MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cfddcbf0a97a326f7a26683f817e7d42082c30f28113bef76e3c3b491c094c69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cfddcbf0a97a326f7a26683f817e7d42082c30f28113bef76e3c3b491c094c69
SHA3-384 hash: db0e0285aff7b43b6327ba7b6f7f4582e2edf9be70cc4daa35b21ddb45d28327ea11630a353d54690a664c7991db87ea
SHA1 hash: d0e40aa47862a5681388a0ecc14a6e7b36ec287a
MD5 hash: 35c9d0c1fb59cec2dee22f0a20e8b1e9
humanhash: oregon-snake-eleven-bacon
File name:PO.exe
Download: download sample
Signature DBatLoader
Create hunting rule
File size:935'936 bytes
First seen:2022-08-01 08:48:36 UTC
Last seen:2022-08-01 14:02:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d6b755142a9bedd67381675d646ee46f (2 x DBatLoader, 1 x ModiLoader)
ssdeep 24576:MryWRujk9kBBuNpHb9t0GrvBPUaxXd52Ep8r:Mr9fkByDor
TLSH T19F159F2AA291843BE1A31D785C1B53F89D2ABD102D28945A2BF53E4C9F357913E353F3
TrID 68.5% (.OCX) Windows ActiveX control (116521/4/18)
8.3% (.EXE) Win32 Executable Delphi generic (14182/79/4)
7.7% (.SCR) Windows screen saver (13101/52/3)
6.1% (.EXE) Win64 Executable (generic) (10523/12/4)
2.6% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 509dca9acccc4b90 (5 x DBatLoader, 2 x AveMariaRAT, 1 x Formbook)
Reporter JAMESWT_WT
Tags:DBatLoader exe follina

Intelligence

File Origin
# of uploads :
3
# of downloads :
272
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO.exe
Verdict:
Suspicious activity
Analysis date:
2022-08-02 06:50:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6f596555-2ba0-450b-a71f-5f98aea4e024

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/295525/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader45.8027.18912.12555.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Creating a file
Launching cmd.exe command interpreter
Creating a process with a hidden window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/27966/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
keylogger packed
Link:
https://www.filescan.io/uploads/62e793f96336465f2a007138/reports/6b65f5a6-616d-46cb-bd61-9edf2638c68d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3e1f009e-8788-4846-bd0c-52fb38c2fe5c
Result
Threat name:
DBatLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1044065
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Delayed program exit found
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 676559 Sample: PO.exe Startdate: 01/08/2022 Architecture: WINDOWS Score: 100 50 Snort IDS alert for network traffic 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 3 other signatures 2->56 7 PO.exe 1 18 2->7         started        12 Cotwth.exe 14 2->12         started        14 Cotwth.exe 15 2->14         started        process3 dnsIp4 40 polpharmar.com 91.235.116.180, 49734, 49737, 49762 THCPROJECTSRO Romania 7->40 32 C:\Users\Public\Libraries\Cotwth.exe, PE32 7->32 dropped 34 C:\Users\...\Cotwth.exe:Zone.Identifier, ASCII 7->34 dropped 58 Writes to foreign memory regions 7->58 60 Allocates memory in foreign processes 7->60 62 Creates a thread in another existing process (thread injection) 7->62 64 Injects a PE file into a foreign processes 7->64 16 cmd.exe 2 4 7->16         started        66 Multi AV Scanner detection for dropped file 12->66 20 cmd.exe 1 12->20         started        22 cmd.exe 1 14->22         started        file5 signatures6 process7 dnsIp8 36 www.varshtrade.com 91.192.100.12, 2404, 49757, 49758 AS-SOFTPLUSCH Switzerland 16->36 38 192.168.2.1 unknown unknown 16->38 42 Contains functionalty to change the wallpaper 16->42 44 Contains functionality to steal Chrome passwords or cookies 16->44 46 Contains functionality to inject code into remote processes 16->46 48 2 other signatures 16->48 24 WerFault.exe 23 9 16->24         started        26 conhost.exe 16->26         started        28 conhost.exe 20->28         started        30 conhost.exe 22->30         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cfddcbf0a97a326f7a26683f817e7d42082c30f28113bef76e3c3b491c094c69/
Threat name:
Win32.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2022-07-31 16:53:43 UTC
File Type:
PE (Exe)
Extracted files:
47
AV detection:
19 of 41 (46.34%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z7o4x4fjpizg66rgna7yc7t5iiecymhsqej3553ohq5ushajjruq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:remotehost persistence rat trojan
Link:
https://tria.ge/reports/220801-kq1ghsfgbl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Adds Run key to start application
Checks computer location settings
Blocklisted process makes network request
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
www.varshtrade.com:2404
Unpacked files
SH256 hash:
df5188834ad47e3f01711c40fa863a1117e26df67fbe7bb116d9f3721dd4449e
MD5 hash:
6381d1e28338c4262a7bbe4e1f3fc66d
SHA1 hash:
8f8ab1deb41db7a0a74ef63dafe9b51a8e02e68c
Link:
https://www.unpac.me/results/cfa0a88b-c7cb-4179-aa88-36f29598a1b9/
SH256 hash:
cfddcbf0a97a326f7a26683f817e7d42082c30f28113bef76e3c3b491c094c69
MD5 hash:
35c9d0c1fb59cec2dee22f0a20e8b1e9
SHA1 hash:
d0e40aa47862a5681388a0ecc14a6e7b36ec287a
Link:
https://www.unpac.me/results/cfa0a88b-c7cb-4179-aa88-36f29598a1b9/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cfddcbf0a97a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cfddcbf0a97a326f7a26683f817e7d42082c30f28113bef76e3c3b491c094c69

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DBatLoader

Executable exe cfddcbf0a97a326f7a26683f817e7d42082c30f28113bef76e3c3b491c094c69

(this sample)

  
X
https://twitter.com/StopMalvertisin/status/1553970465450098688?s=20&t=NUr2d5u8u1bLNhawYnZycQ
Cape
Cape
https://www.capesandbox.com/analysis/295525/
  
URLhaus
https://urlhaus.abuse.ch/url/2263630/
  
Delivery method
Distributed via web download

Comments