Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

DBatLoader

67
Global rank
41 infographic chevron month
Month rank
48 infographic chevron week
Week rank
0
IOCs

DBatLoader is a loader malware used for distributing payloads of different types, including WarzoneRAT and Formbook. It is employed in multi-stage attacks that usually start with a phishing email carrying a malicious attachment.

Loader
Type
Unknown
Origin
1 June, 2020
First seen
1 September, 2025
Last seen

How to analyze DBatLoader with ANY.RUN

Type
Unknown
Origin
1 June, 2020
First seen
1 September, 2025
Last seen

IOCs

IP addresses
94.154.35.25
100.42.176.116
103.91.190.180
20.206.228.177
20.252.43.59
40.74.95.186
Domains
swamfoxinnc.com
setimetntalatsuirity.ddnsfree.com
unilateralcospilino.duckdns.org
willanime.com
cremation-services-98621.bond
cybertechglobalai.com
chronotech.online
bottles2bags.com
druk.site
chatlhh5.com
assabmould.net
data-analytics-78756.bond
de-guru.com
cnwsjd.cfd
dingshenghr.net
8363k.vip
aeroportlogistics.com
601234.net
appeal-request-review.com
ecodfairs.top
URLs
https://onedrive.live.com/download?resid=102EE6226FBFD436%21188&authkey=!ADz_JfnmOU9-zo0
https://onedrive.live.com/download?resid=BFF763635630EB0A%21108&authkey=!AG3F7If7_S5b7is
https://onedrive.live.com/download?resid=D3673E68E5EC9158%211035&authkey=!AFDHJ0ysa4jqMNg
https://onedrive.live.com/download?resid=D2FF5C6240820574%21646&authkey=!AISw4KqBIO6TgGE
https://onedrive.live.com/download?cid=E0CF7F9E6AAF27EF&resid=E0CF7F9E6AAF27EF%211161&authkey=AOgQof0tyWnKNoA
https://drive.google.com/uc?export=download&id=17zI5dj94G2TBdkfJGgtbt_3GrZS3oJFR
https://aarzoomarine.com/wp-content/253_Kqxdlqydhpt
https://1021.filemail.com/api/file/get
https://onedrive.live.com/download?resid=F2DC8284E0A31E9E%21191&authkey=!AMs9a0Jkay0zupc
https://onedrive.live.com/download?resid=E0CF7F9E6AAF27EF%211698&authkey=!AP2ndiARY9jfQNI
https://morientlines.com/xerofileupshsgdydpdfseudidofndhehuplosdsdocumentghy/Scxozmyplhmqutylctxlkglsugzstqx
https://2012.filemail.com/api/file/get
https://onedrive.live.com/download?resid=80A2C2010B1BCE07%211238&authkey=!AKCIqpe5wN0S2p0
https://onedrive.live.com/download?resid=38773C188FECDED2%21107&authkey=!APdTZ0yd8fEkIVs
https://onedrive.live.com/download?resid=8B41338C16482EC%21119&authkey=!AM1EpmNihNYEsQs
https://graffae-my.sharepoint.com/:u:/g/personal/estimator_graff_ae/EXU3ymcTlx9HkiSUJwzwH6gBi8hbq87jnAmkgUUdytHBOQ
https://onedrive.live.com/download?resid=BAF30C9243AC3050%21113&authkey=!AL1F5Ls5tRUL_Zc
https://onedrive.live.com/download?resid=FDB0512DE793B32E%21201&authkey=!AKqy7NQ0hsusk7U
https://onedrive.live.com/download?resid=849ABDB14CA5CEC3%21268&authkey=!AGkSae3yLjJ6J50
https://balkancelikdovme.com/work/Elpuxpkilck
Last Seen at
Last Seen at

Recent blog posts

post image
MSSP Growth Guide: Scaling Threat Detection f...
watchers 748
comments 0
post image
Major Cyber Attacks in August 2025: 7-Stage T...
watchers 1864
comments 0
post image
How to Enrich IOCs with Actionable Threat Con...
watchers 1196
comments 0

What is DBatLoader malware?

DBatLoader is a loader written in Delphi that has been in extensive use among attackers since 2020. One of the key features of the malware is its reliance on legitimate cloud-based platforms such as Discord for hosting its payloads. DBatLoader has been involved in numerous campaigns and leveraged to deploy stealers, trojans, and other threats.

In most cases, DBatLoader manages to infect machines via multi-stage attacks. For instance, victims may receive an email attachment in the form of a PDF file. Upon opening the attachment, users may be prompted to click on a seemingly genuine button embedded with a malicious link. Clicking this link will initiate the download of a Windows Cabinet file, which, in turn, will trigger the installation of DBatLoader on the unsuspecting user's computer.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Technical details of the DBatLoader malicious software

DBatLoader’s sole purpose is to distribute other malware on the devices it manages to infect. To do this, the developers behind DBatLoader have equipped their malicious software with several advanced capabilities.

For example, DBatLoader can avoid User Account Control (UAC) to gain elevated privileges. It does this by exploiting the mock folder vulnerability. In Windows, executables launched from certain system directories can auto-elevate. DBatLoader exploits this by creating a mock folder with the same name as a trusted location, such as "C:\Windows\System32 ".

