MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d63fafb306b46296ec8c307006db98df532dc97118eaa0ba1c56252ad580d9fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d63fafb306b46296ec8c307006db98df532dc97118eaa0ba1c56252ad580d9fc
SHA3-384 hash: dece6c1caa551beb89e73bded1d1d1b52a305749351fe249ee266d013d21350b34284b0081c6be5161deb43326858fab
SHA1 hash: f558f57ba70b768c1c75ba28c4a76c1325035a51
MD5 hash: 76196f5adce2db1039bdb8501f8f29b7
humanhash: princess-robert-cup-double
File name:purchase_order_u83784899.cmd
Download: download sample
Signature DBatLoader
Create hunting rule
File size:5'189'751 bytes
First seen:2025-02-20 08:03:26 UTC
Last seen:Never
File type:cmd cmd
MIME type:text/x-msdos-batch
ssdeep 49152:A7CJataVd8mZSYerANLkDMUqxog5hVtvT2Cjq6S1Loj:X
Threatray 18 similar samples on MalwareBazaar
TLSH T1593645F7377D3AA3024E372BBA0EB1894F9AC92965A7FDC019C101DD1107A4E79E0997
Magika batch
Reporter Anonymous
Tags:cmd DBatLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
PL PL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Other.Malware-gen.11244.3713.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67b6e286a0fd713c335c0951
Tags:
delphi shell sage blic
Verdict:
Malicious
Labled as:
Trojan[Dropper]/BAT.Agent
Link:
https://www.hybrid-analysis.com/sample/d63fafb306b46296ec8c307006db98df532dc97118eaa0ba1c56252ad580d9fc
Result
Verdict:
SUSPICIOUS
Result
Threat name:
DBatLoader, MSIL Logger, MassLogger RAT,
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1619748
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates many large memory junks
Allocates memory in foreign processes
Contains functionality to capture screen (.Net source)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops or copies certutil.exe with a different name (likely to bypass HIPS)
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Registers a new ROOT certificate
Sample uses process hollowing technique
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Suspicious Program Location with Network Connections
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected MassLogger RAT
Yara detected MSIL Logger
Yara detected PureLog Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1619748 Sample: purchase_order_u83784899.cmd Startdate: 20/02/2025 Architecture: WINDOWS Score: 100 83 reallyfreegeoip.org 2->83 85 checkip.dyndns.org 2->85 87 checkip.dyndns.com 2->87 117 Found malware configuration 2->117 119 Malicious sample detected (through community Yara rule) 2->119 121 Multi AV Scanner detection for submitted file 2->121 125 16 other signatures 2->125 11 cmd.exe 1 2->11         started        13 Luvbfizi.PIF 2->13         started        signatures3 123 Tries to detect the country of the analysis system (by using the IP) 83->123 process4 signatures5 16 rdha.pif 1 11->16         started        18 alpha.pif 1 11->18         started        21 expha.pif 1 11->21         started        26 7 other processes 11->26 141 Multi AV Scanner detection for dropped file 13->141 143 Writes to foreign memory regions 13->143 145 Allocates memory in foreign processes 13->145 147 2 other signatures 13->147 24 izifbvuL.pif 13->24         started        process6 file7 28 ANYDESK.PIF 1 8 16->28         started        103 Uses ping.exe to sleep 18->103 105 Uses ping.exe to check the status of other devices and networks 18->105 32 ghf.pif 3 2 18->32         started        65 C:\Users\Public\alpha.pif, PE32+ 21->65 dropped 107 Drops PE files to the user root directory 21->107 109 Drops PE files with a suspicious file extension 21->109 111 Drops or copies certutil.exe with a different name (likely to bypass HIPS) 21->111 113 Drops or copies cmd.exe with a different name (likely to bypass HIPS) 21->113 115 Tries to steal Mail credentials (via file / registry access) 24->115 67 C:\Users\Public\rdha.pif, PE32+ 26->67 dropped 69 C:\Users\Public\ghf.pif, PE32+ 26->69 dropped 71 C:\Users\Public\expha.pif, PE32+ 26->71 dropped 34 PING.EXE 1 26->34         started        37 ghf.pif 2 26->37         started        signatures8 process9 dnsIp10 73 