
DBatLoader

Global rank: 52
Month rank: 11
Week rank: 13
IOCs: 950

DBatLoader is a loader malware used for distributing payloads of different types, including WarzoneRAT and Formbook. It is employed in multi-stage attacks that usually start with a phishing email carrying a malicious attachment.

Type: Loader
Origin: Unknown
First seen: 1 June, 2020
Last seen: 28 February, 2024


IOCs



What is DBatLoader malware?

DBatLoader is a loader written in Delphi that has been in extensive use among attackers since 2020. One of the key features of the malware is its reliance on legitimate cloud-based platforms such as Discord for hosting its payloads. DBatLoader has been involved in numerous campaigns and leveraged to deploy stealers, trojans, and other threats.

In most cases, DBatLoader manages to infect machines via multi-stage attacks. For instance, victims may receive an email attachment in the form of a PDF file. Upon opening the attachment, users may be prompted to click on a seemingly genuine button embedded with a malicious link. Clicking this link will initiate the download of a Windows Cabinet file, which, in turn, will trigger the installation of DBatLoader on the unsuspecting user's computer.


Technical details of the DBatLoader malicious software

DBatLoader’s sole purpose is to distribute other malware on the devices it manages to infect. To do this, the developers behind DBatLoader have equipped their malicious software with several advanced capabilities.

For example, DBatLoader can bypass User Account Control (UAC) to gain elevated privileges. It does this by exploiting the mock folder technique. In Windows, certain trusted executables launched from specific system directories auto-elevate without a UAC prompt. DBatLoader abuses this by creating a mock folder whose name matches a trusted location except for a trailing space, such as "C:\Windows\System32 " (note the space), which Windows treats as a separate, attacker-writable directory.

DBatLoader then copies a legitimate executable into this mock folder and injects it with its malicious DLL, which lets the payload downloaded by DBatLoader run with elevated privileges and without any security prompts, while also providing persistence.
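A defender-side check for the mock folder pattern described above, written as an added example (not ANY.RUN's code). It scans constructed process-start and file-write telemetry for paths under a directory that equals a trusted auto-elevation directory once trailing whitespace is removed; it generalizes slightly beyond the page's example by catching whitespace in any path component, not only after System32. The trusted directory list and the sample events are assumptions.

```python
import ntpath
from typing import List, Optional

# Directories whose trusted executables auto-elevate without a UAC prompt.
# Illustrative list (assumption); extend it to match your environment.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def mock_folder_of(path: str) -> Optional[str]:
    """Return the offending directory when *path* sits under a folder that is a
    trusted directory plus trailing whitespace in some component, for example
    'C:\\Windows\\System32 \\x.exe'. Windows treats that as a distinct folder an
    attacker can write to, while a naive trust check still sees System32."""
    parts = path.replace("/", "\\").lower().split("\\")
    directory_parts = parts[:-1]  # drop the file name, keep the directory chain
    if not any(p != p.rstrip() for p in directory_parts):
        return None  # no padded component: nothing to mimic a trusted path
    stripped = "\\".join(p.rstrip() for p in directory_parts)
    for trusted in TRUSTED_DIRS:
        if stripped == trusted or stripped.startswith(trusted + "\\"):
            return "\\".join(directory_parts)  # the padded (mock) directory
    return None


def scan_events(events: List[dict]) -> List[str]:
    """Flag files written into a mock folder and processes started from one.
    Each event is a dict with 'kind' ('file' or 'process') and 'path'."""
    alerts = []
    for ev in events:
        folder = mock_folder_of(ev["path"])
        if folder is None:
            continue
        what = "file written to" if ev["kind"] == "file" else "process started from"
        alerts.append(f"{what} mock folder {folder!r}: {ev['path']}")
    return alerts


# Constructed sample telemetry (not from the page); note the padded components.
SAMPLE_EVENTS = [
    {"kind": "process", "path": r"C:\Windows\System32\cmd.exe"},       # benign
    {"kind": "file", "path": r"C:\Windows\System32 \legit.exe"},        # copy of a real binary
    {"kind": "file", "path": r"C:\Windows\System32 \payload.dll"},      # malicious DLL beside it
    {"kind": "process", "path": r"C:\Windows \System32\legit.exe"},     # variant: space after Windows
    {"kind": "process", "path": r"C:\Windows\System32\xcopy.exe"},     # benign
]

if __name__ == "__main__":
    for line in scan_events(SAMPLE_EVENTS):
        print(line)
```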

Another vulnerability DBatLoader has abused in previous attacks is CVE-2018-0798, a flaw in the Equation Editor component of Microsoft Office. The malware has also been observed using steganography to hide its payloads.

As mentioned, DBatLoader is usually configured to pull malicious payloads from servers of popular cloud storage services, including Microsoft OneDrive and Google Drive. Some of the notable examples of malware dropped by DBatLoader are Formbook, Warzone, and Remcos.

Execution process of DBatLoader

In order to detect DBatLoader, it is vital to analyze the latest samples of this malware and collect up-to-date information on it. To this end, we can use ANY.RUN, a malware analysis sandbox that lets us quickly analyze any suspicious file or link to spot threats.

Let’s upload a sample of DBatLoader to ANY.RUN and study its behavior.

In this task, DBatLoader was distributed as an executable file with a name mimicking the title of a document, attempting to trick users into opening the file and executing the malicious code. Upon execution, DBatLoader downloads and injects the Formbook malware into the Control and Explorer system processes, enabling its malicious activity.


DBatLoader's process tree demonstrated in ANY.RUN

In addition, this loader can be used in more sophisticated attacks, such as exploiting vulnerabilities to gain a foothold on the system. These can be well-known vulnerabilities like CVE-2017-11882 as well as lesser-known ones. On top of that, DBatLoader can also make use of built-in system utilities. In this task, a whole arsenal of such utilities is actively used, including cmd, ping, and xcopy, partly for lateral movement. Eventually, DBatLoader drops Remcos, which immediately begins operating.

Distribution methods of the DBatLoader malware

Phishing campaigns are the most common attack vector involving DBatLoader. Emails sent by the malware's operators target various organizations and are disguised as genuine messages. In many cases, the criminals even send them from legitimate email accounts they have hijacked or otherwise gained access to.

The subject of such emails concerns different business-related matters, such as payments and other arrangements. For example, attackers may send fake invoices as Microsoft Office or PDF files. These files usually contain a link that, once clicked, can trigger the infection leading to DBatLoader being dropped on the computer and the eventual deployment of the final payload.

Conclusion

DBatLoader remains an active threat commonly used by criminals in their attacks on various types of organizations. To keep your infrastructure safe, it is essential that you have strong security measures in place, especially when it comes to software for detecting and inspecting threats.

Use the ANY.RUN sandbox as a reliable tool for analyzing emails you receive to safely determine if they pose any danger. ANY.RUN’s interactive cloud environment makes it easy to investigate the most advanced phishing campaigns and uncover multi-stage attacks in minutes. The service provides you with convenient text reports containing all the relevant information on the files and links you submit, including fresh IOCs.

