MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3af27ce24861a032e7437eaf39c59930c950dd1aabb371c1e9c0ff4bbbd0ae0f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3af27ce24861a032e7437eaf39c59930c950dd1aabb371c1e9c0ff4bbbd0ae0f
SHA3-384 hash: ad59ad69159cec38a43bf76693bc5b4f5badc3709b381e6ee8c2eaeae8b1c4d39aef4dfbee217fc2bdb7f47907b583e9
SHA1 hash: 03b22ecd2ee36a4e859115e386436e517629f1c5
MD5 hash: a7fbb126328fde8a264ecb9106468c30
humanhash: victor-cardinal-winner-grey
File name:a7fbb126328fde8a264ecb9106468c30
Download: download sample
Signature DanaBot
Create hunting rule
File size:7'003'136 bytes
First seen:2022-12-31 11:00:59 UTC
Last seen:2022-12-31 12:41:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a8a37b9dbba75dee024eac98b7bda623 (2 x DanaBot, 2 x RedLineStealer)
ssdeep 196608:V2JWNoAm1p9S91T3XwRoyXP5Dyeoc6V1AQr:V24o917CXwRJr36VmQ
Threatray 1'495 similar samples on MalwareBazaar
TLSH T1D3663335BCA8D439CE155576CB20D0EB074E7D326CB7121BF1653A1FAA3B2DA05E821E
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9a9ecedecee6eee6 (44 x Smoke Loader, 18 x RedLineStealer, 13 x Tofsee)
Reporter zbetcheckin
Tags:32 DanaBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
209
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a7fbb126328fde8a264ecb9106468c30
Verdict:
Malicious activity
Analysis date:
2022-12-31 11:04:18 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/e887e8ee-8061-4abe-a54b-eb049effb7e5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Heur.Mint.Zard.52.25286.2324.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Changing a file
Creating a file in the %temp% directory
Launching the default Windows debugger (dwwin.exe)
Creating a process from a recently created file
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm greyware lockbit packed
Link:
https://www.filescan.io/uploads/63b016700e926711fd75fbb8/reports/dbb5a64e-825a-4631-9edf-c0551eea7bda/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dfee2db2-676b-4dca-8f47-529ce47168b1
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad.phis.spyw.expl
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1143520
Signature
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May use the Tor software to hide its network traffic
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DanaBot stealer dll
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 776250 Sample: o74gtZ1whC.exe Startdate: 31/12/2022 Architecture: WINDOWS Score: 100 61 clients2.google.com 2->61 63 clients.l.google.com 2->63 65 accounts.google.com 2->65 81 Malicious sample detected (through community Yara rule) 2->81 83 Multi AV Scanner detection for submitted file 2->83 85 Yara detected UAC Bypass using CMSTP 2->85 87 3 other signatures 2->87 10 o74gtZ1whC.exe 5 2->10         started        signatures3 process4 file5 57 C:\Users\user\AppData\...\Otfhfhweptay.tmp, DOS 10->57 dropped 59 C:\Users\user\AppData\...\Otfhfhweptay.exe, PE32 10->59 dropped 13 rundll32.exe 10->13         started        17 Otfhfhweptay.exe 10->17         started        19 WerFault.exe 16 10->19         started        22 6 other processes 10->22 process6 dnsIp7 75 142.205.255.6, 443, 55624 TDBANKCA Canada 13->75 77 66.85.173.3, 443, 55606 SSASN2US United States 13->77 79 5 other IPs or domains 13->79 89 System process connects to network (likely due to code injection or exploit) 13->89 91 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 13->91 93 Tries to steal Instant Messenger accounts or passwords 13->93 99 3 other signatures 13->99 24 schtasks.exe 13->24         started        26 schtasks.exe 13->26         started        28 rundll32.exe 13->28         started        95 Multi AV Scanner detection for dropped file 17->95 97 Machine Learning detection for dropped file 17->97 30 notepad.exe 17->30         started        33 WerFault.exe 17->33         started        47 C:\ProgramData\Microsoft\...