MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d61aad06edbdd7500c507a9df016cfbdc6a21731bd707c51d97abebf687c76b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d61aad06edbdd7500c507a9df016cfbdc6a21731bd707c51d97abebf687c76b6
SHA3-384 hash: b7a7723bb881e889fa2ce9abb012cbf30d48e2ff3ec0a7aaadfc704cc6fb2bf4c092ee4e21ddf0741bc8ca70a2f89ef0
SHA1 hash: a689a21b1b8a556b7e77be10f2e7ddc0dff7d360
MD5 hash: 7bbca6f64625872be1a4dba80d36fce1
humanhash: pizza-dakota-ohio-lamp
File name:IBKB.vbs
Download: download sample
Signature DBatLoader
Create hunting rule
File size:1'636'027 bytes
First seen:2024-11-20 09:21:11 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 24576:EIvgQAdJSSNSo4oRUTvt13g+qA+aj1tHKUJS2t9HqG7ZaSJyhh4B:vgQUNSo4oebUHYRdzSCrYc
TLSH T1A7759EB85366AF613BDA47C40D48AEC54E240147903E521D6D29B1330B4AABEFB9DC7F
Magika vba
Reporter lowmal3
Tags:DBatLoader vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
97
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.28953.VbsHeur.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PUA.Base64EXE-1.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=673dabb4e293c03416fb6e92
Tags:
valyria delphi emotet
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
dropper explorer fingerprint hook keylogger lolbin obfuscated obfuscated packed
Link:
https://www.filescan.io/uploads/673daa425a0510cd62e8cf84/reports/1e90947d-aa73-4c58-a9d1-5e66e5218aad/overview
Verdict:
Malicious
Labled as:
Valyria
Link:
https://www.hybrid-analysis.com/sample/d61aad06edbdd7500c507a9df016cfbdc6a21731bd707c51d97abebf687c76b6
Result
Threat name:
AgentTesla, DBatLoader, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1559226
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Drops large PE files
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Found malware configuration
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries random domain names (often used to prevent blacklisting and sinkholes)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected DBatLoader
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1559226 Sample: IBKB.vbs Startdate: 20/11/2024 Architecture: WINDOWS Score: 100 95 zlenh.biz 2->95 97 vjaxhpbji.biz 2->97 99 46 other IPs or domains 2->99 111 Suricata IDS alerts for network traffic 2->111 113 Found malware configuration 2->113 115 Malicious sample detected (through community Yara rule) 2->115 117 15 other signatures 2->117 11 wscript.exe 2 2->11         started        15 Juqmtmya.PIF 2->15         started        17 Juqmtmya.PIF 2->17         started        signatures3 process4 file5 77 C:\Users\user\AppData\Local\Temp\x.exe, PE32 11->77 dropped 139 Benign windows process drops PE files 11->139 141 VBScript performs obfuscated calls to suspicious functions 11->141 143 Windows Scripting host queries suspicious COM object (likely to drop second stage) 11->143 145 Suspicious execution chain found 11->145 19 x.exe 1 7 11->19         started        147 Writes to foreign memory regions 15->147 149 Allocates memory in foreign processes 15->149 151 Sample uses process hollowing technique 15->151 24 aymtmquJ.pif 15->24         started        153 Machine Learning detection for dropped file 17->153 26 aymtmquJ.pif 17->26         started        signatures6 process7 dnsIp8 101 gxe0.com 198.252.105.91, 443, 49704, 49705 HAWKHOSTCA Canada 19->101 71 C:\Users\Public\Libraries\aymtmquJ.pif, PE32 19->71 dropped 73 C:\Users\Public\Libraries\Juqmtmya, data 19->73 dropped 75 C:\Users\Public\Juqmtmya.url, MS 19->75 dropped 127 Machine Learning detection for dropped file 19->127 129 Drops PE files with a suspicious file extension 19->129 131 Writes to foreign memory regions 19->131 133 3 other signatures 19->133 28 aymtmquJ.pif 4 19->28         started        31 cmd.exe 1 19->31         started        33 esentutl.exe 2 19->33         started        35 Native_neworigin.exe 24->35         started        39 Trading_AIBot.exe 24->39         started        41 Native_neworigin.exe 26->41         started        43 Trading_AIBot.exe 26->43         started        file9 signatures10 process11 dnsIp12 79 C:\Users\user\AppData\...