English
English Indonesia Türkçe Deutsch Español Português Pусский Français Italiano Nederlands Polski العربية ไทย Tiếng Việt 繁體中文 简体中文 日本語 한국어

#dbatloader search results

anyrun_app's profile picture. Empowering businesses with proactive security solutions: Interactive Sandbox, TI Lookup and Feeds. Sign up: https://t.co/8hIX0Qh5ME
ANY.RUN
@anyrun_app
May 15

🚨 New #phishing campaign uses #DBatLoader to drop #Remcos RAT. The infection relies on #UAC bypass with mock directories, obfuscated .cmd scripts, Windows #LOLBAS techniques, and advanced persistence techniques. At the time of analysis, the samples had not yet been submitted to…

anyrun_app's tweet image. 🚨 New #phishing campaign uses #DBatLoader to drop #Remcos RAT. The infection relies on #UAC bypass with mock directories, obfuscated .cmd scripts, Windows #LOLBAS techniques, and advanced persistence techniques. At the time of analysis, the samples had not yet been submitted to…
1
43
111
51
8K
d4rksystem's profile picture. Threat Research @proofpoint | Author of "Evasive Malware" @nostarch | Talks about cybercrime, threat intel, and malware stuff.
Kyle Cucci
 @d4rksystem
Mar 28, 2024

Recent variants of #DBatLoader #malware allocate large semi-random regions of memory before dropping the payload, which can be problematic for sandboxes. It calculates the memory allocation size using QueryPerformanceCounter and GetTickCount which act as a seed for a random size.

d4rksystem's tweet image. Recent variants of #DBatLoader #malware allocate large semi-random regions of memory before dropping the payload, which can be problematic for sandboxes. It calculates the memory allocation size using QueryPerformanceCounter and GetTickCount which act as a seed for a random size.
d4rksystem's tweet image. Recent variants of #DBatLoader #malware allocate large semi-random regions of memory before dropping the payload, which can be problematic for sandboxes. It calculates the memory allocation size using QueryPerformanceCounter and GetTickCount which act as a seed for a random size.
1
8
19
4
2K
kienbigmummy's profile picture. Work hard in silence , let success make the noise.
m4n0w4r
 @kienbigmummy
May 16, 2023

📄#DBatLoader Old vs New 👉Old Dll uses APIs from Wininet.dll to download encrypted payload from decrypted url. 👉New Dll uses COM object to download encrypted payload from decrypted url.

kienbigmummy's tweet image. 📄#DBatLoader Old vs New 👉Old Dll uses APIs from Wininet.dll to download encrypted payload from decrypted url. 👉New Dll uses COM object to download encrypted payload from decrypted url.
kienbigmummy's tweet image. 📄#DBatLoader Old vs New 👉Old Dll uses APIs from Wininet.dll to download encrypted payload from decrypted url. 👉New Dll uses COM object to download encrypted payload from decrypted url.
kienbigmummy's tweet image. 📄#DBatLoader Old vs New 👉Old Dll uses APIs from Wininet.dll to download encrypted payload from decrypted url. 👉New Dll uses COM object to download encrypted payload from decrypted url.
0
13
50
6
6K
Tac_Mangusta's profile picture. recce cyber threat landscape
Mangusta
 @Tac_Mangusta
Jun 6, 2023

#dbatloader spread via mail "New Purchase Order" url > .pdf.img > .exe 🔗p://www.islamicbankbd.]org/document/PurchaseOrder52435374.pdf 🔥p://ecmtibbiclhazlar.]com/cyxjElXJ/205_Chilrcjtcqn Now stager and C2 seems disabled and redirect to RickRoll

Tac_Mangusta's tweet image. #dbatloader spread via mail "New Purchase Order" url > .pdf.img > .exe 🔗p://www.islamicbankbd.]org/document/PurchaseOrder52435374.pdf 🔥p://ecmtibbiclhazlar.]com/cyxjElXJ/205_Chilrcjtcqn Now stager and C2 seems disabled and redirect to RickRoll
Tac_Mangusta's tweet image. #dbatloader spread via mail "New Purchase Order" url > .pdf.img > .exe 🔗p://www.islamicbankbd.]org/document/PurchaseOrder52435374.pdf 🔥p://ecmtibbiclhazlar.]com/cyxjElXJ/205_Chilrcjtcqn Now stager and C2 seems disabled and redirect to RickRoll
1
4
18
1
3K
c_APT_ure's profile picture. #InfoSec professional, husband & father of two (in random order). #BlueTeam #DFIR #APT #CTI #RedTeaming #BSidesZH (RT/Likes ≠ endorsement) 👀➡️#MalwareChallenge
TomU | I'm still here... til the end 🕊️🇨🇭
 @c_APT_ure
Apr 3, 2024

And this one uploaded by TeamDreier (Thx) #DBatLoader -> #Remcos RAT bazaar.abuse.ch/sample/115bfc9… 240320920_240320920192580_PDF.cmd:68:-----BEGIN X509 CRL----- 240320920_240320920192580_PDF.cmd:52230:-----END X509 CRL----- joesandbox.com/analysis/14129…

c_APT_ure's tweet image. And this one uploaded by TeamDreier (Thx) #DBatLoader -> #Remcos RAT bazaar.abuse.ch/sample/115bfc9… 240320920_240320920192580_PDF.cmd:68:-----BEGIN X509 CRL----- 240320920_240320920192580_PDF.cmd:52230:-----END X509 CRL----- joesandbox.com/analysis/14129…
c_APT_ure's tweet image. And this one uploaded by TeamDreier (Thx) #DBatLoader -> #Remcos RAT bazaar.abuse.ch/sample/115bfc9… 240320920_240320920192580_PDF.cmd:68:-----BEGIN X509 CRL----- 240320920_240320920192580_PDF.cmd:52230:-----END X509 CRL----- joesandbox.com/analysis/14129…
1
2
3
2
396
skocherhan's profile picture. Digital nomad, exploring the cyber frontier.
ܛܔܔܔܛܔܛܔܛ
@skocherhan
May 27

32ba1ee78874a80a23a0d09427d52af6 05ef4ca659965c1d3faa58077b0f9943 #FormBook #ModiLoader #DBatLoader

skocherhan's tweet image. 32ba1ee78874a80a23a0d09427d52af6 05ef4ca659965c1d3faa58077b0f9943 #FormBook #ModiLoader #DBatLoader
skocherhan's tweet image. 32ba1ee78874a80a23a0d09427d52af6 05ef4ca659965c1d3faa58077b0f9943 #FormBook #ModiLoader #DBatLoader
marsomx_'s profile picture. 🇮🇹 | IT Engineer with Cyber Security passion | Malware Analysis | Reverse Engineering | CTI - views and opinions are solely my own -
Simplicio Sam L.
 @marsomx_
May 3

[4/4] drop url: 176.65.144[.23/ff/kkinng.txt sha256: 954b611a8e8163b42691ec83d4ff0077ef6f80505a434d03e04c9ae19494ea13 bazaar.abuse.ch/browse/tag/176…

0
0
2
0
337
0
0
1
0
210
Unit42_Intel's profile picture. The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.
Unit 42
 @Unit42_Intel
Jan 10

2025-01-10 (Fri): We still find malicious Office docs in the wild exploiting CVE-2017-0199, often using #steganography to avoid detection. One such chain recently led to #DBatLoader/#GuLoader-style malware for #AgentTesla with FTP data exfil. More info at: bit.ly/40ewwT0

Unit42_Intel's tweet image. 2025-01-10 (Fri): We still find malicious Office docs in the wild exploiting CVE-2017-0199, often using #steganography to avoid detection. One such chain recently led to #DBatLoader/#GuLoader-style malware for #AgentTesla with FTP data exfil. More info at: bit.ly/40ewwT0
Unit42_Intel's tweet image. 2025-01-10 (Fri): We still find malicious Office docs in the wild exploiting CVE-2017-0199, often using #steganography to avoid detection. One such chain recently led to #DBatLoader/#GuLoader-style malware for #AgentTesla with FTP data exfil. More info at: bit.ly/40ewwT0
Unit42_Intel's tweet image. 2025-01-10 (Fri): We still find malicious Office docs in the wild exploiting CVE-2017-0199, often using #steganography to avoid detection. One such chain recently led to #DBatLoader/#GuLoader-style malware for #AgentTesla with FTP data exfil. More info at: bit.ly/40ewwT0
Unit42_Intel's tweet image. 2025-01-10 (Fri): We still find malicious Office docs in the wild exploiting CVE-2017-0199, often using #steganography to avoid detection. One such chain recently led to #DBatLoader/#GuLoader-style malware for #AgentTesla with FTP data exfil. More info at: bit.ly/40ewwT0
0
43
112
30
9K
naumovax's profile picture. pt malicious network traffic researcher, speaker / this blog about new malware & interesting С2 communication & my work life
Kseniia \n
 @naumovax
Jun 24, 2024

#DBatLoader used for many #rat🐀 С2: IP, ports below in comment Final payload from blog.talosintelligence.com/new-banking-tr… (fresh #CarnavalHeist/#AllaSenha) reminds DBatLoader, script here -> github.com/executemalware… (outdated, e.g. no port 6281) tria.ge/231107-vt8bmsc… joesandbox.com/analysis/13473…

naumovax's tweet image. #DBatLoader used for many #rat🐀 С2: IP, ports below in comment Final payload from blog.talosintelligence.com/new-banking-tr… (fresh #CarnavalHeist/#AllaSenha) reminds DBatLoader, script here -> github.com/executemalware… (outdated, e.g. no port 6281) tria.ge/231107-vt8bmsc… joesandbox.com/analysis/13473…
naumovax's tweet image. #DBatLoader used for many #rat🐀 С2: IP, ports below in comment Final payload from blog.talosintelligence.com/new-banking-tr… (fresh #CarnavalHeist/#AllaSenha) reminds DBatLoader, script here -> github.com/executemalware… (outdated, e.g. no port 6281) tria.ge/231107-vt8bmsc… joesandbox.com/analysis/13473…
1
15
35
15
3K
c_APT_ure's profile picture. #InfoSec professional, husband & father of two (in random order). #BlueTeam #DFIR #APT #CTI #RedTeaming #BSidesZH (RT/Likes ≠ endorsement) 👀➡️#MalwareChallenge
TomU | I'm still here... til the end 🕊️🇨🇭
 @c_APT_ure
Jun 28, 2024

Jep, #DBatLoader and #Remcos RAT C2: severdops[.]ddns[.]net Has been used since 2021 😮 for many different RATs and stealers I would guess this could be #DESKTOPgroup 🤔

c_APT_ure's tweet image. Jep, #DBatLoader and #Remcos RAT C2: severdops[.]ddns[.]net Has been used since 2021 😮 for many different RATs and stealers I would guess this could be #DESKTOPgroup 🤔
c_APT_ure's tweet image. Jep, #DBatLoader and #Remcos RAT C2: severdops[.]ddns[.]net Has been used since 2021 😮 for many different RATs and stealers I would guess this could be #DESKTOPgroup 🤔
2
0
1
1
377
JAMESWT_WT's profile picture. #Independent #Malware #Hunter #CyberSecurity #InfoSec https://t.co/KCFBJcHHcW https://t.co/WODUKncjFy
JAMESWT
 @JAMESWT_WT
May 21

"PAGAMENTO FATTURA PRO-FORMA 394" spread #DbatLoader #RemcosRat Samples👇 bazaar.abuse.ch/browse/tag/198… AnyRun👇 app.any.run/tasks/7c7fbeb0… ⛔️C2 198.23.227[.]212:32583 BotnetYavakosa

JAMESWT_WT's tweet image. "PAGAMENTO FATTURA PRO-FORMA 394" spread #DbatLoader #RemcosRat Samples👇 bazaar.abuse.ch/browse/tag/198… AnyRun👇 app.any.run/tasks/7c7fbeb0… ⛔️C2 198.23.227[.]212:32583 BotnetYavakosa
JAMESWT_WT's tweet image. "PAGAMENTO FATTURA PRO-FORMA 394" spread #DbatLoader #RemcosRat Samples👇 bazaar.abuse.ch/browse/tag/198… AnyRun👇 app.any.run/tasks/7c7fbeb0… ⛔️C2 198.23.227[.]212:32583 BotnetYavakosa
JAMESWT_WT's tweet image. "PAGAMENTO FATTURA PRO-FORMA 394" spread #DbatLoader #RemcosRat Samples👇 bazaar.abuse.ch/browse/tag/198… AnyRun👇 app.any.run/tasks/7c7fbeb0… ⛔️C2 198.23.227[.]212:32583 BotnetYavakosa
2
5
22
3
4K
CERT_OPL's profile picture. Jednostka reagowania na incydenty bezp. @Orange_Polska. Certified by Trusted Introducer ('01), @firstdotorg ('11). Kontakt: cert.opl@orange.com; SMS 508 700 900
CERT Orange Polska
@CERT_OPL
Mar 21, 2024

A @pmmkowalczyk jak nie ze swojego konta, to na naszej stronie. Zerknijcie na analizę nowego #njrat, tym razem z #DBATLoader. cert.orange.pl/aktualnosci/re…

CERT_OPL's tweet image. A @pmmkowalczyk jak nie ze swojego konta, to na naszej stronie. Zerknijcie na analizę nowego #njrat, tym razem z #DBATLoader. cert.orange.pl/aktualnosci/re…
1
4
11
0
2K
FatzQatz's profile picture. As a hobbyist in malware analysis, I enjoy uncovering cyber threats for fun.
FatzQatz
 @FatzQatz
Dec 10

Threat actor turns a Cabinet (CAB) file into the Loader. It dropped #ModiLoader (aka #DBatLoader) and ultimately deployed Agent Tesla. NEOMS_EOI_FORM.cmd (yep this is CAB file) SHA256: a631e4304cf932de1129cc660fd648125226cfee4059321b4e2048c38b2f9357 Rules & IOCs in🧵 #malware

FatzQatz's tweet image. Threat actor turns a Cabinet (CAB) file into the Loader. It dropped #ModiLoader (aka #DBatLoader) and ultimately deployed Agent Tesla. NEOMS_EOI_FORM.cmd (yep this is CAB file) SHA256: a631e4304cf932de1129cc660fd648125226cfee4059321b4e2048c38b2f9357 Rules & IOCs in🧵 #malware
1
1
3
1
378
anyrun_app's profile picture. Empowering businesses with proactive security solutions: Interactive Sandbox, TI Lookup and Feeds. Sign up: https://t.co/8hIX0Qh5ME
ANY.RUN
@anyrun_app
Nov 30, 2023

Update in #Malware Trends Tracker: #DBatLoader 🔍 This #loader uses Discord and OneDrive to host malicious payloads and drops different #malware, including #Remcos and #Formbook. Keep up with its latest samples and #IOCs👉 any.run/malware-trends…

anyrun_app's tweet image. Update in #Malware Trends Tracker: #DBatLoader 🔍 This #loader uses Discord and OneDrive to host malicious payloads and drops different #malware, including #Remcos and #Formbook. Keep up with its latest samples and #IOCs👉 any.run/malware-trends…
1
3
14
1
3K
whaleboneio's profile picture. We provide millions of everyday internet users unyielding protection without the need for them to download anything.
Whalebone
 @whaleboneio
Apr 3, 2023

In the recent campaign, hackers are sending phishing emails containing malicious files. These files then download and install malware from WordPress websites. Read more ⬇️ #whalebone #zerodaythreatprevention #DBatLoader #securityfirst #whaleboneshorts

whaleboneio's tweet image. In the recent campaign, hackers are sending phishing emails containing malicious files. These files then download and install malware from WordPress websites. Read more ⬇️ #whalebone #zerodaythreatprevention #DBatLoader #securityfirst #whaleboneshorts
1
2
3
0
91
twelvesec's profile picture. Information security , knowledge sharing, community supporter.
twelvesec
 @twelvesec
Apr 1, 2023

#DBatLoader, aka #ModiLoader & #NatsoLoader, is being used in several #phishing campaigns to target manufacturing companies and various businesses in Europe. #CyberSecurity #infosec #cybercrime buff.ly/40QJSUw

twelvesec's tweet image. #DBatLoader, aka #ModiLoader & #NatsoLoader, is being used in several #phishing campaigns to target manufacturing companies and various businesses in Europe. #CyberSecurity #infosec #cybercrime buff.ly/40QJSUw
0
1
2
0
161
TweetThreatNews's profile picture. 🔍 ThreatResearch 📰 CybersecurityNews 🖥️ RansomMonitor 📂 Cyber Attack 📂 Data Breach 🎥 Youtube
Cybersecurity News Everyday
 @TweetThreatNews
Aug 21

DBatLoader, a Delphi-compiled Windows x86 malware, uses heavy obfuscation, import hiding, and anti-analysis to maintain stealthy surveillance, registry edits, screenshot capture, and possible keylogging in enterprise environments. #DBatLoader #DelphiMalwift.tt/yFGwHSV

0
2
2
0
176
skocherhan's profile picture. Digital nomad, exploring the cyber frontier.
ܛܔܔܔܛܔܛܔܛ
@skocherhan
May 27

32ba1ee78874a80a23a0d09427d52af6 05ef4ca659965c1d3faa58077b0f9943 #FormBook #ModiLoader #DBatLoader

skocherhan's tweet image. 32ba1ee78874a80a23a0d09427d52af6 05ef4ca659965c1d3faa58077b0f9943 #FormBook #ModiLoader #DBatLoader
skocherhan's tweet image. 32ba1ee78874a80a23a0d09427d52af6 05ef4ca659965c1d3faa58077b0f9943 #FormBook #ModiLoader #DBatLoader
marsomx_'s profile picture. 🇮🇹 | IT Engineer with Cyber Security passion | Malware Analysis | Reverse Engineering | CTI - views and opinions are solely my own -
Simplicio Sam L.
 @marsomx_
May 3

[4/4] drop url: 176.65.144[.23/ff/kkinng.txt sha256: 954b611a8e8163b42691ec83d4ff0077ef6f80505a434d03e04c9ae19494ea13 bazaar.abuse.ch/browse/tag/176…

0
0
2
0
337
0
0
1
0
210
anyrun_app's profile picture. Empowering businesses with proactive security solutions: Interactive Sandbox, TI Lookup and Feeds. Sign up: https://t.co/8hIX0Qh5ME
ANY.RUN
@anyrun_app
May 23

🎣 Look out for this new #phishing campaign #DBatLoader deploys #Remcos by abusing .pif (Program Information Files) to evade detection and execute the final payload See analysis of the full attack chain 👇 any.run/cybersecurity-…

anyrun_app's tweet card. Learn about a new phishing campaign spreading Remcos through DBatLoader. It employs UAC bypass and obfuscated scripts to compromise systems.
Phishing Campaign: DBatLoader Delivers Remcos via UAC Bypass
Source: any.run
0
7
14
2
2K
petikvx's profile picture. Malware Researcher Collecter - All my samples will be on https://t.co/ifIYiMAyVd
petikvx
@petikvx
May 22

🔒⚠️ New DBatLoader campaign observed!👀 Drops Remcos RAT onto unsuspecting users' computers for data theft👾🔓. Stay vigilant and protect your digital fortress!💻🔐 #CyberSecurity #MalwareAlert #DBatLoader #Remcos 🚫🕵️‍♂️👨‍💻 any.run/cybersecurity-… #anyrunptk

petikvx's tweet card. Learn about a new phishing campaign spreading Remcos through DBatLoader. It employs UAC bypass and obfuscated scripts to compromise systems.
Phishing Campaign: DBatLoader Delivers Remcos via UAC Bypass
Source: any.run
1
1
4
0
446
JAMESWT_WT's profile picture. #Independent #Malware #Hunter #CyberSecurity #InfoSec https://t.co/KCFBJcHHcW https://t.co/WODUKncjFy
JAMESWT
 @JAMESWT_WT
May 21

"PAGAMENTO FATTURA PRO-FORMA 394" spread #DbatLoader #RemcosRat Samples👇 bazaar.abuse.ch/browse/tag/198… AnyRun👇 app.any.run/tasks/7c7fbeb0… ⛔️C2 198.23.227[.]212:32583 BotnetYavakosa

JAMESWT_WT's tweet image. "PAGAMENTO FATTURA PRO-FORMA 394" spread #DbatLoader #RemcosRat Samples👇 bazaar.abuse.ch/browse/tag/198… AnyRun👇 app.any.run/tasks/7c7fbeb0… ⛔️C2 198.23.227[.]212:32583 BotnetYavakosa
JAMESWT_WT's tweet image. "PAGAMENTO FATTURA PRO-FORMA 394" spread #DbatLoader #RemcosRat Samples👇 bazaar.abuse.ch/browse/tag/198… AnyRun👇 app.any.run/tasks/7c7fbeb0… ⛔️C2 198.23.227[.]212:32583 BotnetYavakosa
JAMESWT_WT's tweet image. "PAGAMENTO FATTURA PRO-FORMA 394" spread #DbatLoader #RemcosRat Samples👇 bazaar.abuse.ch/browse/tag/198… AnyRun👇 app.any.run/tasks/7c7fbeb0… ⛔️C2 198.23.227[.]212:32583 BotnetYavakosa
2
5
22
3
4K
AhnLabGlobal's profile picture. Detect, Respond and Evolve Security Powered by AI https://t.co/f8C2k87YEw
AhnLab
@AhnLabGlobal
May 19

⚠️ A #phishing campaign targeting Turkish users is distributing #DBatLoader via fake transaction record emails. Stay cautious on executing script extensions from phishing emails and keep security products up to date to prevent attacks. 🔗 Read more: asec.ahnlab.com/en/88025/ #TI

AhnLabGlobal's tweet image. ⚠️ A #phishing campaign targeting Turkish users is distributing #DBatLoader via fake transaction record emails. Stay cautious on executing script extensions from phishing emails and keep security products up to date to prevent attacks. 🔗 Read more: asec.ahnlab.com/en/88025/ #TI
0
1
5
0
256
anyrun_app's profile picture. Empowering businesses with proactive security solutions: Interactive Sandbox, TI Lookup and Feeds. Sign up: https://t.co/8hIX0Qh5ME
ANY.RUN
@anyrun_app
May 15

🚨 New #phishing campaign uses #DBatLoader to drop #Remcos RAT. The infection relies on #UAC bypass with mock directories, obfuscated .cmd scripts, Windows #LOLBAS techniques, and advanced persistence techniques. At the time of analysis, the samples had not yet been submitted to…

anyrun_app's tweet image. 🚨 New #phishing campaign uses #DBatLoader to drop #Remcos RAT. The infection relies on #UAC bypass with mock directories, obfuscated .cmd scripts, Windows #LOLBAS techniques, and advanced persistence techniques. At the time of analysis, the samples had not yet been submitted to…
1
43
111
51
8K
Unit42_Intel's profile picture. The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.
Unit 42
 @Unit42_Intel
Jan 10

2025-01-10 (Fri): We still find malicious Office docs in the wild exploiting CVE-2017-0199, often using #steganography to avoid detection. One such chain recently led to #DBatLoader/#GuLoader-style malware for #AgentTesla with FTP data exfil. More info at: bit.ly/40ewwT0

Unit42_Intel's tweet image. 2025-01-10 (Fri): We still find malicious Office docs in the wild exploiting CVE-2017-0199, often using #steganography to avoid detection. One such chain recently led to #DBatLoader/#GuLoader-style malware for #AgentTesla with FTP data exfil. More info at: bit.ly/40ewwT0
Unit42_Intel's tweet image. 2025-01-10 (Fri): We still find malicious Office docs in the wild exploiting CVE-2017-0199, often using #steganography to avoid detection. One such chain recently led to #DBatLoader/#GuLoader-style malware for #AgentTesla with FTP data exfil. More info at: bit.ly/40ewwT0
Unit42_Intel's tweet image. 2025-01-10 (Fri): We still find malicious Office docs in the wild exploiting CVE-2017-0199, often using #steganography to avoid detection. One such chain recently led to #DBatLoader/#GuLoader-style malware for #AgentTesla with FTP data exfil. More info at: bit.ly/40ewwT0
Unit42_Intel's tweet image. 2025-01-10 (Fri): We still find malicious Office docs in the wild exploiting CVE-2017-0199, often using #steganography to avoid detection. One such chain recently led to #DBatLoader/#GuLoader-style malware for #AgentTesla with FTP data exfil. More info at: bit.ly/40ewwT0
0
43
112
30
9K
FatzQatz's profile picture. As a hobbyist in malware analysis, I enjoy uncovering cyber threats for fun.
FatzQatz
 @FatzQatz
Dec 10

Threat actor turns a Cabinet (CAB) file into the Loader. It dropped #ModiLoader (aka #DBatLoader) and ultimately deployed Agent Tesla. NEOMS_EOI_FORM.cmd (yep this is CAB file) SHA256: a631e4304cf932de1129cc660fd648125226cfee4059321b4e2048c38b2f9357 Rules & IOCs in🧵 #malware

FatzQatz's tweet image. Threat actor turns a Cabinet (CAB) file into the Loader. It dropped #ModiLoader (aka #DBatLoader) and ultimately deployed Agent Tesla. NEOMS_EOI_FORM.cmd (yep this is CAB file) SHA256: a631e4304cf932de1129cc660fd648125226cfee4059321b4e2048c38b2f9357 Rules & IOCs in🧵 #malware
1
1
3
1
378
MalwarePatrol's profile picture. Malware Patrol's cyber #threatintelligence solutions offer a comprehensive view of the external threat landscape. #infosec #cybersec #APT #malware #phishing
Malware Patrol
 @MalwarePatrol
Aug 1, 2024

"instead, in all nine campaigns, #attackers used #ModiLoader (aka #DBatLoader) as the preferred delivery tool of choice. The final payload to be delivered and launched on the compromised machines varied" welivesecurity.com/en/eset-resear…

0
0
0
0
110
c_APT_ure's profile picture. #InfoSec professional, husband & father of two (in random order). #BlueTeam #DFIR #APT #CTI #RedTeaming #BSidesZH (RT/Likes ≠ endorsement) 👀➡️#MalwareChallenge
TomU | I'm still here... til the end 🕊️🇨🇭
 @c_APT_ure
Jun 28, 2024

Jep, #DBatLoader and #Remcos RAT C2: severdops[.]ddns[.]net Has been used since 2021 😮 for many different RATs and stealers I would guess this could be #DESKTOPgroup 🤔

c_APT_ure's tweet image. Jep, #DBatLoader and #Remcos RAT C2: severdops[.]ddns[.]net Has been used since 2021 😮 for many different RATs and stealers I would guess this could be #DESKTOPgroup 🤔
c_APT_ure's tweet image. Jep, #DBatLoader and #Remcos RAT C2: severdops[.]ddns[.]net Has been used since 2021 😮 for many different RATs and stealers I would guess this could be #DESKTOPgroup 🤔
2
0
1
1
377
naumovax's profile picture. pt malicious network traffic researcher, speaker / this blog about new malware & interesting С2 communication & my work life
Kseniia \n
 @naumovax
Jun 24, 2024

#DBatLoader used for many #rat🐀 С2: IP, ports below in comment Final payload from blog.talosintelligence.com/new-banking-tr… (fresh #CarnavalHeist/#AllaSenha) reminds DBatLoader, script here -> github.com/executemalware… (outdated, e.g. no port 6281) tria.ge/231107-vt8bmsc… joesandbox.com/analysis/13473…

naumovax's tweet image. #DBatLoader used for many #rat🐀 С2: IP, ports below in comment Final payload from blog.talosintelligence.com/new-banking-tr… (fresh #CarnavalHeist/#AllaSenha) reminds DBatLoader, script here -> github.com/executemalware… (outdated, e.g. no port 6281) tria.ge/231107-vt8bmsc… joesandbox.com/analysis/13473…
naumovax's tweet image. #DBatLoader used for many #rat🐀 С2: IP, ports below in comment Final payload from blog.talosintelligence.com/new-banking-tr… (fresh #CarnavalHeist/#AllaSenha) reminds DBatLoader, script here -> github.com/executemalware… (outdated, e.g. no port 6281) tria.ge/231107-vt8bmsc… joesandbox.com/analysis/13473…
1
15
35
15
3K
NDA0E's profile picture.
NDA0E
 @NDA0E
May 16, 2024

#opendir #DBatLoader #XWorm #RemcosRAT 144.126.134.25:5000 144.126.134.25:8080 #AS40021 @ContaboCom climb-items-macedonia-hometown.trycloudflare[.]com climb-items-macedonia-hometown.trycloudflare[.]com:8080 Full list: paste.ee/r/wD2MX/0

NDA0E's tweet image. #opendir #DBatLoader #XWorm #RemcosRAT 144.126.134.25:5000 144.126.134.25:8080 #AS40021 @ContaboCom climb-items-macedonia-hometown.trycloudflare[.]com climb-items-macedonia-hometown.trycloudflare[.]com:8080 Full list: paste.ee/r/wD2MX/0
NDA0E's tweet image. #opendir #DBatLoader #XWorm #RemcosRAT 144.126.134.25:5000 144.126.134.25:8080 #AS40021 @ContaboCom climb-items-macedonia-hometown.trycloudflare[.]com climb-items-macedonia-hometown.trycloudflare[.]com:8080 Full list: paste.ee/r/wD2MX/0
NDA0E's tweet image. #opendir #DBatLoader #XWorm #RemcosRAT 144.126.134.25:5000 144.126.134.25:8080 #AS40021 @ContaboCom climb-items-macedonia-hometown.trycloudflare[.]com climb-items-macedonia-hometown.trycloudflare[.]com:8080 Full list: paste.ee/r/wD2MX/0
NDA0E's tweet image. #opendir #DBatLoader #XWorm #RemcosRAT 144.126.134.25:5000 144.126.134.25:8080 #AS40021 @ContaboCom climb-items-macedonia-hometown.trycloudflare[.]com climb-items-macedonia-hometown.trycloudflare[.]com:8080 Full list: paste.ee/r/wD2MX/0
0
0
2
0
253
c_APT_ure's profile picture. #InfoSec professional, husband & father of two (in random order). #BlueTeam #DFIR #APT #CTI #RedTeaming #BSidesZH (RT/Likes ≠ endorsement) 👀➡️#MalwareChallenge
TomU | I'm still here... til the end 🕊️🇨🇭
 @c_APT_ure
Apr 3, 2024

A couple more related samples added here 🧵 2⃣ #DBatLoader -> #Remcos RAT

c_APT_ure's profile picture. #InfoSec professional, husband & father of two (in random order). #BlueTeam #DFIR #APT #CTI #RedTeaming #BSidesZH (RT/Likes ≠ endorsement) 👀➡️#MalwareChallenge
TomU | I'm still here... til the end 🕊️🇨🇭
 @c_APT_ure
Apr 3, 2024

More similar samples (containing those "X509 CRL" tags) encoded payload here? (in between) TT copy_00285.bat:89:-----BEGIN X509 CRL----- TT copy_00285.bat:48752:-----END X509 CRL----- 1/n bazaar.abuse.ch/sample/4076e46…

1
0
2
1
493
0
0
0
0
231
No results for "#dbatloader"
ankit_anubhav's profile picture. Voice of IoT Security & awareness. I make the world of IoT a safer place. Ex- McAfee / FireEye / NewSky
Ankit Anubhav
@ankit_anubhav
Mar 4, 2022

#Redline malware flow Malspam -> zip -> .img -> .lnk -> powershell -> mshta -> powershell -> download exe -> encrypted onedrive file download -> decrypt on fly ( #Dbatloader ) -> theft I am seeing that whenever encrypted onedrive file is downloaded, user agent is "lVali" (1/2)

ankit_anubhav's tweet image. #Redline malware flow Malspam -> zip -> .img -> .lnk -> powershell -> mshta -> powershell -> download exe -> encrypted onedrive file download -> decrypt on fly ( #Dbatloader ) -> theft I am seeing that whenever encrypted onedrive file is downloaded, user agent is "lVali" (1/2)
ankit_anubhav's tweet image. #Redline malware flow Malspam -> zip -> .img -> .lnk -> powershell -> mshta -> powershell -> download exe -> encrypted onedrive file download -> decrypt on fly ( #Dbatloader ) -> theft I am seeing that whenever encrypted onedrive file is downloaded, user agent is "lVali" (1/2)
1
21
69
13
0
anyrun_app's profile picture. Empowering businesses with proactive security solutions: Interactive Sandbox, TI Lookup and Feeds. Sign up: https://t.co/8hIX0Qh5ME
ANY.RUN
@anyrun_app
May 15

🚨 New #phishing campaign uses #DBatLoader to drop #Remcos RAT. The infection relies on #UAC bypass with mock directories, obfuscated .cmd scripts, Windows #LOLBAS techniques, and advanced persistence techniques. At the time of analysis, the samples had not yet been submitted to…

anyrun_app's tweet image. 🚨 New #phishing campaign uses #DBatLoader to drop #Remcos RAT. The infection relies on #UAC bypass with mock directories, obfuscated .cmd scripts, Windows #LOLBAS techniques, and advanced persistence techniques. At the time of analysis, the samples had not yet been submitted to…
1
43
111
51
8K
d4rksystem's profile picture. Threat Research @proofpoint | Author of "Evasive Malware" @nostarch | Talks about cybercrime, threat intel, and malware stuff.
Kyle Cucci
 @d4rksystem
Mar 28, 2024

Recent variants of #DBatLoader #malware allocate large semi-random regions of memory before dropping the payload, which can be problematic for sandboxes. It calculates the memory allocation size using QueryPerformanceCounter and GetTickCount which act as a seed for a random size.

d4rksystem's tweet image. Recent variants of #DBatLoader #malware allocate large semi-random regions of memory before dropping the payload, which can be problematic for sandboxes. It calculates the memory allocation size using QueryPerformanceCounter and GetTickCount which act as a seed for a random size.
d4rksystem's tweet image. Recent variants of #DBatLoader #malware allocate large semi-random regions of memory before dropping the payload, which can be problematic for sandboxes. It calculates the memory allocation size using QueryPerformanceCounter and GetTickCount which act as a seed for a random size.
1
8
19
4
2K
0xToxin's profile picture. @msftsecurity | Chasing bad bois
Ne0ne | Igal
 @0xToxin
Jul 26, 2022

"Re: CR-FEDEX_TN-270036844357_DT-_CD-20220301_CT-0833" r00 archive -> exe -> #AvemariaRAT / #warzoneRAT uses #DBatLoader sender is impersonates to @FedEx VT Confidence: 13/69 Full IOC here: github.com/0xToxin/Malwar…

0xToxin's tweet image. "Re: CR-FEDEX_TN-270036844357_DT-_CD-20220301_CT-0833" r00 archive -> exe -> #AvemariaRAT / #warzoneRAT uses #DBatLoader sender is impersonates to @FedEx VT Confidence: 13/69 Full IOC here: github.com/0xToxin/Malwar…
1
12
25
3
0
herrcore's profile picture. UnpacMe | OALABS
herrcore
@herrcore
Sep 4, 2022

👁‍🗨👄👁‍🗨 We are live! Join us! Today, #dbatloader (#delphi) let’s reverse engineer in bat country!! #OALABS 🦇 twitch.tv/oalabslive

herrcore's tweet image. 👁‍🗨👄👁‍🗨 We are live! Join us! Today, #dbatloader (#delphi) let’s reverse engineer in bat country!! #OALABS 🦇 twitch.tv/oalabslive
0
3
28
1
0
ankit_anubhav's profile picture. Voice of IoT Security & awareness. I make the world of IoT a safer place. Ex- McAfee / FireEye / NewSky
Ankit Anubhav
@ankit_anubhav
Jul 29, 2022

#Modiloader / #Dbatloader The .z archive leads to exe, which uses lVali UserAgent to download encrypted file from Onedrive ( so MS doesn't take it down ). Post decryption its injected in legit MS process like sndvol to do the C2 comms on 42020 port. bazaar.abuse.ch/sample/4473b5d…

ankit_anubhav's tweet image. #Modiloader / #Dbatloader The .z archive leads to exe, which uses lVali UserAgent to download encrypted file from Onedrive ( so MS doesn't take it down ). Post decryption its injected in legit MS process like sndvol to do the C2 comms on 42020 port. bazaar.abuse.ch/sample/4473b5d…
ankit_anubhav's tweet image. #Modiloader / #Dbatloader The .z archive leads to exe, which uses lVali UserAgent to download encrypted file from Onedrive ( so MS doesn't take it down ). Post decryption its injected in legit MS process like sndvol to do the C2 comms on 42020 port. bazaar.abuse.ch/sample/4473b5d…
1
19
37
4
0
Gi7w0rm's profile picture. Threat Intelligence Analyst | See my Linktree for other socials | In case I post false intel, contact me! Support me: https://t.co/5WgDqr0K8p 🇪🇺🇩🇪🇺🇦🌈
Gi7w0rm
 @Gi7w0rm
Jul 30, 2023

Was bored so collected some additional #IoC. This time for #SystemBC from 2020-2023. Fewer than #DBatLoader collected last Wednesday, however due to its #ransomware ties probably way more important. Here you go: raw.githubusercontent.com/Gi7w0rm/Malwar…

Gi7w0rm's tweet image. Was bored so collected some additional #IoC. This time for #SystemBC from 2020-2023. Fewer than #DBatLoader collected last Wednesday, however due to its #ransomware ties probably way more important. Here you go: raw.githubusercontent.com/Gi7w0rm/Malwar…
Gi7w0rm's tweet image. Was bored so collected some additional #IoC. This time for #SystemBC from 2020-2023. Fewer than #DBatLoader collected last Wednesday, however due to its #ransomware ties probably way more important. Here you go: raw.githubusercontent.com/Gi7w0rm/Malwar…
1
7
30
3
4K
naumovax's profile picture. pt malicious network traffic researcher, speaker / this blog about new malware & interesting С2 communication & my work life
Kseniia \n
 @naumovax
Jun 24, 2024

#DBatLoader used for many #rat🐀 С2: IP, ports below in comment Final payload from blog.talosintelligence.com/new-banking-tr… (fresh #CarnavalHeist/#AllaSenha) reminds DBatLoader, script here -> github.com/executemalware… (outdated, e.g. no port 6281) tria.ge/231107-vt8bmsc… joesandbox.com/analysis/13473…

naumovax's tweet image. #DBatLoader used for many #rat🐀 С2: IP, ports below in comment Final payload from blog.talosintelligence.com/new-banking-tr… (fresh #CarnavalHeist/#AllaSenha) reminds DBatLoader, script here -> github.com/executemalware… (outdated, e.g. no port 6281) tria.ge/231107-vt8bmsc… joesandbox.com/analysis/13473…
naumovax's tweet image. #DBatLoader used for many #rat🐀 С2: IP, ports below in comment Final payload from blog.talosintelligence.com/new-banking-tr… (fresh #CarnavalHeist/#AllaSenha) reminds DBatLoader, script here -> github.com/executemalware… (outdated, e.g. no port 6281) tria.ge/231107-vt8bmsc… joesandbox.com/analysis/13473…
1
15
35
15
3K
herrcore's profile picture. UnpacMe | OALABS
herrcore
@herrcore
Oct 16, 2022

🫣 we are live! Join us as we build a simple #botnet tracker for #dbatloader #OALABS twitch.tv/oalabslive

herrcore's tweet image. 🫣 we are live! Join us as we build a simple #botnet tracker for #dbatloader #OALABS twitch.tv/oalabslive
1
2
22
5
0
Gi7w0rm's profile picture. Threat Intelligence Analyst | See my Linktree for other socials | In case I post false intel, contact me! Support me: https://t.co/5WgDqr0K8p 🇪🇺🇩🇪🇺🇦🌈
Gi7w0rm
 @Gi7w0rm
Jul 27, 2023

This week's main focus was on collecting indicators for #DBatLoader. Using some self-made scripts I collected 1621 URLs used between 2020-2023 to download the final payload stage. 23 of those were still online at the time of scanning. All indicators were shared via known channels

Gi7w0rm's tweet image. This week's main focus was on collecting indicators for #DBatLoader. Using some self-made scripts I collected 1621 URLs used between 2020-2023 to download the final payload stage. 23 of those were still online at the time of scanning. All indicators were shared via known channels
Gi7w0rm's tweet image. This week's main focus was on collecting indicators for #DBatLoader. Using some self-made scripts I collected 1621 URLs used between 2020-2023 to download the final payload stage. 23 of those were still online at the time of scanning. All indicators were shared via known channels
1
2
7
0
887
Unit42_Intel's profile picture. The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.
Unit 42
 @Unit42_Intel
Jan 10

2025-01-10 (Fri): We still find malicious Office docs in the wild exploiting CVE-2017-0199, often using #steganography to avoid detection. One such chain recently led to #DBatLoader/#GuLoader-style malware for #AgentTesla with FTP data exfil. More info at: bit.ly/40ewwT0

Unit42_Intel's tweet image. 2025-01-10 (Fri): We still find malicious Office docs in the wild exploiting CVE-2017-0199, often using #steganography to avoid detection. One such chain recently led to #DBatLoader/#GuLoader-style malware for #AgentTesla with FTP data exfil. More info at: bit.ly/40ewwT0
Unit42_Intel's tweet image. 2025-01-10 (Fri): We still find malicious Office docs in the wild exploiting CVE-2017-0199, often using #steganography to avoid detection. One such chain recently led to #DBatLoader/#GuLoader-style malware for #AgentTesla with FTP data exfil. More info at: bit.ly/40ewwT0
Unit42_Intel's tweet image. 2025-01-10 (Fri): We still find malicious Office docs in the wild exploiting CVE-2017-0199, often using #steganography to avoid detection. One such chain recently led to #DBatLoader/#GuLoader-style malware for #AgentTesla with FTP data exfil. More info at: bit.ly/40ewwT0
Unit42_Intel's tweet image. 2025-01-10 (Fri): We still find malicious Office docs in the wild exploiting CVE-2017-0199, often using #steganography to avoid detection. One such chain recently led to #DBatLoader/#GuLoader-style malware for #AgentTesla with FTP data exfil. More info at: bit.ly/40ewwT0
0
43
112
30
9K
kienbigmummy's profile picture. Work hard in silence , let success make the noise.
m4n0w4r
 @kienbigmummy
May 16, 2023

📄#DBatLoader Old vs New 👉Old Dll uses APIs from Wininet.dll to download encrypted payload from decrypted url. 👉New Dll uses COM object to download encrypted payload from decrypted url.

kienbigmummy's tweet image. 📄#DBatLoader Old vs New 👉Old Dll uses APIs from Wininet.dll to download encrypted payload from decrypted url. 👉New Dll uses COM object to download encrypted payload from decrypted url.
kienbigmummy's tweet image. 📄#DBatLoader Old vs New 👉Old Dll uses APIs from Wininet.dll to download encrypted payload from decrypted url. 👉New Dll uses COM object to download encrypted payload from decrypted url.
kienbigmummy's tweet image. 📄#DBatLoader Old vs New 👉Old Dll uses APIs from Wininet.dll to download encrypted payload from decrypted url. 👉New Dll uses COM object to download encrypted payload from decrypted url.
0
13
50
6
6K
pollo290987's profile picture.
\_(ʘ_ʘ)_/
 @pollo290987
Aug 3, 2022

#DBatLoader #RemcosRAT Envision Digital.exe e52cf82f435602239c33092829fcf8f1 DBat /mkdvesti.com/F437E4455F6689E610resi25412545d3437E44F6689E61025874515/Wiupbuvvpxknaamhtjrsejoreaxeszq Remcos d94721da651457b288e89a4d0da22453 C2 micenaxus,com:2404

pollo290987's tweet image. #DBatLoader #RemcosRAT Envision Digital.exe e52cf82f435602239c33092829fcf8f1 DBat /mkdvesti.com/F437E4455F6689E610resi25412545d3437E44F6689E61025874515/Wiupbuvvpxknaamhtjrsejoreaxeszq Remcos d94721da651457b288e89a4d0da22453 C2 micenaxus,com:2404
pollo290987's tweet image. #DBatLoader #RemcosRAT Envision Digital.exe e52cf82f435602239c33092829fcf8f1 DBat /mkdvesti.com/F437E4455F6689E610resi25412545d3437E44F6689E61025874515/Wiupbuvvpxknaamhtjrsejoreaxeszq Remcos d94721da651457b288e89a4d0da22453 C2 micenaxus,com:2404
0
5
8
1
0
Tac_Mangusta's profile picture. recce cyber threat landscape
Mangusta
 @Tac_Mangusta
Jun 6, 2023

#dbatloader spread via mail "New Purchase Order" url > .pdf.img > .exe 🔗p://www.islamicbankbd.]org/document/PurchaseOrder52435374.pdf 🔥p://ecmtibbiclhazlar.]com/cyxjElXJ/205_Chilrcjtcqn Now stager and C2 seems disabled and redirect to RickRoll

Tac_Mangusta's tweet image. #dbatloader spread via mail "New Purchase Order" url > .pdf.img > .exe 🔗p://www.islamicbankbd.]org/document/PurchaseOrder52435374.pdf 🔥p://ecmtibbiclhazlar.]com/cyxjElXJ/205_Chilrcjtcqn Now stager and C2 seems disabled and redirect to RickRoll
Tac_Mangusta's tweet image. #dbatloader spread via mail "New Purchase Order" url > .pdf.img > .exe 🔗p://www.islamicbankbd.]org/document/PurchaseOrder52435374.pdf 🔥p://ecmtibbiclhazlar.]com/cyxjElXJ/205_Chilrcjtcqn Now stager and C2 seems disabled and redirect to RickRoll
1
4
18
1
3K
0xToxin's profile picture. @msftsecurity | Chasing bad bois
Ne0ne | Igal
 @0xToxin
Aug 2, 2022

"RE: [EXTERNAL] RE: RE: Plaćanje stanja" zip -> exe -> #DbatLoader -> #Remcos targets croatian audience. VT confidence: 20/71 Full IOC here: github.com/0xToxin/Malwar…

0xToxin's tweet image. "RE: [EXTERNAL] RE: RE: Plaćanje stanja" zip -> exe -> #DbatLoader -> #Remcos targets croatian audience. VT confidence: 20/71 Full IOC here: github.com/0xToxin/Malwar…
0
3
8
0
0

Something went wrong.


Something went wrong.


United States Trends