MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0789167a083f16debc270fa324e5f4d6b07a4519e4aef9e2d1c99394ca4d62c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0789167a083f16debc270fa324e5f4d6b07a4519e4aef9e2d1c99394ca4d62c8
SHA3-384 hash: 23fec69ebf3821f663c22ca8b029909899cdcc0d73f10ed6c3b93c4e4774f386b210c2e603218b2b99c818b37b865527
SHA1 hash: f506d859a07b2693a5ce42d6e750d292fc767673
MD5 hash: 4bcbf697828bfa987e4f8ff1e83a1c6f
humanhash: butter-steak-sink-delta
File name:Capcha.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:4'669'440 bytes
First seen:2024-12-03 20:45:36 UTC
Last seen:2025-01-28 08:06:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f2c0b114952ed57c136661b1202110c3 (1 x DanaBot)
ssdeep 98304:wZ62+qcl4wZ933AjTlHlsCjZh2gIJ1+OUNayU+KC:wTK99HAxz1i+nr/
Threatray 200 similar samples on MalwareBazaar
TLSH T1172601D5E7A346B5C09157B0818A333B9AF28D246C5CCEE9E685F602DDB3F83A54834D
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
File icon (PE):PE icon
dhash icon c29aa2a2beba82d4 (1 x DanaBot)
Reporter k3dg3___
Tags:5-253-59-205 booking DanaBot exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
431
Origin country :
US US
Vendor Threat Intelligence
Malware family:
danabot
Create hunting rule
ID:
1
File name:
Capcha.exe
Verdict:
Malicious activity
Analysis date:
2024-12-03 20:58:41 UTC
Tags:
danabot stealer danabot-unpacked
Link:
https://app.any.run/tasks/63d03067-b8cb-4f54-9e79-ce2d8f84c473

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=674f6f20bc8c6beb307571a4
Tags:
shellcode virus small lien
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
evasive fingerprint gcc packed packed packer_detected
Link:
https://www.filescan.io/uploads/674f6e0b7bae4cb482001539/reports/2b4ad5d6-4d1a-48a5-84e8-8aad0ed9caa4/overview
Verdict:
Suspicious
Labled as:
Malware_
Link:
https://www.hybrid-analysis.com/sample/0789167a083f16debc270fa324e5f4d6b07a4519e4aef9e2d1c99394ca4d62c8
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/eef7855d-0733-40d1-b6c8-81d0f920c979
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1567810
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May use the Tor software to hide its network traffic
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Potentially malicious time measurement code found
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
Score:
2%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/0789167a083f16debc270fa324e5f4d6b07a4519e4aef9e2d1c99394ca4d62c8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0789167a083f16debc270fa324e5f4d6b07a4519e4aef9e2d1c99394ca4d62c8/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a6erm6qih4ln5pbhb6rsjzpu22yhuriz4sxptywrzgjzjssnmlea._file
Verdict:
suspicious
Label(s):
danabot
Create hunting rule
Similar samples:
3dcad5a8e080c674141c41686629e4e7a598bb6856a9ba97584ef83ff0a37f02
DanaBot
77922fc0233a99e959855ff093fc127dbee170208751f6c1fab6ed46a02f8f1b
DanaBot
7d224e040b9aaf934505f2615b7971bff1d5563252bddeaefb174d0c8fa034de
DanaBot
8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d
DanaBot
af757d871c87055b362a777b1884556d0a59af3df2ff9edaf626d5d17939db08
DanaBot
b86d5ba2ec3c95ad28c63d2c1256a6ce067bbea9b3f2903babe468f53d3838ef
DanaBot
error
DanaBot
+ 190 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
collection discovery
Link:
https://tria.ge/reports/241203-zj95psynfr/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/94ea04c4-884c-4e4f-a33f-938da1d1568a
Unpacked files
SH256 hash:
bccb8f1c3763557cee3b038bda22c1195a1cee59634dc628e16a94b1b4ff54ab
MD5 hash:
77d2ca1548ab9b8c17b087625b3b10e4
SHA1 hash:
205bd1181b0c7f5da6090d663bb781c2f6090c85
Detections:
Danabot
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
DanaBot
Create hunting rule
Link:
https://www.unpac.me/results/ebcc0125-c9e5-4cab-bcf2-288dae9da272/
SH256 hash:
0789167a083f16debc270fa324e5f4d6b07a4519e4aef9e2d1c99394ca4d62c8
MD5 hash:
4bcbf697828bfa987e4f8ff1e83a1c6f
SHA1 hash:
f506d859a07b2693a5ce42d6e750d292fc767673
Link:
https://www.unpac.me/results/ebcc0125-c9e5-4cab-bcf2-288dae9da272/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0789167a083f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0789167a083f16debc270fa324e5f4d6b07a4519e4aef9e2d1c99394ca4d62c8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:RansomPyShield_Antiransomware
Create hunting rule
Author:XiAnzheng
Description:Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

LummaStealer

Executable exe 5dadb92ae8a079920479ca10a8619cd40d582820bc4a023415ae5c080988d793

DanaBot

Executable exe 0789167a083f16debc270fa324e5f4d6b07a4519e4aef9e2d1c99394ca4d62c8

(this sample)

Joe
Joe Sandbox
https://jbxcloud.joesecurity.org/analysis/4269063/0/html
  
Delivery method
Distributed via e-mail link
  
Dropped by
SHA256 5dadb92ae8a079920479ca10a8619cd40d582820bc4a023415ae5c080988d793
  
Dropped by
MD5 b65109ccd79cbafbb2813cf1ec0c5cd4

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsOLE32.dll::CoCreateInstance
MULTIMEDIA_APICan Play MultimediaGDI32.dll::StretchDIBits
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileA
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::GetSystemDirectoryA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.DLL::GetUserNameA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.DLL::RegOpenKeyA
ADVAPI32.DLL::RegQueryValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuA
USER32.dll::EmptyClipboard
USER32.dll::OpenClipboard
USER32.dll::PeekMessageA
USER32.dll::CreateWindowExA

Comments