C:\Windows \SysWOW64\svchost.pif, PE32+ 28->73 dropped 75 C:\Windows \SysWOW6475ETUTILS.dll, PE32+ 28->75 dropped 77 C:\Users\Public\Libraries\izifbvuL.pif, PE32 28->77 dropped 81 3 other malicious files 28->81 dropped 149 Multi AV Scanner detection for dropped file 28->149 151 Drops PE files with a suspicious file extension 28->151 153 Writes to foreign memory regions 28->153 159 4 other signatures 28->159 39 Luvbfizi.PIF 28->39         started        42 izifbvuL.pif 15 2 28->42         started        45 cmd.exe 1 28->45         started        47 cmd.exe 3 28->47         started        155 Registers a new ROOT certificate 32->155 157 Drops PE files to the user root directory 32->157 89 127.0.0.1 unknown unknown 34->89 79 C:\Users\Public\ANYDESK.PIF, PE32 37->79 dropped file11 signatures12 process13 dnsIp14 127 Writes to foreign memory regions 39->127 129 Allocates memory in foreign processes 39->129 131 Sample uses process hollowing technique 39->131 133 Allocates many large memory junks 39->133 49 izifbvuL.pif 39->49         started        91 checkip.dyndns.com 193.122.130.0, 49731, 49737, 49741 ORACLE-BMC-31898US United States 42->91 93 reallyfreegeoip.org 104.21.64.1, 443, 49739, 49740 CLOUDFLARENETUS United States 42->93 135 Detected unpacking (changes PE section rights) 42->135 137 Detected unpacking (overwrites its own PE header) 42->137 139 Tries to steal Mail credentials (via file / registry access) 42->139 52 extrac32.exe 45->52         started        55 ndpha.pif 45->55         started        57 conhost.exe 45->57         started        59 conhost.exe 47->59         started        signatures15 process16 file17 95 Tries to steal Mail credentials (via file / registry access) 49->95 97 Tries to harvest and steal browser information (history, passwords, etc) 49->97 63 C:\Users\Public\ndpha.pif, PE32 52->63 dropped 99 Drops PE files to the user root directory 52->99 101 Drops PE files with a suspicious file extension 52->101 61 conhost.exe 55->61         started        signatures18 process19
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/d63fafb306b46296ec8c307006db98df532dc97118eaa0ba1c56252ad580d9fc
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d63fafb306b46296ec8c307006db98df532dc97118eaa0ba1c56252ad580d9fc/
Threat name:
Script-BAT.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-02-19 19:10:17 UTC
File Type:
Text
Extracted files:
1
AV detection:
15 of 38 (39.47%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2y727mygwrrjn3emgbyanw4y35js3slrddvkboq4kyssvvma3h6a._file
Verdict:
malicious
Label(s):
unknown_loader_001
Create hunting rule
dbatloader
Create hunting rule
Similar samples:
0009a5bb1bb1542c3663bc48457b7391c940ad8284d92996fa8a058fc4b5a8cc
DBatLoader
1b934dccc814a0d5248fa34256f192fc6e97bd322e23876bc5c751a11d0b1ed0
DBatLoader
518d9aeaf075a297467fbd6962f4a04f7f256680f9b506b4e4b51b67c185b365
DBatLoader
820a12d9d465245b47965d8d82101411b57fdb064e89322a84bf9a0f5599254f
DBatLoader
829c1085c285c81e564ad392ff0b37622ae962a08e237a68f8960f9ddf1eac2e
DBatLoader
8c4334177584d7aee981ada042ff60124cd81a2e51e7c1514f7e2dd22f9335b4
DBatLoader
a8ad0cb7c6c4d332bc50ca8af649af8877555a79e0d4d1df3cad1ea68acd26fb
DBatLoader
b53b26656933d4ccf3c6665d5ca45ea9e9db1463bd96aa1c0a372b658db23574
DBatLoader
e5c3febab37a06659361fbfb93aff167b685270ba63a71a86fa9892379abfbf3
DBatLoader
error
DBatLoader
f72ebfe6f11291393acec156f0f73b1eb5abf74761d5de8dd7b55839542c56af
DBatLoader
+ 8 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader collection discovery persistence spyware stealer trojan
Link:
https://tria.ge/reports/250220-jycvraznfw/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DBatLoader
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d63fafb306b46296ec8c307006db98df532dc97118eaa0ba1c56252ad580d9fc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAT_DbatLoader
Create hunting rule
Author:NDA0E
Description:Detects base64 and hex encoded MZ header used by DbatLoader
Rule name:dbatloader_bat_v2
Create hunting rule
Author:RandomMalware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments