MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2650817e2703b15c7e6fbf4d4caace2066f50db88fc96862190c4daf32d186e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2650817e2703b15c7e6fbf4d4caace2066f50db88fc96862190c4daf32d186e7
SHA3-384 hash: 88ab3a70a15263aa79996f43fb29c197efcdb74f41cb464a701058c9abcbb098b406be44787724787cb5e834cf7d912a
SHA1 hash: a234b171340ca47f2a2fba0705911c61416e8985
MD5 hash: 5b64b4c975ff001a2d99bf9b65b4b8bb
humanhash: equal-venus-jig-lake
File name:5b64b4c975ff001a2d99bf9b65b4b8bb
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'053'696 bytes
First seen:2022-04-16 03:17:10 UTC
Last seen:2022-04-20 10:23:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 324598d8e157ef332c75a6946f19434c (5 x DanaBot, 1 x Smoke Loader)
ssdeep 24576:vbahsA6iHbGRj+x7UkpFU/UzPkgSSML3xitJwDSmAESmB:OhsTibGRjM7UkpFRMxqwM
Threatray 10'921 similar samples on MalwareBazaar
TLSH T1172512F27290C937D1655E30547A9FF1892FA83398218547F6912F8E7E722805BB2B1F
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 480c1c4c4f594904 (9 x Smoke Loader, 7 x RedLineStealer, 6 x Amadey)
Reporter zbetcheckin
Tags:32 DanaBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
720
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5b64b4c975ff001a2d99bf9b65b4b8bb
Verdict:
Suspicious activity
Analysis date:
2022-04-16 03:18:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ea1493b8-d692-4b25-a22b-15c7c619ddb8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/264048/
Detection(s):
Win.Dropper.Stop-9938042-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/13999/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lockbit packed upatre
Link:
https://www.filescan.io/uploads/625a356ceab80a7a6c21e8d9/reports/de0ab688-4681-4354-b462-ec7bf7f6d72d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad.phis.spyw
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/977586
Signature
Machine Learning detection for sample
May use the Tor software to hide its network traffic
Multi AV Scanner detection for submitted file
Overwrites code with function prologues
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Call by Ordinal
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 610073 Sample: h8e83cKnjf.exe Startdate: 16/04/2022 Architecture: WINDOWS Score: 96 60 Multi AV Scanner detection for submitted file 2->60 62 Yara detected DanaBot stealer dll 2->62 64 Machine Learning detection for sample 2->64 66 2 other signatures 2->66 8 h8e83cKnjf.exe 3 2->8         started        process3 signatures4 68 Overwrites code with function prologues 8->68 11 rundll32.exe 8->11         started        15 rundll32.exe 13 8->15         started        18 WerFault.exe 16 8->18         started        20 8 other processes 8->20 process5 dnsIp6 52 68.179.202.34, 443, 49824 WA-K20US United States 11->52 54 188.105.49.84, 443, 49817 VODANETInternationalIP-BackboneofVodafoneDE Germany 11->54 58 11 other IPs or domains 11->58 70 System process connects to network (likely due to code injection or exploit) 11->70 72 Tries to steal Instant Messenger accounts or passwords 11->72 74 Tries to harvest and steal browser information (history, passwords, etc) 11->74 22 schtasks.exe 11->22         started        24 schtasks.exe 11->24         started        26 schtasks.exe 11->26         started        28 2 other processes 11->28 56 23.254.129.180, 443, 49749, 49779 HOSTWINDSUS United States 15->56 40 C:\Users\user\AppData\Local\Temp\Faqqye.tmp, DOS 15->40 dropped 76 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->76 78 Uses schtasks.exe or at.exe to add and modify task schedules 15->78 42 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->42 dropped 44 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 20->44 dropped 46 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 20->46 dropped 48 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 20->48 dropped 50 5 other malicious files 20->50 dropped file7 signatures8 process9 process10 30 conhost.exe 22->30         started        32 conhost.exe 24->32         started        34 conhost.exe 26->34         started        36 conhost.exe 28->36         started        38 conhost.exe 28->38         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2650817e2703b15c7e6fbf4d4caace2066f50db88fc96862190c4daf32d186e7/
Threat name:
Win32.Downloader.Upatre
Create hunting rule
Status:
Malicious
First seen:
2022-04-16 03:18:09 UTC
File Type:
PE (Exe)
Extracted files:
47
AV detection:
16 of 26 (61.54%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eziic7rhaoyvy7tpx5guzkwoebtpkdnyr7ewqyqzbrg26mwrq3tq._file
Verdict:
malicious
Similar samples:
2f43972540a6cae0eb4e50d142860bdc278b44b9b4606747c58e19383efa82f5
DanaBot
343b785bdc3ee599f7962a90b02c3638c470e486fe43fff73c0ee5fbb8eb0a50
DanaBot
3b9cd0cbd0216c7880e6edbf90c8c98d0800f7a562c3a845559b3375dfa09f8f
DanaBot
5cf233d7267a011a4e21064d530fc1b6e80f995b22cf86b29e773d13a463a628
DanaBot
70bee3fa2bf61c13b1e94ab33d6ac070ef107085c10abb28ccb92e5b6449deee
DanaBot
a0a944db45538f11089813fd89eeed36cdefa6204e52ba305251832ed0045860
DanaBot
a0bc490c4a5263a90e83476958a538d960a94437432c4561008a6c9bb4af2b17
DanaBot
b40e6537a52981f980ab811a63c1c8bb751d5ddc5b64668a342dddf24bcbeb94
DanaBot
c7a4fad10ef66516e492ab30d600be219ea259c4f0a42a3f664ae7b3cd94e2b7
DanaBot
dcedf234c0f9d6fe3a4392693c82708c70c8e243f42f2e7073d35bd928f3b526
DanaBot
+ 10'911 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/220416-dtlzzagchk/
Behaviour
Checks processor information in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks installed software on the system
Reads user/profile data of web browsers
Blocklisted process makes network request
Unpacked files
SH256 hash:
7cf737ed10584c7302ad3f475f6e2345bdd710cbf5b339df2677d01bbd631018
MD5 hash:
da40be72b763e2410179e02a246b94ab
SHA1 hash:
17ad505b81d71cd12912ed96fe8686ea27c97c90
Link:
https://www.unpac.me/results/3ebf2023-172e-4262-8d4d-0f5232a8e4c8/
SH256 hash:
2650817e2703b15c7e6fbf4d4caace2066f50db88fc96862190c4daf32d186e7
MD5 hash:
5b64b4c975ff001a2d99bf9b65b4b8bb
SHA1 hash:
a234b171340ca47f2a2fba0705911c61416e8985
Link:
https://www.unpac.me/results/3ebf2023-172e-4262-8d4d-0f5232a8e4c8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2650817e2703b15c7e6fbf4d4caace2066f50db88fc96862190c4daf32d186e7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 2650817e2703b15c7e6fbf4d4caace2066f50db88fc96862190c4daf32d186e7

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2149925/
Cape
Cape
https://www.capesandbox.com/analysis/264048/

Comments


Avatar
zbet commented on 2022-04-16 03:17:12 UTC

url : hxxp://108.62.118.31/hostads.exe