1376-4b76-8186-0c036c016a96/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c9f68402-c20f-414a-a633-299df76cad33
Result
Threat name:
DBatLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1046150
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 678644 Sample: 1a#U00bb.exe Startdate: 04/08/2022 Architecture: WINDOWS Score: 100 43 Malicious sample detected (through community Yara rule) 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 Yara detected UAC Bypass using ComputerDefaults 2->47 49 3 other signatures 2->49 7 1a#U00bb.exe 1 18 2->7         started        12 Kqmzdslgs.exe 14 2->12         started        14 Kqmzdslgs.exe 14 2->14         started        process3 dnsIp4 35 thebaseballprophet.com 103.150.31.22, 443, 49743, 49747 NETWORK-LEAPSWITCH-INLeapSwitchNetworksPvtLtdIN unknown 7->35 31 C:\Users\Public\Libraries\Kqmzdslgs.exe, PE32 7->31 dropped 33 C:\Users\...\Kqmzdslgs.exe:Zone.Identifier, ASCII 7->33 dropped 51 Writes to foreign memory regions 7->51 53 Allocates memory in foreign processes 7->53 55 Creates a thread in another existing process (thread injection) 7->55 16 cmd.exe 1 7->16         started        57 Multi AV Scanner detection for dropped file 12->57 59 Injects a PE file into a foreign processes 12->59 19 cmd.exe 1 12->19         started        21 cmd.exe 1 14->21         started        file5 signatures6 process7 signatures8 37 Modifies the context of a thread in another process (thread injection) 16->37 39 Maps a DLL or memory area into another process 16->39 41 Queues an APC in another process (thread injection) 16->41 23 conhost.exe 16->23         started        25 explorer.exe 16->25 injected 27 conhost.exe 19->27         started        29 conhost.exe 21->29         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ceea761a0d3121215b4ddd3c0916eb63345395f0fd09e8449bd85a4a84e50272/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-08-04 04:45:19 UTC
File Type:
PE (Exe)
Extracted files:
23
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z3vhmgqngeqscw2n3u6asfxlmm2fhfpq7ue6qre33bnevbhfajza._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0529130f4cb86fd0a8dcbd0d2ade580d721248a0503f20823373823a481aa7df
DBatLoader
4d11cc329c2e378d5a0f9c1032d01a9fc1f82a8d31fae79e851d05b87dca6563
DBatLoader
71d4416a94c93021b07c9f0dc6a2d388b39bf429b58546dd85944b5681b19de5
DBatLoader
75e628b04a020bbaecb3f61430c996aadb9d4b6f4f6396581922004b57404c05
DBatLoader
92d256d51b6838c1a79f0b092c962c54587f6e8e0879676d9f8e225557c1ef9b
DBatLoader
b2e993f1197c85683981bec427cd5e5bb4cbf844f053a3c4727a717e9c123cb7
DBatLoader
daf1d21f570270cea93b1f7238636e31aa2a5f328917e30b125f677c723bd46e
DBatLoader
+ 14'494 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220804-lc2m4adbg8/
Unpacked files
SH256 hash:
17f73c76ddcb7cb3d62bfa847e74d830ceec124a5039f2c1ff2956e248cfc62d
MD5 hash:
60d349dcf597f153fbb56484bcb4e051
SHA1 hash:
7613a0152dafe5116f24c2030889314b7bffd144
Link:
https://www.unpac.me/results/7c2f0fb2-fdfd-42fd-b7e0-920ce4f05c79/
SH256 hash:
167dcf9bbea524732d223862e3dcffad97c4dddc84f58d5877a1b40a7b0bda6d
MD5 hash:
48eb46c4d8f8015d387b4ff73ec81e08
SHA1 hash:
4693e91e6fcde682981fb5d952a2ff2795151def
Link:
https://www.unpac.me/results/7c2f0fb2-fdfd-42fd-b7e0-920ce4f05c79/
SH256 hash:
ceea761a0d3121215b4ddd3c0916eb63345395f0fd09e8449bd85a4a84e50272
MD5 hash:
4eec9d32bd0796bed0ecd74009a363f7
SHA1 hash:
013f7bb771da2df40dae65d7b13235110916d2a8
Link:
https://www.unpac.me/results/7c2f0fb2-fdfd-42fd-b7e0-920ce4f05c79/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ceea761a0d31/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ceea761a0d3121215b4ddd3c0916eb63345395f0fd09e8449bd85a4a84e50272

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DBatLoader

Executable exe ceea761a0d3121215b4ddd3c0916eb63345395f0fd09e8449bd85a4a84e50272

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/296413/

Comments