
DBatLoader

Global rank: 67 | Month rank: 45 | Week rank: 45 | IOCs: 0

DBatLoader is a loader malware used for distributing payloads of different types, including WarzoneRAT and Formbook. It is employed in multi-stage attacks that usually start with a phishing email carrying a malicious attachment.

Type: Loader
Origin: Unknown
First seen: 1 June, 2020
Last seen: 23 September, 2025

How to analyze DBatLoader with ANY.RUN


IOCs



What is DBatLoader malware?

DBatLoader is a loader written in Delphi that has been in extensive use among attackers since 2020. One of the key features of the malware is its reliance on legitimate cloud-based platforms such as Discord for hosting its payloads. DBatLoader has been involved in numerous campaigns and leveraged to deploy stealers, trojans, and other threats.

In most cases, DBatLoader manages to infect machines via multi-stage attacks. For instance, victims may receive an email attachment in the form of a PDF file. Upon opening the attachment, users may be prompted to click on a seemingly genuine button embedded with a malicious link. Clicking this link will initiate the download of a Windows Cabinet file, which, in turn, will trigger the installation of DBatLoader on the unsuspecting user's computer.


Technical details of the DBatLoader malicious software

DBatLoader’s sole purpose is to distribute other malware on the devices it manages to infect. To do this, the developers behind DBatLoader have equipped their malicious software with several advanced capabilities.

For example, DBatLoader can bypass User Account Control (UAC) to gain elevated privileges. It does this by abusing the "mock trusted directory" weakness: in Windows, executables launched from certain system directories can auto-elevate, and DBatLoader creates a mock folder whose name mimics such a trusted location, for example "C:\Windows\System32 " (note the trailing space, which makes the path look identical to the real one while being a different directory).

On top of that, DBatLoader copies a legitimate executable into this fake folder and then injects it with its malicious DLL, which allows the payload downloaded by DBatLoader to execute without any security prompts while maintaining persistence.
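As an added defender-side example (not ANY.RUN's code), the following Python check hunts for such mock trusted directories in file-creation or process-launch path telemetry; the trusted directory list and the sample paths are constructed assumptions, not values from a real case.

```python
r"""Hunting check for mock trusted directories (added example, not ANY.RUN code).

"C:\Windows\System32 " (trailing space) is displayed like the real System32,
and Win32 path normalisation strips the space, so the folder can only be
created through the \\?\ device prefix. This check takes paths from
file-creation or process-launch telemetry and flags any path that collapses
to a trusted location once trailing spaces/dots are trimmed, yet is not it.
"""
from typing import List, Optional, Tuple

# Directories holding auto-elevating executables worth impersonating (assumed list).
TRUSTED_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}

def _components(path: str) -> List[str]:
    # Drop a \\?\ device prefix so the remainder compares like a normal path.
    if path.startswith("\\\\?\\"):
        path = path[4:]
    return [c for c in path.replace("/", "\\").split("\\") if c]

def mock_trusted_dir(path: str) -> Optional[str]:
    """Return the trusted directory this path impersonates, or None.

    Each prefix of the path is trimmed per component; a prefix is a mock
    when its trimmed form is trusted but differs from the raw form.
    """
    parts = _components(path)
    for i in range(1, len(parts) + 1):
        raw = "\\".join(parts[:i]).lower()
        trimmed = "\\".join(c.rstrip(" .") for c in parts[:i]).lower()
        if trimmed in TRUSTED_DIRS and raw != trimmed:
            return trimmed
    return None

def scan(paths: List[str]) -> List[Tuple[str, str]]:
    """Return (path, impersonated_dir) for every flagged path."""
    found = ((p, mock_trusted_dir(p)) for p in paths)
    return [(p, t) for p, t in found if t]

# Constructed sample telemetry; none of these paths come from a real case.
SAMPLE_PATHS = [
    r"C:\Windows\System32\cmd.exe",               # genuine, not flagged
    r"C:\Windows\System32 \copied.exe",           # trailing space on System32
    "\\\\?\\C:\\Windows \\System32\\helper.dll",  # trailing space on Windows
    r"C:\Users\Public\Windows\System32\x.exe",    # different root, not flagged
]

if __name__ == "__main__":
    for path, target in scan(SAMPLE_PATHS):
        print(f"MOCK TRUSTED DIR: {path!r} impersonates {target}")
```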

Another vulnerability DBatLoader has abused in previous attacks is CVE-2018-0798, a flaw in the Equation Editor component of Microsoft Office. The malware has also been observed using steganography.

As mentioned, DBatLoader is usually configured to pull malicious payloads from servers of popular cloud storage services, including Microsoft OneDrive and Google Drive. Some of the notable examples of malware dropped by DBatLoader are Formbook, Warzone, and Remcos.

Execution process of DBatLoader

In order to detect DBatLoader, it is vital to analyze the latest samples of this malware and collect up-to-date information on it. To this end, we can use ANY.RUN, a malware analysis sandbox that lets us quickly analyze any suspicious file or link to spot threats.

Let’s upload a sample of DBatLoader to ANY.RUN and study its behavior.

In this task, DBatLoader was distributed as an executable file with a name mimicking the title of a document, attempting to trick users into opening the file and executing the malicious code. Upon execution, DBatLoader downloads and injects the Formbook malware into the Control and Explorer system processes, enabling its malicious activity.


DBatLoader's process tree demonstrated in ANY.RUN

In addition, this loader can be used in more sophisticated attacks, such as exploiting vulnerabilities to penetrate the system. These can be well-known vulnerabilities like CVE-2017-11882, as well as lesser-known ones. On top of that, DBatLoader can also make use of system utilities in its attacks. In this task, a whole arsenal of system utilities is actively used, such as cmd, ping, and xcopy, including for the purpose of lateral movement. Eventually, DBatLoader drops Remcos, which instantly begins its operation.

Distribution methods of the DBatLoader malware

Phishing campaigns constitute the most common attack vector involving DBatLoader. Emails sent by the operators of the malware target different organizations and are disguised as genuine messages. In many cases, criminals even use legitimate email addresses they manage to hijack or gain access to.

The subject of such emails concerns different business-related matters, such as payments and other arrangements. For example, attackers may send fake invoices as Microsoft Office or PDF files. These files usually contain a link that, once clicked, can trigger the infection leading to DBatLoader being dropped on the computer and the eventual deployment of the final payload.

Conclusion

DBatLoader remains an active threat commonly used by criminals in their attacks on various types of organizations. To keep your infrastructure safe, it is essential that you have strong security measures in place, especially when it comes to software for detecting and inspecting threats.

Use the ANY.RUN sandbox as a reliable tool for analyzing emails you receive to safely determine if they pose any danger. ANY.RUN’s interactive cloud environment makes it easy to investigate the most advanced phishing campaigns and uncover multi-stage attacks in minutes. The service provides you with convenient text reports containing all the relevant information on the files and links you submit, including fresh IOCs.

