MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4db07d251192c1ca332a5e38c759132aff1c6671aca84b2671a1084d4adf5a97. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4db07d251192c1ca332a5e38c759132aff1c6671aca84b2671a1084d4adf5a97
SHA3-384 hash: de826cb2590545d1ea37a79fff11cfb3d5875ab336ac1cb3fafe7f4c722496bcb34a6467919330c7c4056078c1532e20
SHA1 hash: 61da047f4ccc2b1e30fba419e50e159250f59481
MD5 hash: 9071fbda7b236b5c9a9d863ee4bfacbd
humanhash: crazy-table-nitrogen-sodium
File name:file
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'101'312 bytes
First seen:2022-12-28 01:03:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e9e79b553eadc083e1e9afe1573a5d2f (9 x Smoke Loader, 5 x RedLineStealer, 1 x DanaBot)
ssdeep 24576:MsyEoZhLmy2wdu43xCmGqLLh5PNHr33Xgqd2:/yfZhL/YyCmGqLLlrQA
Threatray 63 similar samples on MalwareBazaar
TLSH T1F935232066E1D6E1E625063D7C74D7D80F2BBC5B6EE0D1D62608361F2EF7488B95232B
TrID 39.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.5% (.SCR) Windows screen saver (13097/50/3)
13.3% (.EXE) Win64 Executable (generic) (10523/12/4)
8.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon fcfc949494949cc0 (14 x RedLineStealer, 13 x Smoke Loader, 3 x CoinMiner)
Reporter jstrosch
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
199
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-12-28 01:06:13 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/cff24da1-f082-4b1c-8522-88ff9de9b359

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Creating a window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending an HTTP GET request
Searching for the window
Сreating synchronization primitives
Sending a TCP request to an infection source
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63ab96070e926711fd751c20/reports/98f961c7-827a-42de-ab1d-b7d2b7d7a040/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6a22bc47-9dbc-4e21-95be-3e81ef4cd523
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1141845
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4db07d251192c1ca332a5e38c759132aff1c6671aca84b2671a1084d4adf5a97/
Threat name:
Win32.Trojan.MintZard
Create hunting rule
Status:
Malicious
First seen:
2022-12-28 01:04:14 UTC
File Type:
PE (Exe)
Extracted files:
80
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jwyh2jirsla4umzkly4mowitfl7ryztrvsuewjtrueee2sw7lklq._file
Verdict:
malicious
Similar samples:
025208b3d2dc191ade69d312f02ae794a9a1b03952e959d7031460aa0100d23c
DanaBot
29c8f4e86f33285254e07c7f513c4155a65bfb2c6e308e39b0d90f50fec40797
DanaBot
3f90b1365a96b6f621ee3010f110da568909bedaa96e735dc6ce211e1176f91a
DanaBot
48c4ac00c8bea03f17cea62ec021dcd3ddd50db8bb9c85ee0ffba68b970daf63
DanaBot
66444da71bdd7570977fc01f714dfebca04b9d0859af9eb178308f9d1fa31f98
DanaBot
6bcb3820bfc04a26be416d94d12312eac70f48dd6b354a3e9010606167198e5a
DanaBot
8310bdd07ed7c0d8a6dba680454829fba782bcf66042940f8275a0b02ca13415
DanaBot
a2322e86cae01329ae93947d554093b7254ef38f9febf4ac62efeefa8c2dc76d
DanaBot
b58d6ca8e7f73937790a1e4e2ef29835d3190e672f4225d06f3fcfc3c70035ad
DanaBot
ed0e71d2830dca4a177ca15f4201d3a7ce24e1c895bc1bc1473384798c0626df
DanaBot
+ 53 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection discovery persistence spyware stealer
Link:
https://tria.ge/reports/221228-beyn4scb4y/
Behaviour
Checks processor information in registry
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Sets DLL path for service in the registry
Sets service image path in registry
Unpacked files
SH256 hash:
2a2322636c56b3e42b4d44f423d185069563eb86ecf7d09788c63497dd33878c
MD5 hash:
7ae5a9833a18a2a50beb1a08b9efc8ac
SHA1 hash:
75e63b630331a37ba41c65db8e777cce9145d049
Link:
https://www.unpac.me/results/08f4d0f7-876b-4671-b069-81ba580df2bf/
SH256 hash:
4d10e8d9cd1b860d8f5bbae0befd82adf9faddd6914ae623e26600b095ab336e
MD5 hash:
26ec511b91e07abc8d96152826250dd9
SHA1 hash:
712471a997217adf70ddabe3fbb7f34effbc41c3
Link:
https://www.unpac.me/results/08f4d0f7-876b-4671-b069-81ba580df2bf/
SH256 hash:
4db07d251192c1ca332a5e38c759132aff1c6671aca84b2671a1084d4adf5a97
MD5 hash:
9071fbda7b236b5c9a9d863ee4bfacbd
SHA1 hash:
61da047f4ccc2b1e30fba419e50e159250f59481
Link:
https://www.unpac.me/results/08f4d0f7-876b-4671-b069-81ba580df2bf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4db07d251192c1ca332a5e38c759132aff1c6671aca84b2671a1084d4adf5a97

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 4db07d251192c1ca332a5e38c759132aff1c6671aca84b2671a1084d4adf5a97

(this sample)

  
Delivery method
Distributed via web download

Comments