
DBatLoader

Global rank: 49
Month rank: 23
Week rank: 21
IOCs: 1382

DBatLoader is a loader malware used for distributing payloads of different types, including WarzoneRAT and Formbook. It is employed in multi-stage attacks that usually start with a phishing email carrying a malicious attachment.

Type: Loader
Origin: Unknown
First seen: 1 June, 2020
Last seen: 22 May, 2024


IOCs



What is DBatLoader malware?

DBatLoader is a loader written in Delphi that has been in extensive use among attackers since 2020. One of the key features of the malware is its reliance on legitimate cloud-based platforms such as Discord for hosting its payloads. DBatLoader has been involved in numerous campaigns and leveraged to deploy stealers, trojans, and other threats.

In most cases, DBatLoader manages to infect machines via multi-stage attacks. For instance, victims may receive an email attachment in the form of a PDF file. Upon opening the attachment, users may be prompted to click on a seemingly genuine button embedded with a malicious link. Clicking this link will initiate the download of a Windows Cabinet file, which, in turn, will trigger the installation of DBatLoader on the unsuspecting user's computer.


Technical details of the DBatLoader malicious software

DBatLoader’s sole purpose is to distribute other malware on the devices it manages to infect. To do this, the developers behind DBatLoader have equipped their malicious software with several advanced capabilities.

For example, DBatLoader can bypass User Account Control (UAC) to gain elevated privileges. It does this with the so-called mock folder technique. In Windows, certain executables launched from trusted system directories auto-elevate without a UAC prompt. DBatLoader abuses this by creating a mock folder whose name imitates a trusted location but carries a trailing space, such as "C:\Windows\System32 ".

On top of that, DBatLoader copies a legitimate executable into this fake folder and loads its malicious DLL into it, so that the payload DBatLoader downloads can run without triggering any security prompts and can persist on the host.
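As an added example (not part of the original page or of ANY.RUN's tooling), the following Python checker flags file paths and Sysmon-style process-creation lines whose directory components spell a trusted Windows folder name with extra whitespace, i.e. the mock folder pattern described above. The trusted-name set, the sample events and the file names are constructed placeholders.

```python
import re

# Directory names that a mock folder imitates. Assumption: this set is
# illustrative; extend it with other trusted locations in your environment.
TRUSTED_DIR_NAMES = {"windows", "system32", "syswow64"}


def mock_folder_components(path: str) -> list:
    """Return path components that spell a trusted directory name padded with
    whitespace, e.g. 'System32 ' (trailing space) in C:\\Windows\\System32 \\."""
    hits = []
    for part in re.split(r"[\\/]+", path):
        if part != part.strip() and part.strip().lower() in TRUSTED_DIR_NAMES:
            hits.append(part)
    return hits


def is_mock_folder_path(path: str) -> bool:
    return bool(mock_folder_components(path))


def flag_process_events(lines):
    """Scan Sysmon-style process-creation lines ('Image: <path>|...') and
    return (image, suspicious components) for every image launched from a
    mock folder."""
    flagged = []
    for line in lines:
        m = re.search(r"Image:\s*([^|]*?)\s*(?:\||$)", line)
        if not m:
            continue
        image = m.group(1)
        hits = mock_folder_components(image)
        if hits:
            flagged.append((image, hits))
    return flagged


# Constructed sample events (not real telemetry); file names are placeholders.
SAMPLE_EVENTS = [
    "Image: C:\\Windows\\System32\\cmd.exe|ParentImage: C:\\Windows\\explorer.exe",
    "Image: C:\\Windows\\System32 \\copied_tool.exe|ParentImage: C:\\Users\\u\\Invoice.exe",
    "Image: C:\\Windows \\System32\\copied_tool.exe|ParentImage: C:\\Users\\u\\Invoice.exe",
    "Image: C:\\Program Files\\App\\app.exe|ParentImage: C:\\Windows\\explorer.exe",
]

if __name__ == "__main__":
    for image, hits in flag_process_events(SAMPLE_EVENTS):
        print(f"mock folder in image path: {image!r} -> {hits}")
```

The same check can be applied to directory listings of the system drive root, where a folder named "Windows " next to the real "Windows" should not exist.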

Another vulnerability DBatLoader has abused in previous attacks is CVE-2018-0798, a flaw in the Equation Editor component of Microsoft Office. The malware has also been observed using steganography.

As mentioned, DBatLoader is usually configured to pull malicious payloads from servers of popular cloud storage services, including Microsoft OneDrive and Google Drive. Some of the notable examples of malware dropped by DBatLoader are Formbook, Warzone, and Remcos.

Execution process of DBatLoader

In order to detect DBatLoader, it is vital to analyze the latest samples of this malware and collect up-to-date information on it. To this end, we can use ANY.RUN, a malware analysis sandbox that lets us quickly analyze any suspicious file or link to spot threats.

Let’s upload a sample of DBatLoader to ANY.RUN and study its behavior.

In this task, DBatLoader was distributed as an executable file with a name mimicking the title of a document, attempting to trick users into opening the file and executing the malicious code. Upon execution, DBatLoader downloads and injects the Formbook malware into the Control and Explorer system processes, enabling its malicious activity.

DBatLoader's process tree demonstrated in ANY.RUN

In addition, this loader can be used in more sophisticated attacks that exploit vulnerabilities to penetrate the system, including well-known ones such as CVE-2017-11882 as well as lesser-known ones. DBatLoader also makes use of built-in system utilities in its attacks. In this task, a whole arsenal of them is actively used, such as cmd, ping, and xcopy, including for the purpose of lateral movement. Eventually, DBatLoader drops Remcos, which immediately begins operating.

Distribution methods of the DBatLoader malware

Phishing campaigns constitute the most common attack vector involving DBatLoader. Emails sent by the operators of the malware target different organizations and are disguised as genuine messages. In many cases, criminals even send them from legitimate email addresses they have hijacked or otherwise gained access to.

The subject of such emails concerns different business-related matters, such as payments and other arrangements. For example, attackers may send fake invoices as Microsoft Office or PDF files. These files usually contain a link that, once clicked, can trigger the infection leading to DBatLoader being dropped on the computer and the eventual deployment of the final payload.

Conclusion

DBatLoader remains an active threat commonly used by criminals in their attacks on various types of organizations. To keep your infrastructure safe, it is essential that you have strong security measures in place, especially when it comes to software for detecting and inspecting threats.

Use the ANY.RUN sandbox as a reliable tool for analyzing emails you receive to safely determine if they pose any danger. ANY.RUN’s interactive cloud environment makes it easy to investigate the most advanced phishing campaigns and uncover multi-stage attacks in minutes. The service provides you with convenient text reports containing all the relevant information on the files and links you submit, including fresh IOCs.