On top of that, DBatLoader copies a legitimate process to this fake folder and then injects it with its malicious DLL that allows the payload downloaded by DBatLoader to execute freely without any security notifications, achieving sustained persistence.

Another common vulnerability abused by DBatLoader in previous attacks was CVE-2018-0798, an exploit targeting Equation Editor in Microsoft Office. The malware has also been observed to utilize steganography.

As mentioned, DBatLoader is usually configured to pull malicious payloads from servers of popular cloud storage services, including Microsoft OneDrive and Google Drive. Some of the notable examples of malware dropped by DBatLoader are Formbook, Warzone, and Remcos.

Execution process of DBatLoader

In order to detect DBatLoader, it is vital to analyze the latest samples of this malware and collect up-to-date information on it. To this end, we can use ANY.RUN, a malware analysis sandbox that lets us quickly analyze any suspicious file or link to spot threats.

Let’s upload a sample of DBatLoader to ANY.RUN and study its behavior.

In this task, DBatLoader was distributed as an executable file with a name mimicking the title of a document, attempting to trick users into opening the file and executing the malicious code. Upon execution, DBatLoader downloads and injects the Formbook malware into the Control and Explorer system processes, enabling its malicious activity.

Analyze malware for free in a fully interactive cloud sandbox – sign up now!

DBatLoader process tree shown in ANY.RUN DBatLoader's process tree demonstrated in ANY.RUN

In addition, this loader can be used in more sophisticated attacks, such as exploiting vulnerabilities to penetrate the system. These can be familiar vulnerabilities like CVE-2017-11882, as well as lesser known ones. On top of that, DBatLoader can also make use of system utilities in its attacks. In this task, a whole arsenal of system utilities is actively used, such as cmd, ping, and xcopy, including for the purpose of lateral movement. Eventually, DBatLoader drops Remcos that instantly begins its operation.

Distribution methods of the DBatLoader malware

Phishing campaigns constitute the most common vector of attack involving DBatLoader. Emails sent by the operators of the malware target different organizations and are masqueraded as genuine messages. In many cases, criminals even use legitimate email addresses they manage to hijack or gain access to.

The subject of such emails concerns different business-related matters, such as payments and other arrangements. For example, attackers may send fake invoices as Microsoft Office or PDF files. These files usually contain a link that, once clicked, can trigger the infection leading to DBatLoader being dropped on the computer and the eventual deployment of the final payload.

Conclusion

DBatLoader remains an active threat commonly used by criminals in their attacks on various types of organizations. To keep your infrastructure safe, it is essential that you have strong security measures in place, especially when it comes to software for detecting and inspecting threats.

Use the ANY.RUN sandbox as a reliable tool for analyzing emails you receive to safely determine if they pose any danger. ANY.RUN’s interactive cloud environment makes it easy to investigate the most advanced phishing campaigns and uncover multi-stage attacks in minutes. The service provides you with convenient text reports containing all the relevant information on the files and links you submit, including fresh IOCs.

Try ANY.RUN for free – request a demo!

HAVE A LOOK AT

DeerStealer screenshot
DeerStealer
deerstealer
DeerStealer is an information-stealing malware discovered in 2024 by ANY.RUN, primarily targeting sensitive data such as login credentials, browser history, and cryptocurrency wallet details. It is often distributed through phishing campaigns and fake Google ads that mimic legitimate platforms like Google Authenticator. Once installed, it exfiltrates the stolen data to a remote command and control (C2) server. DeerStealer’s ability to disguise itself as legitimate downloads makes it particularly dangerous for unsuspecting users.
Read More
MetaStealer screenshot
MetaStealer
metastealer
MetaStealer is an info-stealing malware primarily targeting sensitive data like login credentials, payment details, and browser history. It typically infects systems via phishing emails or malicious downloads and can exfiltrate data to a command and control (C2) server. MetaStealer is known for its stealthy techniques, including evasion and persistence mechanisms, which make it difficult to detect. This malware has been actively used in various cyberattacks, particularly for financial theft and credential harvesting from individuals and organizations.
Read More
Maze screenshot
Maze
maze ransomware
Maze is ransomware — a malware type that encrypts the victim’s files and restores the data in exchange for a ransom payment. One of the most distinguishable features of Maze is that it is one of the first malware of the kind to publicly release stolen data.
Read More
Fog Ransomware screenshot
Fog is a ransomware strain that locks and steals sensitive information both on Windows and Linux endpoints. The medial ransom demand is $220,000. The medial payment is $100,000. First spotted in the spring of 2024, it was used to attack educational organizations in the USA, later expanding on other sectors and countries. Main distribution method — compromised VPN credentials.
Read More
Cobalt Strike screenshot
Cobalt Strike
cobaltstrike
Cobalt Strike is a legitimate penetration software toolkit developed by Forta. But its cracked versions are widely adopted by bad actors, who use it as a C2 system of choice for targeted attacks.
Read More
DarkTortilla screenshot
DarkTortilla
darktortilla
DarkTortilla is a crypter used by attackers to spread harmful software. It can modify system files to stay hidden and active. DarkTortilla is a multi-stage crypter that relies on several components to operate. It is often distributed through phishing sites that look like real services.
Read More