MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36dbcbd2fd7ca9dce07e4fb345b4e2f08bc514a8ecd776a2212a3897e9e6ef55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 36dbcbd2fd7ca9dce07e4fb345b4e2f08bc514a8ecd776a2212a3897e9e6ef55
SHA3-384 hash: ba6f1dd4ad958601d3eb15b12b32b8f5f09ac581836ae8d525cbb5aad41e015d89ed0510a0498bce77935f65d51cd6f7
SHA1 hash: 712d4e8b9a0eb6fa53ce554077880bdb479ddd87
MD5 hash: d002fd64bfdd7944bfedf5f0bad651bd
humanhash: ack-maine-butter-bakerloo
File name:d002fd64bfdd7944bfedf5f0bad651bd.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'145'856 bytes
First seen:2021-06-18 06:48:18 UTC
Last seen:2021-06-18 07:48:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9b93f51dff18f665803be156c5e038b5 (1 x RedLineStealer, 1 x DanaBot)
ssdeep 24576:aozyr1VQiWBYgqYENf5dLyjvRt3R0FjVFf8755tNAxW:RiWBYcENfevb3R0Fjjfm5tNA
Threatray 2'037 similar samples on MalwareBazaar
TLSH F6351210FAA1C035F1FB21F415B99768AA2D3EB1577424CB22D51AEE9734AE0ED32707
Reporter abuse_ch
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
277
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d002fd64bfdd7944bfedf5f0bad651bd.exe
Verdict:
Malicious activity
Analysis date:
2021-06-18 06:51:50 UTC
Tags:
trojan danabot stealer
Link:
https://app.any.run/tasks/f2517ad6-2276-4958-b600-ff03770c58bb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/166751/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37119257.30958.3575.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fe4d8e0e-329f-412d-9f9d-0a147339452f
Result
Threat name:
Unknown
Detection:
malicious
Classification:
bank.adwa.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/804161
Signature
Bypasses PowerShell execution policy
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Enables a proxy for the internet explorer
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sets a proxy for the internet explorer
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 436589 Sample: zIrRuc3bor.exe Startdate: 18/06/2021 Architecture: WINDOWS Score: 96 37 Multi AV Scanner detection for submitted file 2->37 39 Machine Learning detection for sample 2->39 9 zIrRuc3bor.exe 1 2->9         started        process3 signatures4 49 Detected unpacking (changes PE section rights) 9->49 51 Detected unpacking (overwrites its own PE header) 9->51 12 rundll32.exe 6 9->12         started        process5 dnsIp6 35 66.85.185.120, 443, 49689, 49693 SSASN2US United States 12->35 31 C:\Users\user\Desktop\zIrRuc3bor.exe, data 12->31 dropped 33 C:\ProgramData\lauvhfdchyoek\jhakldcgpv.tmp, PE32 12->33 dropped 53 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 12->53 55 Bypasses PowerShell execution policy 12->55 17 rundll32.exe 10 23 12->17         started        file7 signatures8 process9 file10 29 C:\Users\user\AppData\...\tmp2F1E.tmp.ps1, ASCII 17->29 dropped 41 System process connects to network (likely due to code injection or exploit) 17->41 43 Tries to harvest and steal browser information (history, passwords, etc) 17->43 45 Sets a proxy for the internet explorer 17->45 47 Enables a proxy for the internet explorer 17->47 21 powershell.exe 17 17->21         started        23 powershell.exe 5 17->23         started        signatures11 process12 process13 25 conhost.exe 21->25         started        27 conhost.exe 23->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/36dbcbd2fd7ca9dce07e4fb345b4e2f08bc514a8ecd776a2212a3897e9e6ef55/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2021-06-17 16:03:44 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
29 of 46 (63.04%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g3n4xux5psu5zyd6j6zulnhc6cf4kffi5tlxnirbfi4jp2pg55kq._file
Verdict:
malicious
Similar samples:
26e4bbe3bdc2deb3142b952094d6bd3bb27ee0217d7a9b735a0cc2bbdf6bd9b4
DanaBot
2f780fc849c91fb3552908c9047e69cb5016ef154e6ca87ca412d79079eae85c
DanaBot
31273fa316dc1ee20fa52329d3283ae09f39238b74c90012366485b90bb037b0
DanaBot
4a79f527d403fdfec5bf88068a5ac86494395d0b735ac27741a4ff78b2434a55
DanaBot
5f8bbd5b165b49e1cadf31a88eb1d0e714c60f77ae81da2e727dd4ca99e80aec
DanaBot
b09f5ec9ca1a298cc48df6e146d6e1a8312123a04f5434c675ce94e54295446f
DanaBot
cd59f70eea8a47b46a830960b6dec4113835b44364d404ee4cd1b750964233c2
DanaBot
eb2f15018cb74ad0c97044c7687df83445d45d6752104b0cbc9fad9ed22813be
DanaBot
f279bd873b230e7a9743fd03d89b9dcee87d8f29152e234c8478bd578807ec74
DanaBot
ffa75b8f967bd35526e421be427fd7b9009fc7faba064454ba99228381ccc1ff
DanaBot
+ 2'027 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/210618-abl979l87e/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Unpacked files
SH256 hash:
1be3c07ea10ea68d76d1114da5c11315ea4cf2cb2b2b2e8856da920db29a7c82
MD5 hash:
2df1c7f999196f539ff7792b7668ab5e
SHA1 hash:
b87cbacbcc7d5e70deff142300240a9efd185ae4
Link:
https://www.unpac.me/results/50b03377-2690-4552-8c74-2ebc45de8d85/
SH256 hash:
ed566eafc9bed9dff3cad9a3c430f89c43bf08a8089a461efaf47deee2c7dbb7
MD5 hash:
2a43f5d1d2635eb1f4e6b9e5aabb2630
SHA1 hash:
11d8d99ab35f807c7737d918b6776d6f54ed85b2
Link:
https://www.unpac.me/results/50b03377-2690-4552-8c74-2ebc45de8d85/
SH256 hash:
36dbcbd2fd7ca9dce07e4fb345b4e2f08bc514a8ecd776a2212a3897e9e6ef55
MD5 hash:
d002fd64bfdd7944bfedf5f0bad651bd
SHA1 hash:
712d4e8b9a0eb6fa53ce554077880bdb479ddd87
Link:
https://www.unpac.me/results/50b03377-2690-4552-8c74-2ebc45de8d85/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/36dbcbd2fd7ca9dce07e4fb345b4e2f08bc514a8ecd776a2212a3897e9e6ef55

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 36dbcbd2fd7ca9dce07e4fb345b4e2f08bc514a8ecd776a2212a3897e9e6ef55

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1338483/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/166751/

Comments