File name: d8e06a78761104458ca53892474bb695fe6f3d5d92333a1d81f0d11d60ed2041

Full analysis: https://app.any.run/tasks/a4f34ba5-d61f-4475-91cb-f5a324decaa5
Verdict: Malicious activity
Threats:

DBatLoader is a loader malware used for distributing payloads of different types, including WarzoneRAT and Formbook. It is employed in multi-stage attacks that usually start with a phishing email carrying a malicious attachment.

Analysis date: May 18, 2025, 11:53:27
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: delphi, dbatloader, fileshare
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5: A6F405F65DB811AFBDAF2A231459A17D
SHA1: D5F83559A78FE097C8430F02CE2F1BF939BD76CD
SHA256: D8E06A78761104458CA53892474BB695FE6F3D5D92333A1D81F0D11D60ED2041
SSDEEP: 98304:ONWRcKTXya76VxpNND3Fob2CqL0QTdKwk70KXGrwPEX/PXl+pWZ+pW2D9vEZa8mh:ssPAR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • DBATLOADER has been detected (YARA)

      • d8e06a78761104458ca53892474bb695fe6f3d5d92333a1d81f0d11d60ed2041.exe (PID: 6668)
    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 6184)
      • cmd.exe (PID: 5680)
    • Changes Windows Defender settings

      • cmd.exe (PID: 5680)
  • SUSPICIOUS

    • There is functionality for taking screenshot (YARA)

      • d8e06a78761104458ca53892474bb695fe6f3d5d92333a1d81f0d11d60ed2041.exe (PID: 6668)
    • Process drops legitimate windows executable

      • d8e06a78761104458ca53892474bb695fe6f3d5d92333a1d81f0d11d60ed2041.exe (PID: 6668)
    • Executing commands from a ".bat" file

      • d8e06a78761104458ca53892474bb695fe6f3d5d92333a1d81f0d11d60ed2041.exe (PID: 6668)
      • easinvoker.exe (PID: 6700)
    • Executable content was dropped or overwritten

      • d8e06a78761104458ca53892474bb695fe6f3d5d92333a1d81f0d11d60ed2041.exe (PID: 6668)
      • xcopy.exe (PID: 5064)
      • xcopy.exe (PID: 6488)
    • Starts CMD.EXE for commands execution

      • d8e06a78761104458ca53892474bb695fe6f3d5d92333a1d81f0d11d60ed2041.exe (PID: 6668)
      • cmd.exe (PID: 1568)
      • easinvoker.exe (PID: 6700)
      • cmd.exe (PID: 6184)
    • Likely accesses (executes) a file from the Public directory

      • cmd.exe (PID: 1568)
    • Application launched itself

      • cmd.exe (PID: 1568)
      • cmd.exe (PID: 6184)
    • Created directory related to system

      • cmd.exe (PID: 2984)
      • cmd.exe (PID: 856)
    • Process copies executable file

      • cmd.exe (PID: 1568)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 1568)
    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 5680)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 5680)
    • The process hides an interactive prompt from the user

      • cmd.exe (PID: 5680)
    • Connects to unusual port

      • SndVol.exe (PID: 5384)
  • INFO

    • Reads the computer name

      • d8e06a78761104458ca53892474bb695fe6f3d5d92333a1d81f0d11d60ed2041.exe (PID: 6668)
    • Checks supported languages

      • d8e06a78761104458ca53892474bb695fe6f3d5d92333a1d81f0d11d60ed2041.exe (PID: 6668)
    • Compiled with Borland Delphi (YARA)

      • d8e06a78761104458ca53892474bb695fe6f3d5d92333a1d81f0d11d60ed2041.exe (PID: 6668)
    • The sample is compiled with English language support

      • d8e06a78761104458ca53892474bb695fe6f3d5d92333a1d81f0d11d60ed2041.exe (PID: 6668)
      • xcopy.exe (PID: 5064)
    • Creates a new folder

      • cmd.exe (PID: 2984)
      • cmd.exe (PID: 856)

DBatLoader

Process (PID 6668): d8e06a78761104458ca53892474bb695fe6f3d5d92333a1d81f0d11d60ed2041.exe
C2 (1): https://onedrive.live.com/download?resid=4949CD367CC71D79%21805&authkey=!AMSMUgw79SjTIWc

No Malware configuration.

TRiD

.exe | Win32 Executable Delphi generic (31.9)
.scr | Windows screen saver (29.4)
.dll | Win32 Dynamic Link Library (generic) (14.8)
.exe | Win32 Executable (generic) (10.1)
.exe | Win16/32 Executable Delphi generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 512000
InitializedDataSize: 1363968
UninitializedDataSize: -
EntryPoint: 0x7dea4
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 153
Monitored processes: 24
Malicious processes: 4
Suspicious processes: 1

Behavior graph

Process chain, in graph order (processes marked "no specs" carry no detailed specification in the graph):
  • d8e06a78761104458ca53892474bb695fe6f3d5d92333a1d81f0d11d60ed2041.exe (#DBATLOADER)
  • sppextcomobj.exe (no specs)
  • slui.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • cmd.exe (no specs)
  • cmd.exe (no specs)
  • cmd.exe (no specs)
  • xcopy.exe
  • cmd.exe (no specs)
  • xcopy.exe
  • cmd.exe (no specs)
  • xcopy.exe (no specs)
  • easinvoker.exe (no specs)
  • easinvoker.exe (no specs)
  • easinvoker.exe
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • ping.exe (no specs)
  • cmd.exe (no specs)
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • sndvol.exe
  • svchost.exe

Process information

PID: 856
CMD: cmd.exe /c mkdir "\\?\C:\Windows \System32"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1020
CMD: "C:\Windows \System32\easinvoker.exe"
Path: C:\Windows \System32\easinvoker.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Exchange ActiveSync Invoker
Exit code:
3221226540
Version:
6.3.9600.17415 (winblue_r4.141028-1500)
Modules
Images
c:\windows \system32\easinvoker.exe
c:\windows\system32\ntdll.dll
PID: 1568
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\Public\Libraries\LqibcptlO.bat" "
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: d8e06a78761104458ca53892474bb695fe6f3d5d92333a1d81f0d11d60ed2041.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2984
CMD: cmd.exe /c mkdir "\\?\C:\Windows "
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 3888
CMD: ping 127.0.0.1 -n 6
Path: C:\Windows\SysWOW64\PING.EXE
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 4152
CMD: powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 4268
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 4448
CMD: cmd.exe /c ECHO F
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 4696
CMD: "C:\Windows \System32\easinvoker.exe"
Path: C:\Windows \System32\easinvoker.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Exchange ActiveSync Invoker
Exit code:
3221226540
Version:
6.3.9600.17415 (winblue_r4.141028-1500)
Modules
Images
c:\windows \system32\easinvoker.exe
c:\windows\system32\ntdll.dll
Total events: 7 057
Read events: 7 053
Write events: 4
Delete events: 0

Modification events

(PID) Process: (6668) d8e06a78761104458ca53892474bb695fe6f3d5d92333a1d81f0d11d60ed2041.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Lqibcptl
Value: C:\Users\Public\Lqibcptl.url

(PID) Process: (5384) SndVol.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Rmc-17YJIC
Operation: write
Name: exepath
Value: 0603A3E8CB210B727EBFB367D15DB6E41C0AE28179EE7C9B73D7C402EFFA55E7E27264F2ECE50D3198BA57BAEF3868B0481A613AA76FB84355BD42BC28F7

(PID) Process: (5384) SndVol.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Rmc-17YJIC
Operation: write
Name: licence
Value: 30F2AFED03CCBCC2D68B251D04595EFF

(PID) Process: (5384) SndVol.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Rmc-17YJIC
Operation: write
Name: time
Value:

Executable files: 5
Suspicious files: 6
Text files: 6
Unknown types: 0

Dropped files

PID | Process | Filename | Type

6668 | d8e06a78761104458ca53892474bb695fe6f3d5d92333a1d81f0d11d60ed2041.exe | C:\Users\Public\Libraries\Lqibcptl.PIF | executable
  MD5: A6F405F65DB811AFBDAF2A231459A17D
  SHA256: D8E06A78761104458CA53892474BB695FE6F3D5D92333A1D81F0D11D60ED2041
6668 | d8e06a78761104458ca53892474bb695fe6f3d5d92333a1d81f0d11d60ed2041.exe | C:\Users\Public\Libraries\Null | text
  MD5: 30FB76AEB44DBCC2FEF88AB066D55AC6
  SHA256: E2BB232CAC786F7284BB237D193407E94F32EE0FBF64D27D0AE8B1642DE44923
6668 | d8e06a78761104458ca53892474bb695fe6f3d5d92333a1d81f0d11d60ed2041.exe | C:\Users\Public\Libraries\netutils.dll | executable
  MD5: 8C526AF9678ADD1072D31E631C0FDB2C
  SHA256: 515724FDDBC390DB5138B911646F9F88F15595F51ECA5EC58C409DEB8FC1B71A
5064 | xcopy.exe | C:\Windows \System32\easinvoker.exe | executable
  MD5: 231CE1E1D7D98B44371FFFF407D68B59
  SHA256: 30951DB8BFC21640645AA9144CFEAA294BB7C6980EF236D28552B6F4F3F92A96
4152 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF117656.TMP | binary
  MD5: D040F64E9E7A2BB91ABCA5613424598E
  SHA256: D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
4152 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | binary
  MD5: 507D82335C48DBB021454CFF21F15128
  SHA256: D376B401E02ECF9A8E837900DF9E303A11EC6665087A1D74796B14332C7DCD74
6824 | xcopy.exe | C:\Windows \System32\KDECO.bat | text
  MD5: 7E5FBD29557A68383DFB34E696964E93
  SHA256: 4E55B1BBE2E0E099592AC57A747FA8D4EF67409901D6C64323A1B73D50E5DE67
4152 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YKMQEY26YKUBAAM9JY8K.temp | binary
  MD5: 507D82335C48DBB021454CFF21F15128
  SHA256: D376B401E02ECF9A8E837900DF9E303A11EC6665087A1D74796B14332C7DCD74
5384 | SndVol.exe | C:\ProgramData\babaa\logs.dat | binary
  MD5: 03AF14D22B27111AB002D17F49F4028A
  SHA256: D26F488C5A8C9CD8AF9FC05E5223F3109165AA35D571C14EFBA4B77EC1EABAAE
4152 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ic014i10.fgb.psm1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
HTTP(S) requests: 5
TCP/UDP connections: 37
DNS requests: 18
Threats: 3

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation

5496 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.11:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
2852 | SIHClient.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
2852 | SIHClient.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6404 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5496 | MoUsoCoreWorker.exe | 23.216.77.11:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5496 | MoUsoCoreWorker.exe | 69.192.161.161:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2112 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 40.126.32.76:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain (reputation), followed by the resolved IPs:

settings-win.data.microsoft.com (whitelisted)
  • 51.104.136.2
  • 40.127.240.158
google.com (whitelisted)
  • 172.217.18.14
crl.microsoft.com (whitelisted)
  • 23.216.77.11
  • 23.216.77.7
  • 23.216.77.15
  • 23.216.77.42
  • 23.216.77.18
  • 23.216.77.10
  • 23.216.77.19
  • 23.216.77.38
  • 23.216.77.12
www.microsoft.com (whitelisted)
  • 69.192.161.161
client.wns.windows.com (whitelisted)
  • 172.211.123.250
login.live.com (whitelisted)
  • 40.126.32.76
  • 20.190.160.67
  • 20.190.160.14
  • 20.190.160.130
  • 40.126.32.133
  • 20.190.160.64
  • 20.190.160.131
  • 40.126.32.74
ocsp.digicert.com (whitelisted)
  • 2.17.190.73
slscr.update.microsoft.com (whitelisted)
  • 4.245.163.56
fe3cr.delivery.mp.microsoft.com (whitelisted)
  • 20.242.39.171
onedrive.live.com (whitelisted)
  • 13.107.139.11
  • 13.107.137.11

Threats

PID | Process | Class | Message

6668 | d8e06a78761104458ca53892474bb695fe6f3d5d92333a1d81f0d11d60ed2041.exe | Not Suspicious Traffic | INFO [ANY.RUN] Downloading from a file sharing service is observed
2196 | svchost.exe | Potentially Bad Traffic | ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain
2196 | svchost.exe | Misc activity | ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain
No debug info