\Trading_AIBot.exe, PE32 28->79 dropped 81 C:\Users\user\...81ative_neworigin.exe, PE32 28->81 dropped 45 Trading_AIBot.exe 28->45         started        49 Native_neworigin.exe 15 2 28->49         started        52 esentutl.exe 2 31->52         started        54 conhost.exe 31->54         started        83 C:\Users\Public\Libraries\Juqmtmya.PIF, PE32 33->83 dropped 56 conhost.exe 33->56         started        103 yunalwv.biz 208.100.26.245, 50019, 50028, 80 STEADFASTUS United States 35->103 105 xlfhhhm.biz 47.129.31.212, 50011, 50040, 80 ESAMARA-ASRU Canada 35->105 109 6 other IPs or domains 35->109 119 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 35->119 121 Tries to steal Mail credentials (via file / registry access) 35->121 123 Tries to harvest and steal ftp login credentials 35->123 125 2 other signatures 35->125 107 172.234.222.138, 49839, 49844, 49907 AKAMAI-ASN1EU United States 41->107 file13 signatures14 process15 dnsIp16 85 C:\Users\user\AppData\Roaming\...\apihost.exe, PE32 45->85 dropped 155 Antivirus detection for dropped file 45->155 157 Machine Learning detection for dropped file 45->157 159 Uses schtasks.exe or at.exe to add and modify task schedules 45->159 173 2 other signatures 45->173 58 powershell.exe 45->58         started        61 apihost.exe 45->61         started        63 schtasks.exe 45->63         started        89 s82.gocheapweb.com 51.195.88.199, 49771, 49926, 49953 OVHFR France 49->89 91 lpuegx.biz 82.112.184.197, 49770, 49777, 49925 FIRST_LINE-SP_FOR_B2B_CUSTOMERSUPSTREAMSRU Russian Federation 49->91 93 5 other IPs or domains 49->93 161 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 49->161 163 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 49->163 165 Tries to steal Mail credentials (via file / registry access) 49->165 87 C:\Users\Public\alpha.pif, PE32 52->87 dropped 167 Drops PE files to the user root directory 52->167 169 Drops PE files with a suspicious file extension 52->169 171 Drops or copies cmd.exe with a different name (likely to bypass HIPS) 52->171 file17 signatures18 process19 signatures20 135 Loading BitLocker PowerShell Module 58->135 65 conhost.exe 58->65         started        67 WmiPrvSE.exe 58->67         started        137 Antivirus detection for dropped file 61->137 69 conhost.exe 63->69         started        process21
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/d61aad06edbdd7500c507a9df016cfbdc6a21731bd707c51d97abebf687c76b6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d61aad06edbdd7500c507a9df016cfbdc6a21731bd707c51d97abebf687c76b6/
Threat name:
Script-WScript.Trojan.Valyria
Create hunting rule
Status:
Malicious
First seen:
2024-11-20 09:22:05 UTC
File Type:
Text (AutoIt)
AV detection:
15 of 38 (39.47%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2ynk2bxnxxlvadcqpko7afwpxxdkefzrxvyhyuozpk7l62d4o23a._file
Verdict:
malicious
Label(s):
dbatloader
Create hunting rule
Similar samples:
error
DBatLoader
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader discovery persistence spyware stealer trojan
Link:
https://tria.ge/reports/241120-lbwqfsvapa/
Behaviour
Modifies data under HKEY_USERS
Script User-Agent
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DBatLoader

Visual Basic Script (vbs) vbs d61aad06edbdd7500c507a9df016cfbdc6a21731bd707c51d97abebf687c76b6

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments