| File name: | repeat order __.eml |
| Full analysis: | https://app.any.run/tasks/cae059f0-73ce-4a26-bd29-5374d1c93dbb |
| Verdict: | Malicious activity |
| Threats: | DBatLoader is a loader malware used for distributing payloads of different types, including WarzoneRAT and Formbook. It is employed in multi-stage attacks that usually start with a phishing email carrying a malicious attachment. |
| Analysis date: | February 21, 2024, 11:39:03 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | message/rfc822 |
| File info: | RFC 822 mail, ASCII text |
| MD5: | 7BABE535E3D576BF772B55147798967D |
| SHA1: | 8CFA090D810FCCAF4DB76FB59BA226B49D962A7A |
| SHA256: | 1731EB577BE4D027671EDBDF5F80DE6D8A36D8820825D20227E46004B2C521F3 |
| SSDEEP: | 49152:OwRNPe1zHIIRfxyJSq+jqJHK1jcZemTp9YISy7iIMMgK:F |
MALICIOUS
Unusual execution from MS Outlook
- OUTLOOK.EXE (PID: 2472)
DBATLOADER has been detected (YARA)
- x.exe (PID: 1496)
Drops the executable file immediately after the start
- x.exe (PID: 1496)
Changes the autorun value in the registry
- x.exe (PID: 1496)
Actions looks like stealing of personal data
- dwm.exe (PID: 2788)
FORMBOOK has been detected (YARA)
- dwm.exe (PID: 2788)
SUSPICIOUS
The executable file from the user directory is run by the CMD process
- x.exe (PID: 1496)
Executing commands from a ".bat" file
- WinRAR.exe (PID: 116)
- x.exe (PID: 1496)
Starts CMD.EXE for commands execution
- WinRAR.exe (PID: 116)
- cmd.exe (PID: 3516)
- x.exe (PID: 1496)
Reads security settings of Internet Explorer
- WinRAR.exe (PID: 116)
Executable content was dropped or overwritten
- extrac32.exe (PID: 3180)
- x.exe (PID: 1496)
- xcopy.exe (PID: 3508)
- xcopy.exe (PID: 2596)
Reads the Internet Settings
- x.exe (PID: 1496)
- dwm.exe (PID: 2788)
Reads settings of System Certificates
- x.exe (PID: 1496)
Likely accesses (executes) a file from the Public directory
- cmd.exe (PID: 3516)
Application launched itself
- cmd.exe (PID: 3516)
Process drops legitimate windows executable
- xcopy.exe (PID: 3508)
- x.exe (PID: 1496)
Drops a file with a rarely used extension (PIF)
- x.exe (PID: 1496)
Drops a system driver (possible attempt to evade defenses)
- x.exe (PID: 1496)
Loads DLL from Mozilla Firefox
- dwm.exe (PID: 2788)
INFO
Checks supported languages
- x.exe (PID: 1496)
Create files in a temporary directory
- extrac32.exe (PID: 3180)
The process uses the downloaded file
- OUTLOOK.EXE (PID: 2472)
- WinRAR.exe (PID: 116)
Drops the executable file immediately after the start
- extrac32.exe (PID: 3180)
- xcopy.exe (PID: 3508)
- xcopy.exe (PID: 2596)
Reads the computer name
- x.exe (PID: 1496)
Checks proxy server information
- x.exe (PID: 1496)
Reads the software policy settings
- x.exe (PID: 1496)
Reads the machine GUID from the registry
- x.exe (PID: 1496)
Manual execution by a user
- autofmt.exe (PID: 2320)
- dwm.exe (PID: 2788)
Creates files or folders in the user directory
- dwm.exe (PID: 2788)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
DBatLoader
(PID) Process(1496) x.exe
C2 (1)https://onedrive.live.com/download?resid=653A5056738F1A02%21173&authkey=!ANQZu5-3y4oDV40
Formbook
(PID) Process(2788) dwm.exe
C2www.938579.top/fd05/
Strings (79)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
systray
audiodg
certmgr
autochk
taskhost
colorcpl
services
IconCache
ThumbCache
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate
dat=
f-start
f-end
Decoy C2 (64)rancangrumah.com
liposuction-54947.bond
9smp.studio
tranquilos.club
slknb9x4.shop
huidvh.xyz
59638.bet
611422.cc
gurdwarakaramsar.com
level42data.com
remedydx.com
aagmal.pro
aicertifiedpro.com
reeoumcuoarriron.shop
syrianphotographers.com
findasideproject.com
frontierconnects.co
cliphothomnay.top
vbywehjri3.top
hydrogenwaterbottles.co
beauty-bloom.online
flowautomations.info
odakegitimaraclari.xyz
wtevans.com
szkrp.com
vellagroup.dev
eyelearnfrommasters.com
weeklythepaper.com
meineinfacheslernbuch.com
6224narlingtonblvd.com
mcchoi.art
dreamcarsgiveaway.com
singlesmatchmaker.com
fi11cc65.com
myvapbnc.top
greattechinc.com
elevatece.co
dkswl.uno
lindellbank.top
grandmarinaluxuryresidences.com
sulekirkguzellik.net
4second-life.info
realestaterunnerwyo.com
veripost.net
krypto.uno
angelhues.store
avagedin.site
vadym-shapran.com
lovesummitreplay.com
lvdco.com
primeroch.com
loadsong.site
wozel.vip
kenielacouture.com
transmigrationholdings.com
thenemolabs.com
personal-loans-11122.bond
selochrono.com
lemonadeux.com
hiv0851.com
paternina100jahre.com
screehab.com
procyoninnovations.cloud
coachmindchange.com
TRiD
| .eml | | | E-Mail message (Var. 5) (100) |
|---|
Total processes
62
Monitored processes
20
Malicious processes
6
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 116 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\I1Y32XDS\new_product_order.tar" | C:\Program Files\WinRAR\WinRAR.exe | — | OUTLOOK.EXE | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 568 | "C:\Program Files\Mozilla Firefox\Firefox.exe" | C:\Program Files\Mozilla Firefox\firefox.exe | — | dwm.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 115.0.2 Modules
| |||||||||||||||
