MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e906e880e35e4bc0de7e9375fc0feb5757374ca0bb628dff6366174536d6183. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 17

Intelligence 17 IOCs 4 YARA 9 File information Comments

SHA256 hash:	4e906e880e35e4bc0de7e9375fc0feb5757374ca0bb628dff6366174536d6183
SHA3-384 hash:	ff71adbde33d509031141c124880ed3324d5e648eccc56869e6132f2d14639faeaaeace93a7456e7e2cb4f1e4e475a13
SHA1 hash:	e864b2d11a7c9c7497b22af930b31db1e2061244
MD5 hash:	43ec2649e1b173b6e8b3800e18cceeb4
humanhash:	hawaii-timing-west-arkansas
File name:	gfehgfwveg.exe
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	4'276'224 bytes
First seen:	2024-12-24 19:47:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	29e05b1fea10173c5bcc5ba6150988ec (5 x DanaBot)
ssdeep	98304:nNLjlVuxN0obg4MLp6bsYOYQyLmZwPoyAkDnZ:n5lVuxNvglisVyLZPJDnZ
TLSH	T19F16F122F64C667ED4AF0E395877B594583F77A1B99ADC1B47E0098CCE35880363A24F
TrID	58.3% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 14.7% (.EXE) Win64 Executable (generic) (10522/11/4) 9.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
Reporter	SquiblydooBlog
Tags:	DanaBot exe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
34.34.145.103:443	https://threatfox.abuse.ch/ioc/1359520/
34.83.67.185:443	https://threatfox.abuse.ch/ioc/1359521/
34.169.99.17:443	https://threatfox.abuse.ch/ioc/1359522/
35.195.45.98:443	https://threatfox.abuse.ch/ioc/1359523/

Intelligence

File Origin

# of uploads :

# of downloads :

589

Origin country :

Vendor Threat Intelligence

Malware family:

danabot

ID:

File name:

gfehgfwveg.exe

Verdict:

Malicious activity

Analysis date:

2024-12-24 19:48:29 UTC

Tags:

danabot stealer danabot-unpacked

Link:

https://app.any.run/tasks/b0ef34d8-a5d9-4cb5-942e-cf7c015c23df

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Variant.Barys.390454.16057.508.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=676b0ff475bf3268d2fe4783

Tags:

danabot emotet

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for synchronization primitives

Сreating synchronization primitives

Running batch commands

Launching a process

Creating a window

Connection attempt

Sending a custom TCP request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

cmd embarcadero_delphi fingerprint lolbin packed packed packer_detected wmic

Link:

https://www.filescan.io/uploads/676b0ff5dfd3fc9d65a01575/reports/033ef996-81b3-4ca4-89ed-25a0ade4e769/overview

Verdict:

Malicious

Labled as:

Barys.Generic

Link:

https://www.hybrid-analysis.com/sample/4e906e880e35e4bc0de7e9375fc0feb5757374ca0bb628dff6366174536d6183

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

DanaBot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/524a5b84-54b7-4fc2-96c1-df33e6120414

Result

Threat name:

DanaBot

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1580519

Signature

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

May use the Tor software to hide its network traffic

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Suricata IDS alerts for network traffic

Yara detected DanaBot stealer dll

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/4e906e880e35e4bc0de7e9375fc0feb5757374ca0bb628dff6366174536d6183

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4e906e880e35e4bc0de7e9375fc0feb5757374ca0bb628dff6366174536d6183/

Threat name:

Win32.Trojan.Danabot

Status:

Malicious

First seen:

2024-12-24 19:48:06 UTC

File Type:

PE (Exe)

AV detection:

26 of 38 (68.42%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=j2ig5caogxslydph5e3v7qh6wv2xg5gkbo3crx7wgzqxiu3nmgbq._file

Verdict:

malicious

Label(s):

danabot

Similar samples:

error

DanaBot

Result

Malware family:

n/a

Score:

8/10

Tags:

collection credential_access discovery spyware stealer

Link:

https://tria.ge/reports/241224-yh35bsvqgx/

Behaviour

Checks processor information in registry

Modifies registry class

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook accounts

Accesses Microsoft Outlook profiles

Checks installed software on the system

Enumerates connected drives

Loads dropped DLL

Reads WinSCP keys stored on the system

Reads user/profile data of web browsers

Uses browser remote debugging

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/b9d78593-1232-4b21-bcb2-0c0bf90071e5

Unpacked files

SH256 hash:

eae7d6c05fb4646c1bdad34eae9d7abd989867335abfec3d221b12007ee581b2

MD5 hash:

e73f2cbc4c1b7cac9faf870bedee0d7f

SHA1 hash:

4b694292e28c49b2e555e51f4172381a2d80492c

Detections:

Danabot

DanaBot

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

INDICATOR_SUSPICIOUS_GENInfoStealer

INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

Link:

https://www.unpac.me/results/5c537721-5c7e-455e-bb76-2efa9dc9d963/

SH256 hash:

4e906e880e35e4bc0de7e9375fc0feb5757374ca0bb628dff6366174536d6183

MD5 hash:

43ec2649e1b173b6e8b3800e18cceeb4

SHA1 hash:

e864b2d11a7c9c7497b22af930b31db1e2061244

Link:

https://www.unpac.me/results/5c537721-5c7e-455e-bb76-2efa9dc9d963/

Malware family:

CryptBot.v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4e906e880e35/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4e906e880e35e4bc0de7e9375fc0feb5757374ca0bb628dff6366174536d6183

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	RansomPyShield_Antiransomware Create hunting rule
Author:	XiAnzheng
Description:	Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	Windows_Generic_Threat_d7e5ec2d Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance
MULTIMEDIA_API	Can Play Multimedia	winmm.dll::waveOutGetVolume
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CreateProcessW kernel32.dll::CloseHandle kernel32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryExW kernel32.dll::LoadLibraryA kernel32.dll::LoadLibraryW kernel32.dll::GetDriveTypeW kernel32.dll::GetVolumeInformationW kernel32.dll::GetSystemInfo
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateDirectoryW kernel32.dll::CreateFileMappingW kernel32.dll::CreateFileW kernel32.dll::GetFileAttributesW kernel32.dll::FindFirstFileW version.dll::GetFileVersionInfoSizeW
WIN_BASE_USER_API	Retrieves Account Information	kernel32.dll::QueryDosDeviceW
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExW advapi32.dll::RegQueryValueExW
WIN_USER_API	Performs GUI Actions	user32.dll::PeekMessageW user32.dll::CreateWindowExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample