MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de2924e0b41f3ead65900156974f3048ad41886489c95e01064b5b0885781ecd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: de2924e0b41f3ead65900156974f3048ad41886489c95e01064b5b0885781ecd
SHA3-384 hash: 8717e62cc148d8fde61f851082695b03ed8b2848c59aafa2692117340cc0744f3d935351d1119e35350db95470f1da56
SHA1 hash: c0e48076405836c8f2149aaf9eda88b5db4b27a0
MD5 hash: 2e50494b11b533c4048a392440b8be39
humanhash: asparagus-alanine-carbon-december
File name:LPO-pdf.JS
Download: download sample
Signature DBatLoader
Create hunting rule
File size:7'606'122 bytes
First seen:2025-06-24 15:09:29 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 6144:4NYV+AMiLNA5QNuD/sGrZV5AofDr5CVhh5mVOOdAzhnXKEbN9v66cUOGgGYGVm1+:b
Threatray 1'111 similar samples on MalwareBazaar
TLSH T12D76AD8E8D0FF7473092DFE06A88B99AE03B66831B112A7074DC4D0AB75DE5B1CDD658
Magika javascript
Reporter abuse_ch
Tags:DBatLoader js

Intelligence

File Origin
# of uploads :
1
# of downloads :
422
Origin country :
NL NL
Vendor Threat Intelligence
Verdict:
Clean
Score:
N/A%
Link:
https://cyber-fortress.com/docs/result/index.php?id=685abff1b06783b9ebd6d645
Tags:
n/a
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug dropper entropy evasive fingerprint keylogger packed
Link:
https://www.filescan.io/uploads/685abff13faf8fcd7d3f5f09/reports/b49ad196-eaee-4d2a-9468-61f28217a6c4/overview
Verdict:
Malicious
Labled as:
Generik.CCTBIGC trojan
Link:
https://www.hybrid-analysis.com/sample/de2924e0b41f3ead65900156974f3048ad41886489c95e01064b5b0885781ecd
Result
Threat name:
Remcos, DBatLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1721975
Signature
Allocates many large memory junks
Allocates memory in foreign processes
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files with a suspicious file extension
Found malware configuration
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Sigma detected: Remcos
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1721975 Sample: LPO-pdf.JS.js Startdate: 24/06/2025 Architecture: WINDOWS Score: 100 43 irritaspec.xyz.parsvana-grp.biz 2->43 59 Found malware configuration 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 Yara detected DBatLoader 2->63 65 10 other signatures 2->65 9 wscript.exe 1 4 2->9         started        13 rundll32.exe 3 2->13         started        signatures3 process4 file5 33 C:\Users\user\AppData\Local\Temp\HEO.PIF, PE32 9->33 dropped 35 C:\Users\Public\Libraries\amsi.dll, PE32 9->35 dropped 37 C:\Users\user\AppData\Local\Temp\amsi.dll, PE32 9->37 dropped 77 Benign windows process drops PE files 9->77 79 Drops PE files with a suspicious file extension 9->79 81 Windows Scripting host queries suspicious COM object (likely to drop second stage) 9->81 15 HEO.PIF 3 9->15         started        19 Dncjppca.PIF 13->19         started        signatures6 process7 file8 39 C:\Users\Public\Libraries\acppjcnD.pif, PE32 15->39 dropped 41 C:\Users\Public\...\Dncjppca.PIF (copy), PE32 15->41 dropped 47 Drops PE files with a suspicious file extension 15->47 49 Writes to foreign memory regions 15->49 51 Allocates memory in foreign processes 15->51 53 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 15->53 21 acppjcnD.pif 4 15->21         started        25 cmd.exe 1 15->25         started        55 Sample uses process hollowing technique 19->55 57 Allocates many large memory junks 19->57 27 acppjcnD.pif 19->27         started        signatures9 process10 dnsIp11 45 irritaspec.xyz.parsvana-grp.biz 198.23.227.212, 2404, 49691, 49693 AS-COLOCROSSINGUS United States 21->45 67 Contains functionality to bypass UAC (CMSTPLUA) 21->67 69 Detected unpacking (changes PE section rights) 21->69 71 Detected Remcos RAT 21->71 75 5 other signatures 21->75 73 Uses schtasks.exe or at.exe to add and modify task schedules 25->73 29 conhost.exe 25->29         started        31 schtasks.exe 1 25->31         started        signatures12 process13
Score:
83%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/de2924e0b41f3ead65900156974f3048ad41886489c95e01064b5b0885781ecd
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/de2924e0b41f3ead65900156974f3048ad41886489c95e01064b5b0885781ecd/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-06-24 13:08:53 UTC
File Type:
Text (JavaScript)
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3yusjyfud47k2zmqafljotzqjcwudcderhev4aigjnnqrblyd3gq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
dbatloader
Create hunting rule
Similar samples:
247d6d1179ccbf509dc97a8cc40533f386c90104be00aae10629f2ad962a50a6
DBatLoader
2cd854191967af9ed91f754e88853c195473540a5234a598b8e9dcf69242e48f
DBatLoader
506ecb76cf8e39743ec06129d81873f0e4c1ebfe7a352fc5874d0fc60cc1d7c6
DBatLoader
581839491509f10044d68d1c5695a489a317a332517d7b4d640fea83096bad81
DBatLoader
c39f34c2541a3b808efabac95b5f7182b38f1f5a49cfc1037d53a89c527ed376
DBatLoader
ecd6819d5dbfda11e65380a6fc01db1714ccb8d8ab271c18e3ecd6eed04722b4
DBatLoader
error
DBatLoader
+ 1'101 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader discovery execution trojan
Link:
https://tria.ge/reports/250624-skcr9sdr4t/
Behaviour
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.60
Link:
https://yomi.yoroi.company/submissions/de2924e0b41f3ead65900156974f3048ad41886489c95e01064b5b0885781ecd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments