MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30d61c9063fe72a9a6a1519ad4a2c43dc7e88fac46904e6f7227fa789be5dbb6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 12

Intelligence 12 IOCs 2 YARA File information Comments

SHA256 hash:	30d61c9063fe72a9a6a1519ad4a2c43dc7e88fac46904e6f7227fa789be5dbb6
SHA3-384 hash:	38753306205ccc33ab28e5f3f9ad3712acfd9e401e66060d1416d06747305fa6ad8c03e5eb15f6b7b362f819d6eaff41
SHA1 hash:	58013fcf021aa095cfc396661d84b3de51689495
MD5 hash:	02587aa16204407723ac2913491804c4
humanhash:	connecticut-fifteen-xray-shade
File name:	30D61C9063FE72A9A6A1519AD4A2C43DC7E88FAC46904.exe
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	165'376 bytes
First seen:	2022-03-18 16:26:03 UTC
Last seen:	2022-03-18 17:57:13 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	1a7ba06c87bade3693958d0e4d963b91 (1 x Socelars, 1 x GCleaner, 1 x DanaBot)
ssdeep	3072:iKKURfw6InxaqAf3qIpyEPAJABLeA1Zf+rDcJuvAy1dKP+Mo9MYo7:3KsXGxalfXpyx0HZf+oJuvAymND
Threatray	11'340 similar samples on MalwareBazaar
TLSH	T15BF37B197AD1E0B2D571153238E0DB71852DFD301B60996B37863B3E6F302E25E65B2B
File icon (PE):
dhash icon	92aae8c8e8f2b29a (3 x RedLineStealer, 2 x GCleaner, 2 x PrivateLoader)
Reporter	abuse_ch
Tags:	DanaBot exe

abuse_ch

DanaBot C2:
193.233.48.58:38989

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
193.233.48.58:38989	https://threatfox.abuse.ch/ioc/409201/
168.119.164.249:48788	https://threatfox.abuse.ch/ioc/409203/

Intelligence

File Origin

# of uploads :

# of downloads :

614

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/252705/

Detection(s):

SecuriteInfo.com.Variant.Zusy.412347.14973.26187.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/9728/overview

Behaviour

MalwareBazaar

MeasuringTime

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

No Threat

Threat level:

10/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/6234b2a4b94fb38cb4a49d17/reports/c7311bca-2e9c-45dc-9b42-29963157492f/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Pioneer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/909b113d-b6d8-40bc-8e9c-cf915079042f

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/959718

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/30d61c9063fe72a9a6a1519ad4a2c43dc7e88fac46904e6f7227fa789be5dbb6/

Threat name:

Win32.Backdoor.Zapchast

Status:

Malicious

First seen:

2022-01-20 14:14:53 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

29 of 41 (70.73%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gdlbzedd7zzktjvbkgnnjiwehxd6rd5mi2ie433se75hrg7f3o3a._file

Verdict:

malicious

DanaBot

104fae3c4dcf6339429a9242d76cec45644e5b2e072fdfa0d5f477c7ec7ebcfb

DanaBot

2a06da1f6bb8f01f932093ed9ae5f1ca2ff7b53b89dfd46a0102200cf3ebaead

DanaBot

2e71e3bcb39c87ae43d0019b5d62084b8eb2bb0ebe09c05d7cf2ad026082e527

DanaBot

3b4140faaa3828375888ca2ff1152fdf46529175ee49931ad8a20f52e0cdb058

DanaBot

415cef68482c74fcfff231fafc63bf9835c72da00e826e753aac86f704db7ac8

DanaBot

83a0838ce422cf0354914df7efde5aeadb19cbc84ee315725de96237df2a36aa

DanaBot

b0de3b3eb79e5291dcd933e0e8231c90208e2e11e894500fb7df6487ba259ba9

DanaBot

de1ae614a8a926b44989594d2bd4615c14700e575662d7c4689789d6b228f79e

DanaBot

+ 11'330 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:djvu family:redline family:vidar botnet:1182 botnet:nam22 evasion infostealer ransomware spyware stealer trojan upx

Link:

https://tria.ge/reports/220318-txjxsabgh2/

Behaviour

Creates scheduled task(s)

Delays execution with timeout.exe

Enumerates processes with tasklist

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Enumerates physical storage devices

Program crash

Drops file in Program Files directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

Sets file to hidden

UPX packed file

Vidar Stealer

Detected Djvu ransomware

Djvu Ransomware

Modifies Windows Defender Real-time Protection settings

Process spawned unexpected child process

RedLine

RedLine Payload

Vidar

Malware Config

C2 Extraction:

103.133.111.182:44839
http://fuyt.org/test3/get.php
https://ieji.de/@sam7al
https://busshi.moe/@sam0al

Dropper Extraction:

http://62.204.41.71/Offer/Offer.oo
http://62.204.41.71/cs/RED.oo
http://62.204.41.71/cs/NON.oo
http://62.204.41.71/cs/NAN.oo

Unpacked files

SH256 hash:

30d61c9063fe72a9a6a1519ad4a2c43dc7e88fac46904e6f7227fa789be5dbb6

MD5 hash:

02587aa16204407723ac2913491804c4

SHA1 hash:

58013fcf021aa095cfc396661d84b3de51689495

Link:

https://www.unpac.me/results/22817354-680d-4578-b327-573fff71688b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/30d61c9063fe72a9a6a1519ad4a2c43dc7e88fac46904e6f7227fa789be5dbb6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/252705/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample