MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26e4bbe3bdc2deb3142b952094d6bd3bb27ee0217d7a9b735a0cc2bbdf6bd9b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DanaBot


Vendor detections: 10



SHA256 hash: 26e4bbe3bdc2deb3142b952094d6bd3bb27ee0217d7a9b735a0cc2bbdf6bd9b4
SHA3-384 hash: 365682370e4c29d58ecd4bd771a7e8b5021c193eebef9f8ecf4b2c4bf1d9aaea94a2672e7255d6d5b9b6fbb0572e1e5e
SHA1 hash: 1c83bfb5faeab3104cc75d91beebceadb9b8e420
MD5 hash: ba59bc12d400c6a35039bc637a93a8db
humanhash: mexico-foxtrot-twelve-winner
File name: ba59bc12d400c6a35039bc637a93a8db.exe
Signature: DanaBot
File size: 1'146'880 bytes
First seen: 2021-06-16 10:12:40 UTC
Last seen: 2021-06-16 10:56:35 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2ab857f73c9912dee0698f559b75c172 (8 x RedLineStealer, 1 x Glupteba, 1 x FickerStealer)
ssdeep: 24576:K6wotp9kjtmC+JH7TcjXfqbequM8MuoN3HfnLL3UBay:Raj+BTuPqbeqDXfLLEBay
Threatray: 2'012 similar samples on MalwareBazaar
TLSH: 19350200EAB0D034F4F626F469B6937EB82979F1A76890CB23D526FA47785D4AC71703
Reporter: abuse_ch
Tags: DanaBot exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 268
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: ba59bc12d400c6a35039bc637a93a8db.exe
Verdict: Malicious activity
Analysis date: 2021-06-16 10:16:20 UTC
Tags: trojan danabot

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Suspicious
Maliciousness:
Behaviour
Sending a UDP request
Creating a file
Enabling the 'hidden' option for recently created files
Launching a process
Creating a process with a hidden window
Sending a custom TCP request
Creating a file in the Program Files subdirectories
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Malicious Packer
Verdict: Malicious

Result
Threat name: Unknown
Detection: malicious
Classification: bank.adwa.spyw.evad
Score: 96 / 100
Signature
Bypasses PowerShell execution policy
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Enables a proxy for the internet explorer
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sets a proxy for the internet explorer
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph: [graph image, not reproduced in text; Behavior Graph ID 435352, sample K0lldatWsw.exe, start date 16/06/2021, architecture WINDOWS, score 96; process chain K0lldatWsw.exe → rundll32.exe → rundll32.exe → powershell.exe → conhost.exe, with the dropped files and network contacts matching the signatures listed above]
Threat name: Win32.Trojan.Azorult
Status: Malicious
First seen: 2021-06-15 18:10:56 UTC
AV detection: 22 of 29 (75.86%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: discovery spyware stealer
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Unpacked files
SHA256 hash: 88f04aa2f635a6ef12b132b17f91fcdd6f01f1ae6683fd0db91d94376e619bdb
MD5 hash: 3a27b7fb5d0ba4369415cacfe442c400
SHA1 hash: 511c963f06f0e2d39bbd02c453345d54d188aa26

SHA256 hash: 715d5e73505b22bc9a1e8f13816b6505df292918f2a1dc2ab9a2fbb649b50855
MD5 hash: e45ae6a8a4f37dd25270bc41ba76d5bc
SHA1 hash: 257d7f210614017a99359d473fe8c7b06a7c2161

SHA256 hash: 26e4bbe3bdc2deb3142b952094d6bd3bb27ee0217d7a9b735a0cc2bbdf6bd9b4
MD5 hash: ba59bc12d400c6a35039bc637a93a8db
SHA1 hash: 1c83bfb5faeab3104cc75d91beebceadb9b8e420

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download
Signature: DanaBot
File: Executable exe 26e4bbe3bdc2deb3142b952094d6bd3bb27ee0217d7a9b735a0cc2bbdf6bd9b4 (this sample)
