MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d17de6f437033140a8197c29721e535e19cde342b211c3a0074fa54f79afb375. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d17de6f437033140a8197c29721e535e19cde342b211c3a0074fa54f79afb375
SHA3-384 hash: 0250f79f4b8f7d7d8e0376359772827fc3e8dfad32296ec1fdb110cef479d4098edeaa722f33999fd93a04549856ffd2
SHA1 hash: 6957e2bd7068f1303723c2ba3075771cdbcb23f0
MD5 hash: 07789017f254b6ac45b11f66ccada623
humanhash: xray-maryland-quebec-potato
File name:Izjava u prilogu.exe
Download: download sample
Signature DBatLoader
Create hunting rule
File size:856'064 bytes
First seen:2022-08-02 06:06:24 UTC
Last seen:2022-08-09 06:17:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 26f43e7e5cabbf54a110a27c93529aa0 (1 x Formbook, 1 x DBatLoader)
ssdeep 12288:h9t152pZSK8XmAl1kkzRYePVeghTXSmDm1BeIDQs+dZHcFE3Z2VrJTh:f/QmLl1kklYePpZ/DOBeIDQPd52Ep8r
Threatray 390 similar samples on MalwareBazaar
TLSH T1B2059E3AA6D08537E0661F789C4B56F8982B7D512D34A84E6ADC3E0C5B377503C2A3B7
TrID 68.5% (.OCX) Windows ActiveX control (116521/4/18)
8.3% (.EXE) Win32 Executable Delphi generic (14182/79/4)
7.7% (.SCR) Windows screen saver (13101/52/3)
6.1% (.EXE) Win64 Executable (generic) (10523/12/4)
2.6% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 33f0d8f6b694d031 (6 x DBatLoader, 1 x Formbook, 1 x ModiLoader)
Reporter 0xToxin
Tags:DBatLoader exe ModiLoader remcos

Intelligence

File Origin
# of uploads :
7
# of downloads :
322
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/295754/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.61128284.21400.9560.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Creating a process with a hidden window
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/28046/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger packed
Link:
https://www.filescan.io/uploads/62e8bf456fb6aea51f10e41b/reports/45c93672-c554-4e5d-81c6-461933d8b4b5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/1edb688a-7470-4375-953a-c389fea54027
Result
Threat name:
DBatLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1044630
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 677124 Sample: Izjava u prilogu.exe Startdate: 02/08/2022 Architecture: WINDOWS Score: 84 52 Malicious sample detected (through community Yara rule) 2->52 54 Antivirus detection for dropped file 2->54 56 Multi AV Scanner detection for submitted file 2->56 58 3 other signatures 2->58 9 Izjava u prilogu.exe 1 18 2->9         started        14 Nwypnv.exe 1 15 2->14         started        16 Nwypnv.exe 17 2->16         started        18 3 other processes 2->18 process3 dnsIp4 38 l-0003.l-dc-msedge.net 13.107.43.12, 443, 49751, 49756 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 9->38 40 l-0004.l-dc-msedge.net 13.107.43.13, 443, 49747, 49753 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 9->40 46 3 other IPs or domains 9->46 36 C:\Users\Public\Libraries36wypnv.exe, PE32 9->36 dropped 62 Creates multiple autostart registry keys 9->62 64 Writes to foreign memory regions 9->64 66 Allocates memory in foreign processes 9->66 70 2 other signatures 9->70 20 cleanmgr.exe 5 4 9->20         started        42 ph-files.fe.1drv.com 14->42 48 2 other IPs or domains 14->48 68 Multi AV Scanner detection for dropped file 14->68 44 ph-files.fe.1drv.com 16->44 50 2 other IPs or domains 16->50 file5 signatures6 process7 file8 32 C:\Users\user\AppData\Local\...\install.vbs, data 20->32 dropped 34 C:\ProgramData\javaa\javaaa.exe, PE32 20->34 dropped 60 Creates multiple autostart registry keys 20->60 24 wscript.exe 1 20->24         started        signatures9 process10 process11 26 cmd.exe 1 24->26         started        process12 28 conhost.exe 26->28         started        30 javaaa.exe 26->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d17de6f437033140a8197c29721e535e19cde342b211c3a0074fa54f79afb375/
Threat name:
Win32.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2022-08-01 12:58:04 UTC
File Type:
PE (Exe)
Extracted files:
42
AV detection:
19 of 25 (76.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2f66n5bxamyubkazpquxehstlym43y2cwii4hiahj6su66npwn2q._file
Verdict:
malicious
Similar samples:
3c4180a41539d6bb417287a3ef07eb27b1d14b46302514c37311ade6da6cb451
DBatLoader
437e444fdf417fa35390eec589e380b8d5c70b5418a4554ee19cb706470a7edc
DBatLoader
45c2a90fff377e89af12d170f42c055f26b3165f17bca422ef34edc479debcee
DBatLoader
69aebbc01bb6d126ebd5cc318f73aa42fc487c84b6a204d9ebaafbabb0b817c0
DBatLoader
6b46c6363eb8fab2e969bef3a3cde6843f82e405b446e645207c9e9f97a89ed1
DBatLoader
b1837f6e117f60e76da4f32b8b86cab5476d07e213421598a4f38c0cbab8f0d3
DBatLoader
cfddcbf0a97a326f7a26683f817e7d42082c30f28113bef76e3c3b491c094c69
DBatLoader
d1675aae72a475f910d9f51af00f731052fc0ba7f355bfe56dd8f8dc26400cbb
DBatLoader
da66d2f930b291f3f065faa17bc87f4a68de14a6eb227b2b9f5a68d9bf6b475f
DBatLoader
dc2c5be2173c58a5eea29da7c30a80f05403a3ae42e57fabae4169feb1c4c475
DBatLoader
+ 380 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos botnet:remotehost persistence rat trojan
Link:
https://tria.ge/reports/220802-gvavwabfh4/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Adds Run key to start application
Enumerates connected drives
Checks computer location settings
ModiLoader Second Stage
ModiLoader, DBatLoader
Remcos
Malware Config
C2 Extraction:
newehmpage.webredirect.org:5564
Unpacked files
SH256 hash:
df5188834ad47e3f01711c40fa863a1117e26df67fbe7bb116d9f3721dd4449e
MD5 hash:
6381d1e28338c4262a7bbe4e1f3fc66d
SHA1 hash:
8f8ab1deb41db7a0a74ef63dafe9b51a8e02e68c
Link:
https://www.unpac.me/results/3ac80b45-0aa9-44b6-ba78-2a5c3e3ccdaa/
SH256 hash:
d17de6f437033140a8197c29721e535e19cde342b211c3a0074fa54f79afb375
MD5 hash:
07789017f254b6ac45b11f66ccada623
SHA1 hash:
6957e2bd7068f1303723c2ba3075771cdbcb23f0
Link:
https://www.unpac.me/results/3ac80b45-0aa9-44b6-ba78-2a5c3e3ccdaa/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d17de6f437033140a8197c29721e535e19cde342b211c3a0074fa54f79afb375

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DBatLoader

Executable exe d17de6f437033140a8197c29721e535e19cde342b211c3a0074fa54f79afb375

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/295754/

Comments