MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0aeca92ed74184da2c9450b3de78013045e0b0800c206899d97298765a03b788. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 8


Intelligence 8 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0aeca92ed74184da2c9450b3de78013045e0b0800c206899d97298765a03b788
SHA3-384 hash: 9fa3993df2e1bbd9189454f0a2552c515e162433705d254df19c7927fdab0ff5135ccd04c01ed010ccbc35d23e93049b
SHA1 hash: dc373dc5ec1ae41d459a1b0603c20d272870ff86
MD5 hash: 87648d9648e27ce731e75a4997b2080a
humanhash: oven-social-fix-cat
File name:SecuriteInfo.com.W32.AIDetect.malware1.1169.24601
Download: download sample
Signature DanaBot
Create hunting rule
File size:6'150'144 bytes
First seen:2021-03-28 10:37:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c802528c4ea71678b64f5b5234f7c184 (2 x DanaBot)
ssdeep 98304:3kCttN5UhmtGTRZMxVzJsaFzl9j/lpbm6vs2OfK5tJziGooJ2F7feg+APTL7q1B3:/3Shm8Z0VFJFzlTpbLvZ92ZoANJ+gS
Threatray 44 similar samples on MalwareBazaar
TLSH 69563301B1D0C1B3E1C748366C2464A51AE3B292DD28ACCF27D4FFAE46626D9D1FA357
Reporter SecuriteInfoCom
Tags:DanaBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
423
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.W32.AIDetect.malware1.1169.24601
Verdict:
No threats detected
Analysis date:
2021-03-28 10:39:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0191296c-45c6-46b6-a99f-7adff0e41a3c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DanaBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/127357/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.1169.24601.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file
Launching a process
Creating a process with a hidden window
Modifying an executable file
Creating a file in the %temp% directory
Changing a file
Sending a custom TCP request
Reading critical registry keys
Forced system process termination
Connection attempt
Deleting a recently created file
Infecting executable files
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cbecd266-401c-4189-a39c-5b7df5c0bf1b
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/656117
Signature
Antivirus / Scanner detection for submitted sample
Bypasses PowerShell execution policy
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Uses nslookup.exe to query domains
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 376993 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 28/03/2021 Architecture: WINDOWS Score: 100 53 Antivirus / Scanner detection for submitted sample 2->53 55 Multi AV Scanner detection for dropped file 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 2 other signatures 2->59 9 SecuriteInfo.com.W32.AIDetect.malware1.1169.exe 1 2->9         started        process3 file4 45 C:\Users\user\Desktop\SECURI~1.EXE.dll, PE32 9->45 dropped 67 Detected unpacking (changes PE section rights) 9->67 69 Detected unpacking (overwrites its own PE header) 9->69 13 rundll32.exe 9->13         started        16 WerFault.exe 20 9 9->16         started        signatures5 process6 signatures7 71 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 13->71 73 Bypasses PowerShell execution policy 13->73 75 Uses schtasks.exe or at.exe to add and modify task schedules 13->75 18 rundll32.exe 8 23 13->18         started        process8 dnsIp9 51 192.3.26.107, 443, 49718 AS-COLOCROSSINGUS United States 18->51 43 C:\Users\user\AppData\...\tmp8CE0.tmp.ps1, ASCII 18->43 dropped 61 System process connects to network (likely due to code injection or exploit) 18->61 63 Tries to harvest and steal browser information (history, passwords, etc) 18->63 23 powershell.exe 15 18->23         started        26 powershell.exe 17 18->26         started        28 schtasks.exe 18->28         started        30 schtasks.exe 18->30         started        file10 signatures11 process12 signatures13 65 Uses nslookup.exe to query domains 23->65 32 nslookup.exe 1 23->32         started        35 conhost.exe 23->35         started        37 conhost.exe 26->37         started        39 conhost.exe 28->39         started        41 conhost.exe 30->41         started        process14 dnsIp15 47 localhost 32->47 49 8.8.8.8.in-addr.arpa 32->49
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0aeca92ed74184da2c9450b3de78013045e0b0800c206899d97298765a03b788/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2021-03-28 10:38:08 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=blwkslwxigcnuleukcz546abgbc6bmeabqqgrgozokmhmwqdw6ea._file
Verdict:
malicious
Similar samples:
0bd3e2289f0899ce7978056ad9a96bc1f33e37bb219ecd19ccd0e64b993f6143
DanaBot
6b5ac8a36a41a1220a049752119417478afd1ac433ac5b2da0e7c9560b38c52e
DanaBot
7662ab9b318424d7a2351788c64a08788f5c7e12ca960b199d737fd883fe7d40
DanaBot
89ebfcdbf750745daa08da3e4c5c56db4f78a00b8c2e8ca06a1b19373ff84da2
DanaBot
a99d8d6dd7fb3c444c24f4c8ad2011d341d42a792d20ed306a39b7a2be017467
DanaBot
bae80042c1b61aa70ea8687213f90a6326de60f5999e5ecd8d4dd41c7361d16b
DanaBot
c304d726aa9e039a45cf9a6865b9a77d257bb688948fac76a476a0c28c200989
DanaBot
e1043b597d99a6553919b8e0d8e265aa6dd2f2004d63c57686d3e4dfca13505e
DanaBot
e3e6925c2542dfef5760150b07bc591324b8287fd829766ab1d938b5ed1ebecc
DanaBot
e65e644d9e4644fce4b66e7c85fb16c9be1533b73fd0bec78b6f048c6a21ad9b
DanaBot
+ 34 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210328-2cassj4xle/
Unpacked files
SH256 hash:
b96c0185526f60f5e0631c4f73a99ef3b4367586a450749fbc900daea91f6c7e
MD5 hash:
e35744f9933b37413a01f0e1ed44e8dc
SHA1 hash:
103dcba09fff40713505a817776cec8e193ae151
Link:
https://www.unpac.me/results/99031b7a-dfe9-43e5-9c88-9ea9e1695829/
SH256 hash:
e2e79ea3ba2ad91155a5edc6adf2f3e07facdf7bf5d064b1d492282654f954c9
MD5 hash:
a02f4f4d482feae676db585a6b1826f1
SHA1 hash:
2286ff3ef0aa38bbd6b0de67d00150b6d17c2a9f
Link:
https://www.unpac.me/results/99031b7a-dfe9-43e5-9c88-9ea9e1695829/
SH256 hash:
8057bf65f8d332bea25d1802085eab4f12a7b2d826a8c7c4d97bd3e8d285e94e
MD5 hash:
4f3a4615d59d3b19163668584b4bd521
SHA1 hash:
7364d092bf2ac103b3b3d7c21883334866016cfd
Link:
https://www.unpac.me/results/99031b7a-dfe9-43e5-9c88-9ea9e1695829/
SH256 hash:
0aeca92ed74184da2c9450b3de78013045e0b0800c206899d97298765a03b788
MD5 hash:
87648d9648e27ce731e75a4997b2080a
SHA1 hash:
dc373dc5ec1ae41d459a1b0603c20d272870ff86
Link:
https://www.unpac.me/results/99031b7a-dfe9-43e5-9c88-9ea9e1695829/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0aeca92ed74184da2c9450b3de78013045e0b0800c206899d97298765a03b788

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:hunt_skyproj_backdoor
Create hunting rule
Author:SBousseaden
Reference:https://unit42.paloaltonetworks.com/unit42-prince-persia-ride-lightning-infy-returns-foudre/
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:@ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePasswor
Create hunting rule
Author:ditekSHen
Description:Detects PowerShell content designed to retrieve passwords from host
Rule name:INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePassword
Create hunting rule
Author:ditekSHen
Description:Detects PowerShell content designed to retrieve passwords from host
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_DanaBot
Create hunting rule
Author:ditekSHen
Description:Detects DanaBot variants
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Stealer_word_in_memory
Create hunting rule
Author:James_inthe_box
Description:The actual word stealer in memory
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 0aeca92ed74184da2c9450b3de78013045e0b0800c206899d97298765a03b788

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1096421/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/127357/

Comments