MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d89aa8d0136cf505415fa2e91f997e1f21e955a49a90955dd36d28a9f6236b55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DBatLoader

Vendor detections: 15

Intelligence 15 IOCs YARA File information Comments

SHA256 hash:	d89aa8d0136cf505415fa2e91f997e1f21e955a49a90955dd36d28a9f6236b55
SHA3-384 hash:	3fd551ee73aea3c64b9a1e8b637124f264c84eb192b3d04ab84ef04f894bb88234898f05787941b712b36c6c96dc6842
SHA1 hash:	2b398bb4021d26edeaedd9b5027ac82644d58fd9
MD5 hash:	9f13454ab499608b61262d3885ae078d
humanhash:	quebec-potato-xray-steak
File name:	file
Download:	download sample
Signature	DBatLoader Create hunting rule
File size:	4'056'080 bytes
First seen:	2022-09-21 17:37:29 UTC
Last seen:	2022-09-23 19:07:09 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	df3e1656cd8b73f69c6c425a893cf5d3 (1 x DBatLoader)
ssdeep	49152:sIP6s88zMskRUnY2gfvJL5+3vG6efJ0ZnSz6/hs0QzR+/aN:sIBTkRUn7gfvP+3enRai6/UN
TLSH	T1C3168CE63686D9EFC2062C38E90DC947D528DFF562444909E8D8FC3DAF22D692383756
TrID	40.2% (.EXE) Win64 Executable (generic) (10523/12/4) 17.2% (.EXE) Win32 Executable (generic) (4505/5/1) 11.4% (.MZP) WinArchiver Mountable compressed Archive (3000/1) 7.9% (.EXE) Win16/32 Executable Delphi generic (2072/23) 7.7% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	820092c6b6014480 (1 x DBatLoader)
Reporter	andretavare5
Tags:	DBatLoader exe

andretavare5

Sample downloaded from https://vk.com/doc710354602_652348275?hash=ZDZKwn5dhlQPQziWxmPPdyInoqPA70yuJza9SUFWk7g&dl=G4YTAMZVGQ3DAMQ:1663781492:ct2mviflFzRZc1RAhD68Zj2BCnfcbyKdeQKUDSEUTcc&api=1&no_preview=1#galaxy

Intelligence

File Origin

# of uploads :

# of downloads :

296

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2022-09-21 17:40:40 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/cbd66dcc-8574-4889-b683-d8336932aeaf

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/312107/

Detection(s):

SecuriteInfo.com.Trojan.Siggen18.41399.10682.20218.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Searching for analyzing tools

Сreating synchronization primitives

Creating a window

Searching for synchronization primitives

Creating a file in the system32 subdirectories

Creating a file

DNS request

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/632b4c57397677696539a3e1/reports/1a878680-a0ae-41f1-918c-a2540d408650/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8856f1ff-8490-4201-93a6-129afa9f1ce0

Result

Threat name:

DBatLoader, RedLine

Detection:

malicious

Classification:

troj.expl.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1074789

Signature

Contains functionality to inject threads in other processes

Hides threads from debuggers

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Yara detected DBatLoader

Yara detected RedLine Stealer

Yara detected UAC Bypass using ComputerDefaults

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d89aa8d0136cf505415fa2e91f997e1f21e955a49a90955dd36d28a9f6236b55/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2022-09-21 17:38:15 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3cnkruatnt2qkqk7ulur7gl6d4q6svnetkijkxotnuukt5rdnnkq._file

Verdict:

malicious

Result

Malware family:

modiloader

Score:

10/10

Tags:

family:modiloader discovery evasion spyware stealer themida trojan

Link:

https://tria.ge/reports/220921-v7prfscddm/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks whether UAC is enabled

Checks BIOS information in registry

Reads user/profile data of web browsers

Themida packer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

ModiLoader Second Stage

ModiLoader, DBatLoader

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/2873f2f1-7783-40e6-8475-92a189afaaaa

Unpacked files

SH256 hash:

0d83381a85ed5b84c22d4c4d2e7b321e0bf6d4b99b75ffe7f1fc0a88a8b67fc2

MD5 hash:

37915e9ca62e3993fe4c6fa848aa2e4c

SHA1 hash:

c4adac1b54de33c48e5b4810b0a09346a47b0bc2

Detections:

win_dbatloader_g1

Link:

https://www.unpac.me/results/203e2b87-45a2-4911-9909-caf6f6615629/

Parent samples :

96c1db348aa67b1fae276b04f213b50936fad0e044042b6c43a7d2c8f15d4c1c
64a0e626369c7eb1c297fb21585ad71edea012db8e8f415328800cbc9bbf1de1
69030d7bb20e05dc3730aaf09d6815c2b5d46fe8ada819cc4c90e1e37fb173a6
d89aa8d0136cf505415fa2e91f997e1f21e955a49a90955dd36d28a9f6236b55
9edb5884eb282a8c920ddd9ea25983df592b8a5dce6dbe36796f83a5076ac4db

SH256 hash:

d89aa8d0136cf505415fa2e91f997e1f21e955a49a90955dd36d28a9f6236b55

MD5 hash:

9f13454ab499608b61262d3885ae078d

SHA1 hash:

2b398bb4021d26edeaedd9b5027ac82644d58fd9

Detections:

DbatLoaderStage1

Link:

https://www.unpac.me/results/203e2b87-45a2-4911-9909-caf6f6615629/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d89aa8d0136c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.76

Link:

https://yomi.yoroi.company/submissions/d89aa8d0136cf505415fa2e91f997e1f21e955a49a90955dd36d28a9f6236b55

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/312107/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample