MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 027e8e4c1ceb0fd7444db0509a32cd812caa15e3a0c5625a01dee747ad1e984c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 027e8e4c1ceb0fd7444db0509a32cd812caa15e3a0c5625a01dee747ad1e984c
SHA3-384 hash: 4f33f16e6deaa713ac7c50d066de850f47dda17125a9871af28317ded38ecec8902bafe182940c263cf9df37f897c66a
SHA1 hash: 841284da709d70037c7759afbd9ef31365236c2d
MD5 hash: 778092be71e21474fd45b2b243ee223c
humanhash: monkey-august-crazy-blue
File name:778092be71e21474fd45b2b243ee223c
Download: download sample
Signature DanaBot
Create hunting rule
File size:4'547'595 bytes
First seen:2021-09-18 10:50:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 98304:fZWQcy9gX4QDmnqFOKW+aE7HxgeoA4U7phmoykVDwDCgC:fsA44QD5EG7vC6h1f
Threatray 492 similar samples on MalwareBazaar
TLSH T1412633277FA3102AEAD2033103F7161AEF72BDD21F9646107BA0DAEF55A9B560674F10
dhash icon f2cecc8e86cce892 (6 x DanaBot, 1 x CyberGate, 1 x RemcosRAT)
Reporter zbetcheckin
Tags:32 DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
470
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
778092be71e21474fd45b2b243ee223c
Verdict:
No threats detected
Analysis date:
2021-09-18 10:52:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/024ddabb-86e7-4f1d-9914-c82c442ca9b0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DLAgent14
Create hunting rule
Link:
https://www.capesandbox.com/analysis/188924/
Detection(s):
Win.Packed.Filerepmalware-9864117-0
Create hunting rule

Win.Packed.Stop-9872858-0
Create hunting rule

Win.Packed.Doina-9886276-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a file in the Program Files subdirectories
Deleting a recently created file
Creating a process from a recently created file
Creating a file in the %AppData% directory
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Launching a process
Searching for the window
Creating a file in the Windows subdirectories
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/88cdea9d-7b7a-4e66-b14a-2cb32f3fef7e
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/853178
Signature
Antivirus / Scanner detection for submitted sample
Hides threads from debuggers
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Submitted sample is a known malware sample
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses nslookup.exe to query domains
Uses ping.exe to check the status of other devices and networks
Writes to foreign memory regions
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 485609 Sample: 0WIFDnycmD Startdate: 18/09/2021 Architecture: WINDOWS Score: 100 78 ic-54113400-0a7b2f-windowsupdate48.s.loris.llnwd.net 2->78 104 Multi AV Scanner detection for domain / URL 2->104 106 Antivirus / Scanner detection for submitted sample 2->106 108 Multi AV Scanner detection for submitted file 2->108 110 5 other signatures 2->110 13 0WIFDnycmD.exe 25 2->13         started        16 IntelRapid.exe 2->16         started        19 IntelRapid.exe 2->19         started        signatures3 process4 file5 68 C:\Users\user\AppData\Local\...\vidduivp.exe, PE32 13->68 dropped 70 C:\Users\user\AppData\Local\...\feared.exe, PE32+ 13->70 dropped 72 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 13->72 dropped 74 3 other files (none is malicious) 13->74 dropped 21 vidduivp.exe 19 13->21         started        25 feared.exe 4 13->25         started        90 Query firmware table information (likely to detect VMs) 16->90 92 Hides threads from debuggers 16->92 94 Tries to detect sandboxes / dynamic malware analysis system (registry check) 16->94 signatures6 process7 file8 62 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 21->62 dropped 116 Machine Learning detection for dropped file 21->116 27 cmd.exe 1 21->27         started        64 C:\Users\user\AppData\...\IntelRapid.exe, PE32+ 25->64 dropped 118 Query firmware table information (likely to detect VMs) 25->118 120 Hides threads from debuggers 25->120 122 Tries to detect sandboxes / dynamic malware analysis system (registry check) 25->122 30 IntelRapid.exe 25->30         started        signatures9 process10 signatures11 128 Submitted sample is a known malware sample 27->128 130 Obfuscated command line found 27->130 132 Uses ping.exe to check the status of other devices and networks 27->132 32 cmd.exe 3 27->32         started        35 conhost.exe 27->35         started        134 Query firmware table information (likely to detect VMs) 30->134 136 Hides threads from debuggers 30->136 138 Tries to detect sandboxes / dynamic malware analysis system (registry check) 30->138 process12 signatures13 96 Obfuscated command line found 32->96 37 Hai.exe.com 32->37         started        40 PING.EXE 1 32->40         started        43 findstr.exe 1 32->43         started        process14 dnsIp15 112 Uses nslookup.exe to query domains 37->112 46 Hai.exe.com 1 37->46         started        82 127.0.0.1 unknown unknown 40->82 66 C:\Users\user\AppData\Roaming\Hai.exe.com, Targa 43->66 dropped file16 signatures17 process18 dnsIp19 86 TyNEAAOqElOMWAdYPaps.TyNEAAOqElOMWAdYPaps 46->86 88 192.168.2.1 unknown unknown 46->88 76 C:\Users\user\AppData\Roaming\nslookup.exe, PE32 46->76 dropped 98 Uses nslookup.exe to query domains 46->98 100 Writes to foreign memory regions 46->100 102 Maps a DLL or memory area into another process 46->102 51 nslookup.exe 3 18 46->51         started        file20 signatures21 process22 dnsIp23 80 ip-api.com 208.95.112.1, 49788, 80 TUT-ASUS United States 51->80 60 C:\Users\user\AppData\Local\...\nawttwqrk.vbs, ASCII 51->60 dropped 114 May check the online IP address of the machine 51->114 56 wscript.exe 12 51->56         started        file24 signatures25 process26 dnsIp27 84 iplogger.org 88.99.66.31, 443, 49789 HETZNER-ASDE Germany 56->84 124 System process connects to network (likely due to code injection or exploit) 56->124 126 May check the online IP address of the machine 56->126 signatures28
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/027e8e4c1ceb0fd7444db0509a32cd812caa15e3a0c5625a01dee747ad1e984c/
Threat name:
Win32.Trojan.Phonzy
Create hunting rule
Status:
Malicious
First seen:
2021-09-18 10:51:05 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0a3c1d6736893714d0e5552795fb8ba026ba2bd3f5e34afd975b9d463c1e46fe
DanaBot
2afd735ca5d2ad8a8478c4832e4827b150e30d5f0b7c1dc174ce934017ee1d76
DanaBot
c97d5d2645cc3028888156c99ddec9d67c3eb8812295d6f2fdd3f6e1a182f9a3
DanaBot
eb40273cc80a326126fdc5eecac7a0805f33c071e8e435814c3d04bc48d04878
DanaBot
f4da967e84e593cadb3e0a622f59dc4bbc7393c4aeef1a29df60b37b57548299
DanaBot
fe0921df62f37332cab9e56fbbfe050e204e196e55eb323657c1f0469a6ff27b
DanaBot
+ 482 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot botnet:4 banker discovery evasion spyware stealer themida trojan
Link:
https://tria.ge/reports/210918-mxtnnahcb9/
Behaviour
Checks processor information in registry
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Danabot
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
23.254.144.209:443
23.254.227.74:443
192.255.166.212:443
Unpacked files
SH256 hash:
114c6941a8b489416c84563e94fd266ea5cad2b518db45cd977f1f9761e00cb1
MD5 hash:
09c2e27c626d6f33018b8a34d3d98cb6
SHA1 hash:
8d6bf50218c8f201f06ecf98ca73b74752a2e453
Link:
https://www.unpac.me/results/fd638e72-781e-44b3-bc0b-61ab1f5aaf76/
SH256 hash:
d8cad9404098fbc9b95eedd91af5a2f848f5e678edea230ca682b0c45b6ba0e0
MD5 hash:
18ade40d83f1289b040991f5a9cf53f3
SHA1 hash:
17a83647abd8acbc31d7c5197af910005baffaa2
Link:
https://www.unpac.me/results/fd638e72-781e-44b3-bc0b-61ab1f5aaf76/
SH256 hash:
aed9f33d7f61a3e6e545e0eb031e42725883a06fa7ba9af84244b93291c30b4d
MD5 hash:
de6d05d618e437ccc45d8411c80982c4
SHA1 hash:
aa5927ef890705138e7fe9380cb07eb53577b777
Link:
https://www.unpac.me/results/fd638e72-781e-44b3-bc0b-61ab1f5aaf76/
SH256 hash:
f1f04964db9b71f0853b5604ec26f33d06fb239863a1b64af71cc557192b76d3
MD5 hash:
28d4362e0209278d272282e6135a8fe0
SHA1 hash:
c7bdb9b74c12aa8b1d72c6f4789e18586dcde34d
Link:
https://www.unpac.me/results/fd638e72-781e-44b3-bc0b-61ab1f5aaf76/
SH256 hash:
027e8e4c1ceb0fd7444db0509a32cd812caa15e3a0c5625a01dee747ad1e984c
MD5 hash:
778092be71e21474fd45b2b243ee223c
SHA1 hash:
841284da709d70037c7759afbd9ef31365236c2d
Link:
https://www.unpac.me/results/fd638e72-781e-44b3-bc0b-61ab1f5aaf76/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/027e8e4c1ceb0fd7444db0509a32cd812caa15e3a0c5625a01dee747ad1e984c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 027e8e4c1ceb0fd7444db0509a32cd812caa15e3a0c5625a01dee747ad1e984c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1630052/
Cape
Cape
https://www.capesandbox.com/analysis/188924/

Comments


Avatar
zbet commented on 2021-09-18 10:50:25 UTC

url : hxxp://cazars09.top/downfiles/lv.exe