MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f37632331d0498e3ca7719a0e93310621bc3427bd8fec2fdd689b85be9ae5b6b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f37632331d0498e3ca7719a0e93310621bc3427bd8fec2fdd689b85be9ae5b6b
SHA3-384 hash: 8446830de978708d5bf71d8faac72234ced2c7e9df7e90cbafec21a1883a80afd5d4379a46ee735965473d63ddd1aa27
SHA1 hash: c972beb0743a87cf753f011b345867e219c53827
MD5 hash: 0571e974065e0062ce31e81fe789346e
humanhash: undress-paris-wisconsin-snake
File name:IMAGEDocumentsDOC0559DOC0302732112202135JIH.exe
Download: download sample
Signature DBatLoader
Create hunting rule
File size:751'616 bytes
First seen:2022-07-20 06:52:05 UTC
Last seen:2022-07-20 07:59:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a1fe30710cd81c908b0878e166e653d4 (2 x DBatLoader, 2 x RemcosRAT, 1 x Formbook)
ssdeep 12288:mDVyc7hRZ/ksbXlwv/qcAD/reQynzySzQrtVSX3x7FRSRjAf2rDNtl2aCHVVfHg:O9j1ksXev/qcADPyzySzWtVSn52pAf2s
TLSH T1C0F49D36E2F0CE36C1AA097F5D5B72A65C2C7E202D29F94A6BD5394C1FF974025282D3
TrID 26.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
24.5% (.SCR) Windows screen saver (13101/52/3)
19.7% (.EXE) Win64 Executable (generic) (10523/12/4)
8.4% (.EXE) Win32 Executable (generic) (4505/5/1)
5.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon 27d0d8d6d6d8d023 (11 x RemcosRAT, 6 x DBatLoader, 5 x ModiLoader)
Reporter lowmal3
Tags:DBatLoader exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
195
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/292740/
Detection(s):
SecuriteInfo.com.Variant.Zusy.433412.11119.31541.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching the process to interact with network services
Launching a process
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/26824/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger obfuscated packed
Link:
https://www.filescan.io/uploads/62d7a668ef2b0e63a828d3c6/reports/943f163a-2e7e-46c4-9ff8-3741a2fcb087/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dcd5844a-2047-4b64-96c9-8724b523f837
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.expl
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1037424
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f37632331d0498e3ca7719a0e93310621bc3427bd8fec2fdd689b85be9ae5b6b/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2022-07-20 05:28:07 UTC
File Type:
PE (Exe)
Extracted files:
40
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6n3demy5asmohstxdgqosmyqmin4gqt33d7mf7owrg4fx2nolnvq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:remcos persistence rat trojan
Link:
https://tria.ge/reports/220720-hnmfrschb4/
Behaviour
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
ModiLoader, DBatLoader
Remcos
Unpacked files
SH256 hash:
e5cee39f56c43d207f40862077d5b015e62929ff21f9de4e45c3b958c8947770
MD5 hash:
0de7dbbda445e257c9169774b9a8000b
SHA1 hash:
23ab78a6fdd513f2b3877efc92a71fe7d44db0db
Link:
https://www.unpac.me/results/3ad74afd-5f0b-43f0-9068-14ef51c57905/
SH256 hash:
f37632331d0498e3ca7719a0e93310621bc3427bd8fec2fdd689b85be9ae5b6b
MD5 hash:
0571e974065e0062ce31e81fe789346e
SHA1 hash:
c972beb0743a87cf753f011b345867e219c53827
Link:
https://www.unpac.me/results/3ad74afd-5f0b-43f0-9068-14ef51c57905/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f37632331d0498e3ca7719a0e93310621bc3427bd8fec2fdd689b85be9ae5b6b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DBatLoader

Executable exe f37632331d0498e3ca7719a0e93310621bc3427bd8fec2fdd689b85be9ae5b6b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/292740/

Comments