| 1496 | "C:\Users\admin\AppData\Local\Temp\x.exe" | C:\Users\admin\AppData\Local\Temp\x.exe | cmd.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
DBatLoader(PID) Process(1496) x.exe C2 (1)https://onedrive.live.com/download?resid=653A5056738F1A02%21173&authkey=!ANQZu5-3y4oDV40 | |||||||||||||||
| 1644 | xcopy "KDECO.bat" "C:\Windows \System32\" /K /D /H /Y | C:\Windows\System32\xcopy.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Extended Copy Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2156 | C:\Windows\system32\cmd.exe /S /D /c" ECHO F" | C:\Windows\System32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2320 | "C:\Windows\System32\autofmt.exe" | C:\Windows\System32\autofmt.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Auto File System Format Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2372 | cmd /c mkdir "\\?\C:\Windows " | C:\Windows\System32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2472 | "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\repeat order __.eml" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Exit code: 0 Version: 14.0.6025.1000 Modules
| |||||||||||||||
| 2488 | C:\Windows\System32\SndVol.exe | C:\Windows\System32\SndVol.exe | — | x.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Volume Mixer Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2564 | C:\Windows\system32\cmd.exe /S /D /c" ECHO F" | C:\Windows\System32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
Total events
18 293
Read events
17 663
Write events
582
Delete events
48
Modification events
| (PID) Process: | (2472) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: Off | |||
| (PID) Process: | (2472) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1041 |
Value: Off | |||
| (PID) Process: | (2472) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1046 |
Value: Off | |||
| (PID) Process: | (2472) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1036 |
Value: Off | |||
| (PID) Process: | (2472) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1031 |
Value: Off | |||
| (PID) Process: | (2472) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1040 |
Value: Off | |||
| (PID) Process: | (2472) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1049 |
Value: Off | |||
| (PID) Process: | (2472) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 3082 |
Value: Off | |||
| (PID) Process: | (2472) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1042 |
Value: Off | |||
| (PID) Process: | (2472) OUTLOOK.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1055 |
Value: Off | |||
Executable files
7
Suspicious files
6
Text files
10
Unknown types
3
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2472 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRF349.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 2472 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst | — | |
MD5:— | SHA256:— | |||
| 2472 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\tmpF473.tmp | binary | |
MD5:0036340210290DF500EB75E1E80F6B63 | SHA256:6B046E077850A86303CBB3AAF8F02C5306864F479B6D85F3530457D7F8144771 | |||
| 2472 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\I1Y32XDS\new_product_order (2).tar | compressed | |
MD5:D299AC1C37BB9D94B86DDF5439074E19 | SHA256:A1383E7C1792265D27F29314F059C9D7E04CA8621177F9E6263D7C5B7238B292 | |||
| 2472 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\I1Y32XDS\new_product_order (2).tar:Zone.Identifier:$DATA | text | |
MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B | SHA256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913 | |||
| 2472 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inf | text | |
MD5:F3B25701FE362EC84616A93A45CE9998 | SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209 | |||
| 116 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa116.5034\new_product_order.bat | compressed | |
MD5:ACB71C773AED6DB1807E5B4DA039203C | SHA256:28576349387CCF5E3022123DE44E0C7F74010459DECCBAB2EB60FC0C64AF117C | |||
| 3180 | extrac32.exe | C:\Users\admin\AppData\Local\Temp\x.exe | executable | |
MD5:EC585EF88CCD79588D24B84DE9E30F64 | SHA256:089359771A9653653885EE4321BAFBE6EBBE443835118D79F6F33BD56E1B6226 | |||
| 1496 | x.exe | C:\Users\Public\Libraries\ZepyeoyqO.bat | text | |
MD5:0D0D24B46D4BB0E4962595D455020D48 | SHA256:F46E0CC2C119A32DD87EDF97BFC73D985EE97D2C9DC00274B6B20D641E29DEEA | |||
| 1496 | x.exe | C:\Users\Public\Libraries\truesight.sys | executable | |
MD5:F53FA44C7B591A2BE105344790543369 | SHA256:BFC2EF3B404294FE2FA05A8B71C7F786B58519175B7202A69FE30F45E607FF1C | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
8
DNS requests
3
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
2472 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
1496 | x.exe | 13.107.139.11:443 | onedrive.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
1496 | x.exe | 13.107.42.12:443 | zavo9a.sn.files.1drv.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
config.messenger.msn.com |
| whitelisted |
onedrive.live.com |
| shared |
zavo9a.sn.files.1drv.com |
| unknown |