MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e27129d1d44ca69f37a0eb4794edabca8cfdc3fad6d98acad30444d0d4a9bcb8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e27129d1d44ca69f37a0eb4794edabca8cfdc3fad6d98acad30444d0d4a9bcb8
SHA3-384 hash: 8890b34966a7a8a449a3d0f04b3e7870a9724090cc2a9bdef838d5e8738c219091e939ae7ed74926bc228a8d0d2289d1
SHA1 hash: 25896c0a3d115d336170f85f511a764153b19611
MD5 hash: 3a4a8e556d731fbe6c0f3389655059e3
humanhash: skylark-cat-april-edward
File name:RFQ-3100035627.vbs
Download: download sample
Signature DBatLoader
Create hunting rule
File size:1'513'147 bytes
First seen:2025-04-30 08:17:23 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 24576:J2TBSG6mYPSTi8DZUoOQ9oPL3BndIbDaX5T6SxatLLh0sI6hwGwg3ZYUKhpcGXPm:CeOZUNQ9ozBqb+03ZYUEftqXa2
Threatray 301 similar samples on MalwareBazaar
TLSH T17065AE71840EAE4E2B9F48D55418EBE04D243887B328DF57DC49A162D2F95F7A86C8FC
Magika vba
Reporter abuse_ch
Tags:DBatLoader vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/5174/
Detection(s):
Sanesecurity.Malware.28953.VbsHeur.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PUA.Base64EXE-1.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6811e484c8b2e86d0ac50eef
Tags:
autorun valyria cobalt delphi
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context dropper exploit fingerprint keylogger obfuscated obfuscated packed
Link:
https://www.filescan.io/uploads/6811dcbf212716475fb132c7/reports/542ed84c-2a4b-4a4c-a047-b59e67968345/overview
Verdict:
Malicious
Labled as:
Valyria
Link:
https://www.hybrid-analysis.com/sample/e27129d1d44ca69f37a0eb4794edabca8cfdc3fad6d98acad30444d0d4a9bcb8
Result
Threat name:
DBatLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1677975
Signature
Allocates many large memory junks
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1677975 Sample: RFQ-3100035627.vbs Startdate: 30/04/2025 Architecture: WINDOWS Score: 100 59 tredwqasdgghnbvgtredsw.ydns.eu 2->59 61 taqareer.tech 2->61 63 geoplugin.net 2->63 87 Suricata IDS alerts for network traffic 2->87 89 Found malware configuration 2->89 91 Malicious sample detected (through community Yara rule) 2->91 93 12 other signatures 2->93 9 wscript.exe 2 2->9         started        13 rundll32.exe 3 2->13         started        signatures3 process4 file5 57 C:\Users\user\AppData\Local\Temp\x.exe, PE32 9->57 dropped 115 Benign windows process drops PE files 9->115 117 VBScript performs obfuscated calls to suspicious functions 9->117 119 Windows Scripting host queries suspicious COM object (likely to drop second stage) 9->119 15 x.exe 8 9->15         started        20 Qbzmvirm.PIF 13->20         started        signatures6 process7 dnsIp8 71 taqareer.tech 162.55.232.49, 443, 49714, 49715 ACPCA United States 15->71 53 C:\Users\user\Links\Qbzmvirm.PIF (copy), PE32 15->53 dropped 73 Antivirus detection for dropped file 15->73 75 Multi AV Scanner detection for dropped file 15->75 77 Writes to foreign memory regions 15->77 85 2 other signatures 15->85 22 cmd.exe 1 15->22         started        25 SndVol.exe 4 13 15->25         started        28 cmd.exe 1 15->28         started        30 cmd.exe 1 15->30         started        79 Allocates memory in foreign processes 20->79 81 Allocates many large memory junks 20->81 83 Creates a thread in another existing process (thread injection) 20->83 32 colorcpl.exe 2 20->32         started        file9 signatures10 process11 dnsIp12 101 Uses ping.exe to sleep 22->101 103 Uses schtasks.exe or at.exe to add and modify task schedules 22->103 105 Uses ping.exe to check the status of other devices and networks 22->105 34 esentutl.exe 2 22->34         started        38 conhost.exe 22->38         started        40 alpha.pif 2 22->40         started        42 alpha.pif 2 22->42         started        65 tredwqasdgghnbvgtredsw.ydns.eu 172.245.244.120, 20908, 49718 AS-COLOCROSSINGUS United States 25->65 67 geoplugin.net 178.237.33.50, 49719, 80 ATOM86-ASATOM86NL Netherlands 25->67 107 Contains functionality to bypass UAC (CMSTPLUA) 25->107 109 Contains functionalty to change the wallpaper 25->109 111 Contains functionality to steal Chrome passwords or cookies 25->111 113 2 other signatures 25->113 44 PING.EXE 1 28->44         started        47 conhost.exe 28->47         started        49 conhost.exe 30->49         started        51 schtasks.exe 1 30->51         started        signatures13 process14 dnsIp15 55 C:\Users\Public\alpha.pif, PE32 34->55 dropped 95 Drops PE files to the user root directory 34->95 97 Drops PE files with a suspicious file extension 34->97 99 Drops or copies cmd.exe with a different name (likely to bypass HIPS) 34->99 69 127.0.0.1 unknown unknown 44->69 file16 signatures17
Score:
98%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/e27129d1d44ca69f37a0eb4794edabca8cfdc3fad6d98acad30444d0d4a9bcb8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e27129d1d44ca69f37a0eb4794edabca8cfdc3fad6d98acad30444d0d4a9bcb8/
Threat name:
Script-WScript.Trojan.Valyria
Create hunting rule
Status:
Malicious
First seen:
2025-04-29 07:40:40 UTC
File Type:
Text
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4jystuoujstj6n5a5ndzj3nlzkgp3q7223myvswtarcnbvfjxs4a._file
Verdict:
malicious
Label(s):
dbatloader
Create hunting rule
Similar samples:
061b716c6ca8262d658b5877cd23d1013e90831193da7e19cd03ca0f22b176bc
DBatLoader
937e801eb514b4f00dd260d699cd69247c1bf9b65f925c164704a16bbf8e5156
DBatLoader
9b00edc001610c6b5a2e2495226c8bdde0eec09e420964f996a1faefa71c404a
DBatLoader
ac4e313d582ab153491aa677a62883b70a2e8a907a009ace26e906712dda5e97
DBatLoader
b662371c1c5432f0afe379c120312a067671bbc44157971350df21d0c59e5cc1
DBatLoader
c5bdbba41fb3b8126904b5ce2c136d922f479e2c47b1eead8c093a6ba49ced7b
DBatLoader
c8c42ae2eaf33626062223dbafa0d63db32e52fddaccb86794368761784eac4e
DBatLoader
d81e8904bd7fe99cb71dca45476edd03b67f687c057c338fc8177784f151b34b
DBatLoader
ea7950a3761e0dbcf1c6e3e2a1167ea296d7986864a35bfd260bb6c0e00f4747
DBatLoader
error
DBatLoader
fa6ec12f35910f73e041be58cd4ac6b7b1ae836879e2960f6d38fc66e2f870c5
DBatLoader
+ 291 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader discovery trojan
Link:
https://tria.ge/reports/250430-j7clca1ms8/
Behaviour
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Checks computer location settings
Executes dropped EXE
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DBatLoader
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e27129d1d44ca69f37a0eb4794edabca8cfdc3fad6d98acad30444d0d4a9bcb8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/5174/

Comments