MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f742048a48e4d17061d323b8543db4e61163d13739ab9c18e8d1c85aef2ca7ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DBatLoader

Vendor detections: 15

Intelligence 15 IOCs YARA 3 File information Comments

SHA256 hash:	f742048a48e4d17061d323b8543db4e61163d13739ab9c18e8d1c85aef2ca7ff
SHA3-384 hash:	b14d30312584ec1b6c049945745f33cc522ac2d16d5e3b7d774423d9ae424d283f61f0bcc722dd2fb7798b8e8ea7f51a
SHA1 hash:	e4429da9ceede2151052ca494f67358c1247c893
MD5 hash:	72d7655f057ccc74ae32386a854001b5
humanhash:	early-batman-mango-december
File name:	PI and payment confirmed pdf.exe
Download:	download sample
Signature	DBatLoader Create hunting rule
File size:	2'713'600 bytes
First seen:	2023-11-08 08:15:09 UTC
Last seen:	2023-11-08 10:42:19 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	4cd4c9aaa1a9827538687e74814589bd (10 x DBatLoader, 1 x Formbook)
ssdeep	49152:7xWIu4XYOtRwohuzcMwF5yNkr+eHlBJ/k2IDfA9RC0d3:7UIkOAxcMEyNkrzpDMe
TLSH	T1E9C5F132E15124F3D2724D3EEC1A56546836BE723C2C6643AFA73E6C1E352B476163B2
TrID	36.1% (.SCR) Windows screen saver (13097/50/3) 29.0% (.EXE) Win64 Executable (generic) (10523/12/4) 12.4% (.EXE) Win32 Executable (generic) (4505/5/1) 5.7% (.EXE) Win16/32 Executable Delphi generic (2072/23) 5.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	74f4d4d4cc8cdcc4 (12 x DBatLoader, 1 x Formbook)
Reporter	abuse_ch
Tags:	DBatLoader exe

Intelligence

File Origin

# of uploads :

# of downloads :

303

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PI and payment confirmed pdf.exe

Verdict:

Malicious activity

Analysis date:

2023-11-08 09:31:04 UTC

Tags:

dbatloader

Link:

https://app.any.run/tasks/64e156ba-6c0f-44a9-a67d-55d059fdbac9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.MalwareX-gen.8499.31332.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Searching for synchronization primitives

Gathering data

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

control greyware keylogger lolbin masquerade overlay packed replace

Link:

https://www.filescan.io/uploads/654b43da5f12cb0ef53b6b5f/reports/ab9655ea-b712-4094-97ef-9ef26c934b20/overview

Verdict:

Malicious

Labled as:

Barys.Generic

Link:

https://www.hybrid-analysis.com/sample/f742048a48e4d17061d323b8543db4e61163d13739ab9c18e8d1c85aef2ca7ff

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

IEInspector Software

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/cf9feedf-0eed-45f5-ae5b-21524f997d9e

Result

Threat name:

FormBook, DBatLoader

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1338882

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected FormBook malware

Drops PE files with a suspicious file extension

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Steal Google chrome login data

System process connects to network (likely due to code injection or exploit)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected DBatLoader

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/f742048a48e4d17061d323b8543db4e61163d13739ab9c18e8d1c85aef2ca7ff

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f742048a48e4d17061d323b8543db4e61163d13739ab9c18e8d1c85aef2ca7ff/

Threat name:

Win32.Trojan.ModiLoader

Status:

Malicious

First seen:

2023-11-08 07:44:31 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=65bajcsi4tixayoteo4fipnu4yiwhujxhgvzyghi2hefv3zmu77q._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

modiloader

Score:

10/10

Tags:

family:modiloader persistence trojan

Link:

https://tria.ge/reports/231108-j555wagb8y/

Behaviour

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Program crash

Adds Run key to start application

ModiLoader Second Stage

ModiLoader, DBatLoader

Unpacked files

SH256 hash:

b84daaf8a74ca536da7ec9c2a72d418ebe2db4462b99d7ee69fbc4713ffc8930

MD5 hash:

e943ba5fb84c37030c0daf907c79825c

SHA1 hash:

d393d513939c6a4b1e5fb2598ef14ed424fcb9e2

Detections:

win_dbatloader_g1

Link:

https://www.unpac.me/results/bc69734c-6b47-497f-8412-4612f33575c6/

Parent samples :

a3c849f16457f5e170e594c7ca0a2fbb12d9e144e83e51d93f4fab8d62a5de82
f95d84bd16012696182588589d691c5eaa131d28b7dc53cad85d497d61dab85f
6b390b01eb98d6376430626d51e2745f1a4f57cf89b9b6cfb81f968d44af09c8
2b9f29f475b49afdcc26e603cc6ff6508ff3bd7666cd181a1e7c5fac231f677c
e329d4fdf3557b00cfd9044dbd12048077fcb6f8cdbaf1553308e292bf6a3707
9fd26cbae8d741263a304f7532107d61d6e78b91a1e551dc2822131dc70eddc0
f76b8555effde0257cd4c22e62e7aeb3c4f055bac15cc24c46de1292fe7b034f
035f5ee40a4986872d3480fa5d5e96e4dd56c0d1b93cd77a82cadce3283243e7
c9f192e7d1592bfc56e3209da73bbf5fb8a5fbcfcc2d492dbdddfc60c77a1d20
af2a5455f4de7136e90e94e7bee5ba398d01f09ab9d01ef32bb70e560030b650
4397154fc1574bb682c055e6c5cefd36155aa07928edce3593ef38cb975b1f0f
267f54dc36591c1746dba949c776e015c9c89be7a11f4c3ebf7ab0fb4510e0e3
129a9a2dbbd1c3f8c82b66d020ec59b82878ab94a30647902d80dbeb92f74878
4b45c80c13d9143811cacdda64ac2e4cab04fe6262e16cb813836fd244ff5b9c
13a14e45ca00f015b20954bfd7eed1a9eaf0a763da1d155e673e53d31821abb1
582cf4bb7c3f703cb6bbacd2bfa8a1d2f098ca11e0d0fddb8c1d8e812ddc2d69
5e9fb70e299a28b494b0ef9522226219e4dbf7dcf1aeae541f23eaa90ff3f28f
e4fbd0f46d093579c855bf711e874a5ba4e6f3ea047ae5964a08bfb1e762d4f6
204d5541a347bee64224d392403286271bc2351c50101e89b19e896f1756b389
48b290c2bfc5741616cef2f1904acebfc3366cfc99388f075aeb26100881ea98
f45307b5999dab601bb6371d4617cb7378d352e234f1df11b5ba41d779a90564
7a79cdd88f52bd9acdbe1b312bf1583e09827d58b293f53a3d261a654dcfb1df
04f083fb8b7b8ff01c98b972859d03db4de185f81877e180317792e2361043cf
85ca618bef7b97885f9f8c83a5abcb5afcafe9b6ffc3db6893a0dcdd61f6a891
53ac3a6c6aa59e943cff071d3100d55d826268f96e2366ddad3b32fe8c9b98e2
771af3e897f1d32625cdc3cf41d76dcfd21ae27994b721ae6c7cb82bcb284789
b1ca8bbed94ba2690e722c88c1af75082b8a4abf9d7f70206f986746aaa0eae2
39b4aba5e8641981ee7c36537c71403e038895c5699f172498fb99f51f994b85
6b1c7f3b04daf1250db40b85131f39811315781ca521135b7648f453bfbe55cf
22e384543598c8f6d4b45b6d19c09f23e08429a89bb3fe580b368c8aecb9663b
f742048a48e4d17061d323b8543db4e61163d13739ab9c18e8d1c85aef2ca7ff
7e0c562b58d5c2183c98af42b5ff6b6cee6d7d82ad89e773bf0ba9c7f67c04b4
14323b6d2d712b7cd421ca1f6c0d25343fbb7cb94144e338d7a042f0f421e3b7
96df4af7b51b4a03a7014169c0862ed5820d4326d217f5ef4e099c1667a8045d
c2f8b88850fcbc4df88e6708b12a265ed133ba04702f89ae9cf1da504c11bc6e
452fa0451a2bb4c555368aec8f070a3db895414d43e089af54431ebf89d50841
d9c05e4806384074097aabfbdd8965b3767d673f9032b06bed207fda7feccbd7
3ba6ce638dcb1c82a2d3096edcc46a1d5086b9233c4e8be471ba748af9d9b41a
b2a65a2aa1c5bed21112712762ddb73f254219e8037e57c984c1bcd65ad576a7
448a8114208fbb7d2e83c81d59bc262d6857937ec0bceeebda75ad978265b5dc
9dbe21429d77afca07940928b39d0e7c9d994ea9d10a651ccd5189d4522be1cf
cf9cebd5de732b485456f6de49e70b488fb4658c48af572b16b6b2943dfadd50
214d29953c8211d48c06ce4e16239920b4ed1e148428a9165dcfe184fd6ab619
2a347e81537122aca6656bd41eab07d8abd57d85684e71c877650c96963f9123
8282976c399101d48a2f46771f768d37f4de4124d00f4ba8f01d63d6ef935c1a
c016c2649684722dc1e308e080f1739f3314927b3c022f63ad7da9caacd79a63
ea854ab77631dbf87f8a69de2f865d33751dcd3fe5b0284c38e12de2f471a9a4
1868a740c4a9ad3f6df9ee149c74de5744e3488faa33bf3c9811882fbb5d76af
c6e6d9dd75af4dd8ec008e9dc75688b0325d31c822eef311783feaffff7c0dbb

SH256 hash:

7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

MD5 hash:

c116d3604ceafe7057d77ff27552c215

SHA1 hash:

452b14432fb5758b46f2897aeccd89f7c82a727d

Link:

https://www.unpac.me/results/bc69734c-6b47-497f-8412-4612f33575c6/

SH256 hash:

d0b17d550b40aac5b21b78e2ef90f7d8878b582346cc8378446b99b69fa87f38

MD5 hash:

37ab311556b247bcaf89c14daecffce3

SHA1 hash:

32bc25cb35eb4d65d3a7485a9ec5c28603ad3735

Link:

https://www.unpac.me/results/bc69734c-6b47-497f-8412-4612f33575c6/

SH256 hash:

f742048a48e4d17061d323b8543db4e61163d13739ab9c18e8d1c85aef2ca7ff

MD5 hash:

72d7655f057ccc74ae32386a854001b5

SHA1 hash:

e4429da9ceede2151052ca494f67358c1247c893

Detections:

DbatLoaderStage1

Link:

https://www.unpac.me/results/bc69734c-6b47-497f-8412-4612f33575c6/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f742048a48e4/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

DBatLoader

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f742048a48e4d17061d323b8543db4e61163d13739ab9c18e8d1c85aef2ca7ff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BobSoftMiniDelphiBoBBobSoft Create hunting rule
Author:	malware-lu

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DBatLoader

exe f742048a48e4d17061d323b8543db4e61163d13739ab9c18e8d1c85aef2ca7ff

(this sample)

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample