MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8e1323fb7c77643d8bf6df30259f00bf2a6b548d532c4e0ddbf124252d792f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DBatLoader


Vendor detections: 14


Intelligence 14 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f8e1323fb7c77643d8bf6df30259f00bf2a6b548d532c4e0ddbf124252d792f8
SHA3-384 hash: d7678cc8d9bca57b3409af2aa6ca986f65292d52774cdec69047d4d7ebf16a28d09736afb006846b08769e04ae24fb1c
SHA1 hash: 6767a2820de6a50484cf9b7d026950c8da955c5b
MD5 hash: 08d0a5b9e8a24e44e1435cfa2ac74112
humanhash: fruit-happy-jig-texas
File name:87667.exe
Download: download sample
Signature DBatLoader
Create hunting rule
File size:1'612'800 bytes
First seen:2025-03-07 15:23:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4eda5f2c6be552ff0151d618e2ef7eff (1 x AsyncRAT, 1 x DBatLoader)
ssdeep 24576:TQXG4B52HnB8zcdFgvVM7hUpn2KjVfwkfOZBzlQYQlngb2T0UW:T+AiyFaS72dBfwk2Zxlyntw
Threatray 61 similar samples on MalwareBazaar
TLSH T1A875D02273A0453AC6931B749C0A529F5425B92C7E286D367EF43FDC1E71282682DDBF
TrID 35.4% (.EXE) Win64 Executable (generic) (10522/11/4)
22.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.1% (.EXE) Win32 Executable (generic) (4504/4/1)
6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon 308c91dcaaaa8530 (2 x DBatLoader, 1 x AsyncRAT, 1 x RemcosRAT)
Reporter abuse_ch
Tags:DBatLoader exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
407
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f23e07aa693f0fe68b22a4889faa67da01718cc8f8165160a269582019a3f2fa
Verdict:
Malicious activity
Analysis date:
2025-03-06 10:35:33 UTC
Tags:
arch-exec delphi dbatloader loader stealer evasion
Link:
https://app.any.run/tasks/189984c6-32cc-4d33-ad43-5200e3b877ad

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67c97a75c8d04e92a4bf5a2a
Tags:
delphi emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a process from a recently created file
DNS request
Connection attempt
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/f8e1323fb7c77643d8bf6df30259f00bf2a6b548d532c4e0ddbf124252d792f8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2d173108-ac99-474a-8548-324ef9954d90
Result
Threat name:
DBatLoader, DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1631914
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files with a suspicious file extension
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected DarkCloud
Yara detected DBatLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1631914 Sample: 87667.exe Startdate: 07/03/2025 Architecture: WINDOWS Score: 100 38 showip.net 2->38 50 Antivirus / Scanner detection for submitted sample 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 Yara detected DarkCloud 2->54 56 3 other signatures 2->56 8 87667.exe 1 8 2->8         started        12 Pijyvykt.PIF 2->12         started        14 Pijyvykt.PIF 2->14         started        signatures3 process4 file5 32 C:\Users\user\Links\tkyvyjiP.pif, PE32 8->32 dropped 34 C:\Users\user\Links\Pijyvykt.PIF, PE32 8->34 dropped 58 Drops PE files with a suspicious file extension 8->58 60 Writes to foreign memory regions 8->60 62 Allocates memory in foreign processes 8->62 64 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 8->64 16 tkyvyjiP.pif 15 8->16         started        20 cmd.exe 1 8->20         started        22 cmd.exe 1 8->22         started        66 Antivirus detection for dropped file 12->66 68 Multi AV Scanner detection for dropped file 12->68 70 Sample uses process hollowing technique 12->70 24 tkyvyjiP.pif 14 12->24         started        26 tkyvyjiP.pif 14 14->26         started        signatures6 process7 dnsIp8 36 showip.net 162.55.60.2, 49682, 49683, 49684 ACPCA United States 16->36 40 Detected unpacking (changes PE section rights) 16->40 42 Detected unpacking (overwrites its own PE header) 16->42 44 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->44 28 conhost.exe 20->28         started        30 conhost.exe 22->30         started        46 Tries to steal Mail credentials (via file / registry access) 26->46 48 Tries to harvest and steal browser information (history, passwords, etc) 26->48 signatures9 process10
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f8e1323fb7c77643d8bf6df30259f00bf2a6b548d532c4e0ddbf124252d792f8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f8e1323fb7c77643d8bf6df30259f00bf2a6b548d532c4e0ddbf124252d792f8/
Threat name:
Win32.Trojan.ModiLoader
Create hunting rule
Status:
Malicious
First seen:
2025-03-06 10:35:35 UTC
File Type:
PE (Exe)
Extracted files:
38
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7dqtep5xy53ehwf7nxzqewpqbpzknnki2uzmjyg5x4jeeuwxsl4a._file
Verdict:
malicious
Label(s):
dbatloader
Create hunting rule
darkcloudstealer
Create hunting rule
Similar samples:
093f9c611518f42f00826d8134b4860080b690678b27a469a33a529f7706b87f
DBatLoader
36f19ccdfa20772ebeb1c2a89e0edd174465f5ac697323b4ab05c2a46ec1a1a7
DBatLoader
39c0a473f81e896be3788cf688247193f2f59249e3186d09afab08c5b17fdebe
DBatLoader
49ac8f158943c6dc683a74e3129b6d3a146fb853f51ea42207038fdadaf641bd
DBatLoader
64f5db0e506c5eb6e017743991cdc6d015737d6776100b0a9906f0256e42ee6f
DBatLoader
8c4334177584d7aee981ada042ff60124cd81a2e51e7c1514f7e2dd22f9335b4
DBatLoader
error
DBatLoader
f8e1323fb7c77643d8bf6df30259f00bf2a6b548d532c4e0ddbf124252d792f8
DBatLoader
fa03da1f02ff38f19efbe7344740a83755b04fb3561bc61ae14e5c5ab91d01b6
DBatLoader
+ 51 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader discovery persistence trojan
Link:
https://tria.ge/reports/250307-ss4kysspy8/
Behaviour
Runs ping.exe
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ff0c4aea-f3c7-46d7-91fa-8448c9149ce9
Unpacked files
SH256 hash:
f8e1323fb7c77643d8bf6df30259f00bf2a6b548d532c4e0ddbf124252d792f8
MD5 hash:
08d0a5b9e8a24e44e1435cfa2ac74112
SHA1 hash:
6767a2820de6a50484cf9b7d026950c8da955c5b
Link:
https://www.unpac.me/results/44e596f9-d702-44b0-92e7-4ed07b7c8269/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DBatLoader
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f8e1323fb7c77643d8bf6df30259f00bf2a6b548d532c4e0ddbf124252d792f8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:ProtectSharewareV11eCompservCMS
Create hunting rule
Author:malware-lu
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vba
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:Windows_Generic_Threat_d7b57912
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_DarkCloud_9905abce
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryExA
kernel32.dll::LoadLibraryW
kernel32.dll::LoadLibraryA
kernel32.dll::GetStartupInfoA
kernel32.dll::GetDiskFreeSpaceA
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::GetFileAttributesA
kernel32.dll::FindFirstFileA
version.dll::GetFileVersionInfoSizeA
version.dll::GetFileVersionInfoA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::FindWindowA
user32.dll::PeekMessageA
user32.dll::PeekMessageW
user32.dll::CreateWindowExA

Comments