MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0541ef965db2b921d8f8af92f0fb84ee1561d7bb08c94cfb1847da06434f91f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0541ef965db2b921d8f8af92f0fb84ee1561d7bb08c94cfb1847da06434f91f7
SHA3-384 hash: c65e0db877e6a202e1e1f272011330d8218420d69de279232685e2abc8d114d3ade9a78e1395de502bd7f915dc5f8296
SHA1 hash: db5defc22ea4526abafcd8ebc916ddf90c42caf2
MD5 hash: 5120a1ff676e7185f4cd3c40f6159082
humanhash: florida-london-jupiter-utah
File name:Wondershare Filmora 12 License.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:6'996'595 bytes
First seen:2023-10-28 07:06:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fa8d20faea9ef7b4e2b7fbfe93442593 (17 x RedLineStealer, 4 x CoinMiner, 3 x AgentTesla)
ssdeep 196608:ucxUjY7JXmh0UdnFQNbOl+KpbhKrqh5iLGY:VpKCNJK5gqhEz
Threatray 96 similar samples on MalwareBazaar
TLSH T192662207E284CFB3DF6600B748D183E36DAA792BC622457A56FC560E59207B18A1F7D3
TrID 86.1% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
5.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.4% (.EXE) Win64 Executable (generic) (10523/12/4)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 5c1a62e29098b2e8 (1 x DanaBot)
Reporter likeastar20
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
463
Origin country :
RO RO
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/456816/
Detection(s):
Win.Packed.Uztuby-10007804-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Launching cmd.exe command interpreter
Creating a file
Transferring files using the Background Intelligent Transfer Service (BITS)
Enabling the 'hidden' option for recently created files
Launching a process
Creating a process with a hidden window
Unauthorized injection to a system process
Enabling autorun by creating a file
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware lolbin overlay packed replace setupapi shdocvw shell32
Link:
https://www.filescan.io/uploads/653cb316a6fa5eab936932a0/reports/4f8ed6fd-bc5b-4f38-9e56-b56e5f40c6b5/overview
Verdict:
Malicious
Labled as:
Trojan.Zenpak
Link:
https://www.hybrid-analysis.com/sample/0541ef965db2b921d8f8af92f0fb84ee1561d7bb08c94cfb1847da06434f91f7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/1e8262c4-33ec-48b4-bf33-89b6afdb46f9
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1333648
Signature
Contain functionality to detect virtual machines
Found API chain indicative of debugger detection
Found hidden mapped module (file has been removed from disk)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May use the Tor software to hide its network traffic
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1333648 Sample: Wondershare_Filmora_12_Lice... Startdate: 28/10/2023 Architecture: WINDOWS Score: 100 64 Multi AV Scanner detection for dropped file 2->64 66 Multi AV Scanner detection for submitted file 2->66 68 Yara detected DanaBot stealer dll 2->68 70 2 other signatures 2->70 9 Wondershare_Filmora_12_License.exe 14 2->9         started        13 VBoxExtPackHelperApp.exe 1 2->13         started        process3 file4 46 C:\Users\user\AppData\Local\...\VBoxRT.dll, PE32+ 9->46 dropped 48 C:\Users\user\...\VBoxExtPackHelperApp.exe, PE32+ 9->48 dropped 50 C:\Users\user\AppData\Local\...\msvcr100.dll, PE32+ 9->50 dropped 52 C:\Users\user\AppData\Local\...\msvcp100.dll, PE32+ 9->52 dropped 80 Contain functionality to detect virtual machines 9->80 15 VBoxExtPackHelperApp.exe 1 9->15         started        82 Maps a DLL or memory area into another process 13->82 18 cmd.exe 2 13->18         started        signatures5 process6 file7 90 Contain functionality to detect virtual machines 15->90 92 Maps a DLL or memory area into another process 15->92 21 cmd.exe 4 15->21         started        42 C:\Users\user\AppData\Local\Temp\swuqv, PE32 18->42 dropped 94 Injects code into the Windows Explorer (explorer.exe) 18->94 96 Writes to foreign memory regions 18->96 25 explorer.exe 1 18->25         started        27 conhost.exe 18->27         started        signatures8 process9 file10 44 C:\Users\user\AppData\Local\Temp\gjqqqq, PE32 21->44 dropped 72 Injects code into the Windows Explorer (explorer.exe) 21->72 74 Writes to foreign memory regions 21->74 76 Found hidden mapped module (file has been removed from disk) 21->76 29 explorer.exe 2 21->29         started        33 conhost.exe 21->33         started        35 rundll32.exe 4 25->35         started        signatures11 process12 dnsIp13 54 C:\ProgramData\Rodrwahpqerh.tmp, DOS 29->54 dropped 84 Found API chain indicative of debugger detection 29->84 86 May use the Tor software to hide its network traffic 29->86 88 Writes to foreign memory regions 29->88 38 rundll32.exe 1 4 29->38         started        56 127.0.0.1 unknown unknown 35->56 file14 signatures15 process16 dnsIp17 58 195.2.75.109, 443, 49719, 49722 VDSINA-ASRU Russian Federation 38->58 60 88.218.61.195, 443, 49721, 49729 E-STYLEISP-ASRU Russian Federation 38->60 62 178.20.47.4, 443, 49720, 49728 ASN-FRWInternetServiceProviderIT Russian Federation 38->62 78 System process connects to network (likely due to code injection or exploit) 38->78 signatures18
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0541ef965db2b921d8f8af92f0fb84ee1561d7bb08c94cfb1847da06434f91f7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0541ef965db2b921d8f8af92f0fb84ee1561d7bb08c94cfb1847da06434f91f7/
Threat name:
Win32.Spyware.Raccoonstealer
Create hunting rule
Status:
Malicious
First seen:
2023-10-25 01:28:58 UTC
File Type:
PE (Exe)
Extracted files:
557
AV detection:
24 of 37 (64.86%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ava67fs5wk4sdwhyv6jpb64e5ykwdv53bdeuz6yyi7namq2psh3q._file
Verdict:
malicious
Similar samples:
2ee350a3c3c03283a1458ff5e3e142d91b46a8fecd846ec8df0d1edca7c1e4cf
DanaBot
4ba96ecdcdfa746de28a0ee3ef474842e829917c9486ace35ec4cc2fa1ad956f
DanaBot
6d0d0bfb0234dfe8b53845a003af0e8dc32f3be55a93a5a0ac7850f24c6df80a
DanaBot
76036d4aabf28f8a735919c2f9fccf8c4290dd41ff7ebb5d25d08f1278b240bb
DanaBot
8f6df7df63e769169784c8909e9138c0aa632cc23a24ecb61496fa152230ae07
DanaBot
b97b6e16154d9e6fc147031cd3308333a6ae7345a5bc9d2040e5f5abff5d7e8d
DanaBot
f57dab60885da9213f24b4896129182cb29ad3bd7be194685b68d61e6357188b
DanaBot
+ 86 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot banker trojan
Link:
https://tria.ge/reports/231028-hxmswsfc5w/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Danabot
Unpacked files
SH256 hash:
0541ef965db2b921d8f8af92f0fb84ee1561d7bb08c94cfb1847da06434f91f7
MD5 hash:
5120a1ff676e7185f4cd3c40f6159082
SHA1 hash:
db5defc22ea4526abafcd8ebc916ddf90c42caf2
Link:
https://www.unpac.me/results/a6fbccf6-1a84-469e-8a08-4db7d52a6103/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0541ef965db2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0541ef965db2b921d8f8af92f0fb84ee1561d7bb08c94cfb1847da06434f91f7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/456816/

Comments