MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d87618f7840361408c1bd318a1977714dedc8b346684986842e0f32cdc94f758. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DBatLoader

Vendor detections: 10



SHA256 hash: d87618f7840361408c1bd318a1977714dedc8b346684986842e0f32cdc94f758
SHA3-384 hash: 3847040f2222ba52d4ce8605686610c6a58458ff69616a95b426fc6c229b2d9cc949e1272fbf7ae8f71a5540fd58da95
SHA1 hash: 448c2ecfa8c9e6dee13117057b84d3a904976cba
MD5 hash: ba1bc5ca8f81584f3c489ad509126ffa
humanhash: uniform-arkansas-pip-nevada
File name: Bank. swift.11102021.exe
Signature: DBatLoader
File size: 858'624 bytes
First seen: 2021-11-10 13:17:39 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6599433acf61f1c88984fba723943740 (4 x RemcosRAT, 3 x DBatLoader, 1 x Formbook)
ssdeep: 6144:dSYSrAc6N5eZONdMKjkSBoadoV6FXXb0TsdwCTmCaAu5OwlhdbpoOGZy6hY0Bb3l:HwAc6NyAFPXYIdI7Owlxn61o6
Threatray: 11'120 similar samples on MalwareBazaar
TLSH: T15D057D32E1541A39D4572B3848AF177866B87D203E2249825F9B7D458EF3282397FF4B
dhash icon: 0c323272b98ca6d9 (5 x RemcosRAT, 3 x DBatLoader, 1 x Formbook)
Reporter: malwarelabnet
Tags: DBatLoader exe FormBook

Intelligence


File Origin
# of uploads: 1
# of downloads: 123
Origin country: n/a
Vendor Threat Intelligence
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: greyware keylogger
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: DBatLoader FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Drops PE files to the user root directory
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Execution from Suspicious Folder
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2021-11-10 08:12:39 UTC
AV detection: 17 of 28 (60.71%)
Threat level: 5/5
Result
Malware family: formbook
Score: 10/10
Tags: family:formbook campaign:3nop persistence rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction: http://www.jakesplacebarbers.com/3nop/
Unpacked files
SHA256 hash: 884d99b457e14d78d737b3ac26748c6a4aa834de2317acbe0fb87fcb5d23f65e
MD5 hash: 422adab412b2bc9eda31361e676cb23a
SHA1 hash: 0f23391f7d7c36b4623f33f4046c009344221b2d
Detections: win_temple_loader_w0
Parent samples:
SHA256 hash: d87618f7840361408c1bd318a1977714dedc8b346684986842e0f32cdc94f758
MD5 hash: ba1bc5ca8f81584f3c489ad509126ffa
SHA1 hash: 448c2ecfa8c9e6dee13117057b84d3a904976cba
Malware family: FormBook
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments