MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12aa781dbb20df22ed7d20b94a0c30d93ff44a875cee7c028cdccfa3eab9e57d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 9

Intelligence 9 IOCs YARA 14 File information Comments

SHA256 hash:	12aa781dbb20df22ed7d20b94a0c30d93ff44a875cee7c028cdccfa3eab9e57d
SHA3-384 hash:	327acbc70f710726152880e53819ff55140e19887b3b092361ce915d8f5cd65f6b2f5b750461c28b1614999b87c78e56
SHA1 hash:	f6ca169da771ab61d86ab43a3a3f76e9442944a2
MD5 hash:	68836f4363edf6dcf0203db3dcf5a6b2
humanhash:	robin-oranges-skylark-winter
File name:	SecuriteInfo.com.Variant.Ulise.188141.29924.19379
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	6'150'144 bytes
First seen:	2021-03-16 17:45:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c9265d4610349b7ef3c0d24d29857cc3 (1 x DanaBot)
ssdeep	98304:DGafthQ+CdjZv8VS7GGbWokX01iW3IfbZ/tbuUPQeaTNe6fRBmG0ZCHaLW7d7cj:yqqH8qSourW3IfBtHPQtTXBmdZCHGWZ
Threatray	23 similar samples on MalwareBazaar
TLSH	F5563381F0DAC3B7FB4187B24961C5234E747A6A427B8BDBB771776998722E00B19343
Reporter	SecuriteInfoCom
Tags:	DanaBot

Intelligence

File Origin

# of uploads :

# of downloads :

319

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Variant.Ulise.188141.29924.19379

Verdict:

Suspicious activity

Analysis date:

2021-03-16 17:51:32 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c9f57239-9f36-4832-a02a-9374cab4277c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/124349/

Detection(s):

SecuriteInfo.com.Variant.Ulise.188141.29924.19379.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Creating a file

Launching a process

Creating a process with a hidden window

Modifying an executable file

Changing a file

Creating a file in the %temp% directory

Sending a custom TCP request

Reading critical registry keys

Forced system process termination

Deleting a recently created file

Infecting executable files

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9342d0ee-a7cf-4377-8ad4-fa128c33ee11

Result

Threat name:

DanaBot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/641115

Signature

Antivirus / Scanner detection for submitted sample

Bypasses PowerShell execution policy

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

System process connects to network (likely due to code injection or exploit)

Tries to harvest and steal browser information (history, passwords, etc)

Uses nslookup.exe to query domains

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected DanaBot stealer dll

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/12aa781dbb20df22ed7d20b94a0c30d93ff44a875cee7c028cdccfa3eab9e57d/

Threat name:

Win32.Trojan.Zenpak

Status:

Malicious

First seen:

2021-03-16 17:46:06 UTC

AV detection:

16 of 47 (34.04%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ckvhqhn3edpsf3l5ec4uudbq3e77isuhltxhyaum3th2h2vz4v6q._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/210316-5sdclbrv22/

Unpacked files

SH256 hash:

e75c5483e1e50490c11ddc4fdbede08d3fe39671bdbb81866da183fdfc5bd621

MD5 hash:

6ed0c2130737df65639ecc34e63ac2bb

SHA1 hash:

54d631103b5a7ca7e4433750894409f888b3037c

Link:

https://www.unpac.me/results/aa8bb4ec-3c97-4900-9cad-bdf26dea606b/

SH256 hash:

7b33e716bb7d853da0936d60ac7db620206ec7c039ef991f93db01e2ae7ca369

MD5 hash:

d8751ef19dddbbcff76b692d24863327

SHA1 hash:

db9e819a4c3752b78c6a3f1ba4c1425d8461c24f

Link:

https://www.unpac.me/results/aa8bb4ec-3c97-4900-9cad-bdf26dea606b/

SH256 hash:

fcc956e53fbeb650840c6f4bdfabe9b914afecd279e4f586bedc0aa29c1a0b1f

MD5 hash:

2a066fb34e6ed03b073f0963b84a2de2

SHA1 hash:

e97284839feb2d590520c8011af08373b2c9eae1

Link:

https://www.unpac.me/results/aa8bb4ec-3c97-4900-9cad-bdf26dea606b/

SH256 hash:

12aa781dbb20df22ed7d20b94a0c30d93ff44a875cee7c028cdccfa3eab9e57d

MD5 hash:

68836f4363edf6dcf0203db3dcf5a6b2

SHA1 hash:

f6ca169da771ab61d86ab43a3a3f76e9442944a2

Link:

https://www.unpac.me/results/aa8bb4ec-3c97-4900-9cad-bdf26dea606b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/12aa781dbb20df22ed7d20b94a0c30d93ff44a875cee7c028cdccfa3eab9e57d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	hunt_skyproj_backdoor Create hunting rule
Author:	SBousseaden
Reference:	https://unit42.paloaltonetworks.com/unit42-prince-persia-ride-lightning-infy-returns-foudre/

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	@ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePasswor Create hunting rule
Author:	ditekSHen
Description:	Detects PowerShell content designed to retrieve passwords from host

Rule name:	INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePassword Create hunting rule
Author:	ditekSHen
Description:	Detects PowerShell content designed to retrieve passwords from host

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	MALWARE_Win_DanaBot Create hunting rule
Author:	ditekSHen
Description:	Detects DanaBot variants

Rule name:	Ping_Del_method_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	cmd ping IP nul del

Rule name:	Select_from_enumeration Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

Rule name:	Stealer_word_in_memory Create hunting rule
Author:	James_inthe_box
Description:	The actual word stealer in memory

Rule name:	with_sqlite Create hunting rule
Author:	Julian J. Gonzalez <info@seguridadparatodos.es>
Description:	Rule to detect the presence of SQLite data in raw image
Reference:	http://www.st2labs.com