\Report.wer, Unicode 19->47 dropped 49 C:\ProgramData\Microsoft\...\Report.wer, Unicode 22->49 dropped 51 C:\ProgramData\Microsoft\...\Report.wer, Unicode 22->51 dropped 53 C:\ProgramData\Microsoft\...\Report.wer, Unicode 22->53 dropped 55 3 other malicious files 22->55 dropped file8 signatures9 process10 signatures11 35 conhost.exe 24->35         started        37 conhost.exe 26->37         started        101 Hides threads from debuggers 30->101 39 chrome.exe 30->39         started        process12 dnsIp13 67 192.168.11.1 unknown unknown 39->67 69 239.255.255.250, 1900 unknown Reserved 39->69 42 chrome.exe 39->42         started        45 WerFault.exe 39->45         started        process14 dnsIp15 71 clients.l.google.com 172.217.16.206, 443, 55587 GOOGLEUS United States 42->71 73 accounts.google.com 172.217.18.13, 443, 49932 GOOGLEUS United States 42->73
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3af27ce24861a032e7437eaf39c59930c950dd1aabb371c1e9c0ff4bbbd0ae0f/
Threat name:
Win32.Trojan.MintZard
Create hunting rule
Status:
Malicious
First seen:
2022-12-31 11:01:17 UTC
File Type:
PE (Exe)
Extracted files:
77
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hlzhzysimgqdfz2dp2xttrmzgdevbxi2vozxdqpjyd7uxo6qvyhq._file
Verdict:
malicious
Similar samples:
1f984f06dd4dba858766fd2e8d81877e9738f8b9dc6706ce69b7b6e596c466d6
DanaBot
4e92875fda924c97345692089644a87181ea46401d8249639f30eff2970d4f45
DanaBot
728ebb1ea9bfd9b3c3e6d904a85c10c309d2609defce00f10a4866b7a16116d1
DanaBot
804a0999f1e0c5a8e083f0a36ccfe7ad8a6ab94a0c77d6ab74175540c990f95e
DanaBot
81dda2ffa7d1039d3b745540573c6e8c728584d536a449f5baa031fb40fc065d
DanaBot
8f6df7df63e769169784c8909e9138c0aa632cc23a24ecb61496fa152230ae07
DanaBot
b23e219ee4998ff38b9d571f5a4ff3bf7702d509bce4c910708b3d78956367c1
DanaBot
b97b6e16154d9e6fc147031cd3308333a6ae7345a5bc9d2040e5f5abff5d7e8d
DanaBot
c3830943b84d673605e51fa61c410f0ad90a9cc0e2eb0add0609bbb11d2ce16b
DanaBot
+ 1'485 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/221231-m4j3sscg4y/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9f3fb0bd-caae-4015-9fc0-182a681c7a30
Unpacked files
SH256 hash:
3eee07804b6d009f50415a12c1da67c92c52cec003f1b2c9cda0efe0a7212e01
MD5 hash:
3e53e6e72a16e13d3ea194325c7e5aba
SHA1 hash:
6e148a286d2afeedcda1ed943c581944ab69ab00
Link:
https://www.unpac.me/results/b24bca3a-18e6-4810-ba0f-ed281ca86086/
SH256 hash:
3af27ce24861a032e7437eaf39c59930c950dd1aabb371c1e9c0ff4bbbd0ae0f
MD5 hash:
a7fbb126328fde8a264ecb9106468c30
SHA1 hash:
03b22ecd2ee36a4e859115e386436e517629f1c5
Link:
https://www.unpac.me/results/b24bca3a-18e6-4810-ba0f-ed281ca86086/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3af27ce24861/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3af27ce24861a032e7437eaf39c59930c950dd1aabb371c1e9c0ff4bbbd0ae0f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 3af27ce24861a032e7437eaf39c59930c950dd1aabb371c1e9c0ff4bbbd0ae0f

(this sample)

  
Delivery method
Distributed via web download

Comments


Avatar
zbet commented on 2022-12-31 11:01:08 UTC

url : hxxp://194.135.33.239/politico.exe