MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3
SHA3-384 hash: a8378a903ad1ec3e096ca1b9fb6483f13305b1cee8cfaca8048fb8b3ba48422d4d2a9d96bbff69203e08b16e5b15c257
SHA1 hash: 6af9bb4cb10f0d765cf87b71f5dcfa3c5d7d61f6
MD5 hash: 57afe7c6eae81f93e3e6a085b6bd7961
humanhash: hydrogen-vegan-early-cola
File name:Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:4'754'432 bytes
First seen:2020-08-02 15:28:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash baa93d47220682c04d92f7797d9224ce (139 x RiseProStealer, 26 x Xtrat, 18 x CoinMiner)
ssdeep 98304:O/KyGgrf/TiG4GR0msmwCiYZHImJyS5qGWxpPr2C9rPZ:MZGgrf6GRFn3a/Sw7pPnrP
Threatray 48 similar samples on MalwareBazaar
TLSH 3C26233383E9283BDBD3DCB5B8C1B51CD4AF1E543790990EA210BBD875E299661C1B1E
Reporter vm001cn
Tags:DanaBot packed Themida

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'084
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/37194/
Detection(s):
SecuriteInfo.com.EXE.Obfus-4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Sending a UDP request
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Reading critical registry keys
Delayed writing of the file
Delayed reading of the file
Deleting a recently created file
Launching the default Windows debugger (dwwin.exe)
Sending an HTTP GET request
Stealing user critical data
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/407203
Signature
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
PE file contains section with special chars
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 255832 Sample: YpS37PYyjS.exe Startdate: 02/08/2020 Architecture: WINDOWS Score: 96 60 May check the online IP address of the machine 2->60 62 Machine Learning detection for sample 2->62 64 Machine Learning detection for dropped file 2->64 66 2 other signatures 2->66 9 YpS37PYyjS.exe 20 2->9         started        process3 dnsIp4 46 ip-api.com 208.95.112.1, 49714, 80 TUT-ASUS United States 9->46 48 bitbucket.org 18.205.93.1, 443, 49715 AMAZON-AESUS United States 9->48 50 2 other IPs or domains 9->50 40 C:\Users\user\AppData\Local\...\uicwppoup.exe, PE32 9->40 dropped 42 C:\Users\user\AppData\Local\...\sfmmlsi.exe, PE32+ 9->42 dropped 44 C:\Users\user\AppData\Local\...\6[1].exe, PE32 9->44 dropped 80 Detected unpacking (changes PE section rights) 9->80 82 Tries to detect virtualization through RDTSC time measurements 9->82 84 Hides threads from debuggers 9->84 86 Tries to detect sandboxes / dynamic malware analysis system (registry check) 9->86 14 cmd.exe 1 9->14         started        16 cmd.exe 1 9->16         started        18 cmd.exe 3 2 9->18         started        file5 signatures6 process7 process8 20 uicwppoup.exe 3 14->20         started        23 conhost.exe 14->23         started        25 sfmmlsi.exe 35 16->25         started        28 conhost.exe 16->28         started        30 wscript.exe 12 18->30         started        32 conhost.exe 18->32         started        dnsIp9 68 Detected unpacking (changes PE section rights) 20->68 70 Tries to detect sandboxes and other dynamic analysis tools (window names) 20->70 72 Machine Learning detection for dropped file 20->72 78 3 other signatures 20->78 52 otteppp04.top 193.201.126.21, 49721, 80 WEBHOST1-ASRU Russian Federation 25->52 54 doorres02.top 37.46.132.97, 49725, 80 THEFIRST-ASRU Russian Federation 25->54 74 Tries to harvest and steal browser information (history, passwords, etc) 25->74 34 cmd.exe 1 25->34         started        56 iplogger.org 88.99.66.31, 443, 49713 HETZNER-ASDE Germany 30->56 58 192.168.2.1 unknown unknown 30->58 76 System process connects to network (likely due to code injection or exploit) 30->76 signatures10 process11 process12 36 conhost.exe 34->36         started        38 timeout.exe 1 34->38         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3/
Threat name:
Win32.Packed.Themida
Create hunting rule
Status:
Malicious
First seen:
2020-08-01 22:29:08 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xhadoocovkbha25ppq6nlykvb7u22jaih3pladsv3hnidghkn3rq._file
Verdict:
malicious
Similar samples:
1466a3a68f3c7f673d4b8ba514bc078fadda4c009f342c077f1d6cb0710d9b72
DanaBot
2ba0f2e22ed07ca3188c898a0c9256fd30e878916ebe669ed52b25cb18d5ccde
DanaBot
2d403f971f502d2423b11dcca6424edc460b6c290cb76107d7f36a37565791e8
DanaBot
450224b458d5d44cbaf62d95e18face27de776ed227ba0f7dc7e12bd07f64c9b
DanaBot
4d9b89978e6ca9cf14cb1f04859e01e66c1e0dbefedd1663617647535c0b3fa0
DanaBot
6005ff1373b7a3600ad4b5700b4d9b6c13827015a97fea1b030189655bd8e986
DanaBot
831ba6efa4a49eb1c7ff749fe442b393c5a614f383bf1efb52512a183b4362fc
DanaBot
a0e9692a6a0f50890c03829cfc80dd4ef47aaf4ade8c2fd35a62c09d290171d3
DanaBot
a2f0a1d469d73a11c69afc9eb12000fa7f7652305d936a10d12dabce693f878b
DanaBot
f8915227c25c5ac552d66f3708f615cd517363953829d3715f38666d7dfa9770
DanaBot
+ 38 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
botnet persistence discovery trojan banker family:danabot evasion spyware
Link:
https://tria.ge/reports/200802-cy2hjfjv4j/
Behaviour
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Checks processor information in registry
Modifies registry class
Suspicious use of FindShellTrayWindow
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Modifies service
Enumerates connected drives
Checks installed software on the system
Accesses cryptocurrency wallets, possible credential harvesting
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Identifies Wine through registry keys
Reads user/profile data of web browsers
Loads dropped DLL
Sets DLL path for service in the registry
Sets service image path in registry
Blacklisted process makes network request
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Danabot x86 payload
Danabot
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Cryptor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_cryptbot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/37194/

Comments