MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf77ea3d603cf9d76cac65e60a4d53dfbc850631f77c24784361e6f8984c9798. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cf77ea3d603cf9d76cac65e60a4d53dfbc850631f77c24784361e6f8984c9798
SHA3-384 hash: f687f8cf46b8aa086f2649c16f073e3fdf2fa8829ee50cd569e13540fcba10f3240abc111d704731fb26151cbee0fdb4
SHA1 hash: 170c173cdb6af4128126aed6c5407c29fafdbdc8
MD5 hash: cbe18716dd6645962e08b8f786b612bb
humanhash: butter-mexico-tango-uniform
File name:cf77ea3d603cf9d76cac65e60a4d53dfbc850631f77c24784361e6f8984c9798
Download: download sample
Signature DBatLoader
Create hunting rule
File size:1'788'928 bytes
First seen:2025-09-05 13:02:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c5097c4844a18a789c2c97ff3f7431b2 (1 x RemcosRAT, 1 x DBatLoader)
ssdeep 24576:mPI9NxLxG6Bl93ZldYtVsH+xyPyoUkEmMZaoScXBUE4Y8BEWjBe1vx7/:mPIq6wxyPvUkEJ8cXBUE416h/
Threatray 793 similar samples on MalwareBazaar
TLSH T11C85E162F1E14633E5362A348C3B56B8592FBE612F2CA85539DC7D8C5F363C234252A7
TrID 45.4% (.EXE) Win64 Executable (generic) (10522/11/4)
19.4% (.EXE) Win32 Executable (generic) (4504/4/1)
8.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
8.7% (.EXE) OS/2 Executable (generic) (2029/13)
8.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter adrian__luca
Tags:DBatLoader exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
53
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cf77ea3d603cf9d76cac65e60a4d53dfbc850631f77c24784361e6f8984c9798
Verdict:
Suspicious activity
Analysis date:
2025-09-05 19:23:48 UTC
Tags:
delphi
Link:
https://app.any.run/tasks/3bc45bc7-4b34-4c9b-849c-14d7034eddd9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/25545/
Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68badf81eb163e0ec184813d
Tags:
delphi emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file
Creating a process from a recently created file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context borland_delphi fingerprint keylogger krypt modiloader obfuscated
Link:
https://www.filescan.io/uploads/68baea3a20d0ee406d96b75b/reports/cc9e5f7f-31e1-458a-b5a1-f4eaa6af0f35/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/cf77ea3d603cf9d76cac65e60a4d53dfbc850631f77c24784361e6f8984c9798
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-08-19T21:24:00Z UTC
Last seen:
2025-08-19T21:24:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/cf77ea3d603cf9d76cac65e60a4d53dfbc850631f77c24784361e6f8984c9798/results?tab=lookup
Malware family:
ModiLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/649d78d9-d1a0-4212-bc54-dbaf1a8f96d6
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cf77ea3d603cf9d76cac65e60a4d53dfbc850631f77c24784361e6f8984c9798
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/cbe18716dd6645962e08b8f786b612bb
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cf77ea3d603cf9d76cac65e60a4d53dfbc850631f77c24784361e6f8984c9798/
Threat name:
Win32.Trojan.ModiLoader
Create hunting rule
Status:
Malicious
First seen:
2025-08-20 04:58:02 UTC
File Type:
PE (Exe)
Extracted files:
46
AV detection:
29 of 38 (76.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z536uplaht45o3fmmxtautkt366ikbrr656ci6cdmhtprgcms6ma._file
Verdict:
malicious
Label(s):
dbatloader
Create hunting rule
Similar samples:
0002a2f7d00d1d6c5289a0c6915c6a761145586b191c03d6ae9320ac487c9ed3
DBatLoader
01737d303e26dbb7b5dee87076382b4d81162ae73bf4faaeaf0bf29d0c6fc66d
DBatLoader
1336a81d27c381bfaefd7d763b6c93d593f9c181fe97522b8248d520c6b0e2ff
DBatLoader
17269b07f8f2f16e1d2139282f27e99834c34ed76548851a229bbe59832cb552
DBatLoader
268b6fdc221050949a2b624983380cd3fb268fecef2f5bb3a15d91611f3d8092
DBatLoader
60a8f087ea808e50d83e20099aa2fbedcd15bfb580f1524db4dc9e4a757d32d5
DBatLoader
67b1c7d222568af1d3fe24c18125eac63dad102e029fae7427b7b9a526f63699
DBatLoader
69a9b6e531a91d616c9d7405206f87b73b851e894e452cde8f4a16ebddd98156
DBatLoader
e54824f3c53758443e21d10af036b26e6ecf9dcfeb2179c459277325075c261c
DBatLoader
ea710abc03bb6f1d7bb3045bfbbf6450e49fbaea858df1fef7563d525d708c0c
DBatLoader
error
DBatLoader
+ 783 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader discovery trojan
Link:
https://tria.ge/reports/250905-q4a2nsxm15/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Executes dropped EXE
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ae0bdf38-1e5b-453b-aabb-5533d2fd21b1
Unpacked files
SH256 hash:
cf77ea3d603cf9d76cac65e60a4d53dfbc850631f77c24784361e6f8984c9798
MD5 hash:
cbe18716dd6645962e08b8f786b612bb
SHA1 hash:
170c173cdb6af4128126aed6c5407c29fafdbdc8
Link:
https://www.unpac.me/results/f84e4ef4-4878-4074-8d43-8fc92985ffee/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cf77ea3d603c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cf77ea3d603cf9d76cac65e60a4d53dfbc850631f77c24784361e6f8984c9798

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/25545/

Comments