MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e92875fda924c97345692089644a87181ea46401d8249639f30eff2970d4f45. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4e92875fda924c97345692089644a87181ea46401d8249639f30eff2970d4f45
SHA3-384 hash: adfce39167566fb496e1e0166a87d63aa1391c7c960e54c26e31109fb502651fa4f86130ca5106270cc31b2f03593e2e
SHA1 hash: a7267ad7f9af0e0e01b68af5a490992b254d8b37
MD5 hash: b72aecd7f4a7c92d20e50edd10c1238d
humanhash: nebraska-whiskey-table-carpet
File name:b72aecd7f4a7c92d20e50edd10c1238d.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:6'995'456 bytes
First seen:2022-12-31 10:34:50 UTC
Last seen:2022-12-31 12:41:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6284c4b90a3896aeed21c8fb6f2d08e3 (1 x DanaBot)
ssdeep 196608:I7NHFqT3j2VNVeUhB/+T95slc/qYGCm+8Idxrv:I7x4T3jIW5sKfxmtIPr
Threatray 1'494 similar samples on MalwareBazaar
TLSH T1E46633053790C6A1E4474976F08EE3E2789EE864CF96F6172424F77A1BF24F20D26366
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9a9ecedecee6eeee (52 x Smoke Loader, 19 x RedLineStealer, 14 x Amadey)
Reporter abuse_ch
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
199
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b72aecd7f4a7c92d20e50edd10c1238d.exe
Verdict:
Malicious activity
Analysis date:
2022-12-31 10:36:46 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/1d12cf00-69f2-4d6f-bd4e-5c9ed65703f5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Heur.Mint.Zard.53.32695.15971.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Changing a file
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Creating a process with a hidden window
Searching for many windows
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
anti-vm greyware packed
Link:
https://www.filescan.io/uploads/63b0105c40e878e3042186ff/reports/f7c292a8-5ccc-4693-965d-9de86a3bee3e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ef7ce1f7-1f95-4144-8828-65b1743e6dcf
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad.phis.spyw.expl
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1143498
Signature
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May use the Tor software to hide its network traffic
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DanaBot stealer dll
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 776228 Sample: K0XDClG0A2.exe Startdate: 31/12/2022 Architecture: WINDOWS Score: 100 51 clients2.google.com 2->51 53 clients.l.google.com 2->53 55 accounts.google.com 2->55 71 Malicious sample detected (through community Yara rule) 2->71 73 Multi AV Scanner detection for submitted file 2->73 75 Yara detected UAC Bypass using CMSTP 2->75 77 3 other signatures 2->77 10 K0XDClG0A2.exe 5 2->10         started        signatures3 process4 file5 47 C:\Users\user\AppData\...\Otfhfhweptay.tmp, DOS 10->47 dropped 49 C:\Users\user\AppData\...\Otfhfhweptay.exe, PE32 10->49 dropped 13 rundll32.exe 8 24 10->13         started        17 Otfhfhweptay.exe 10->17         started        19 WerFault.exe 10->19         started        process6 dnsIp7 65 66.85.173.3, 443, 65129 SSASN2US United States 13->65 67 104.168.149.16, 443, 65131 HOSTWINDSUS United States 13->67 69 4 other IPs or domains 13->69 81 System process connects to network (likely due to code injection or exploit) 13->81 83 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 13->83 85 Tries to steal Instant Messenger accounts or passwords 13->85 91 3 other signatures 13->91 22 schtasks.exe 13->22         started        24 schtasks.exe 13->24         started        26 rundll32.exe 13->26         started        87 Multi AV Scanner detection for dropped file 17->87 89 Machine Learning detection for dropped file 17->89 28 notepad.exe 17->28         started        31 WerFault.exe 21 16 17->31         started        45 C:\ProgramData\Microsoft\...\Report.wer, Unicode 19->45 dropped file8 signatures9 process10 signatures11 33 conhost.exe 22->33         started        35 conhost.exe 24->35         started        79 Hides threads from debuggers 28->79 37 chrome.exe 7 3 28->37         started        process12 dnsIp13 57 192.168.11.1 unknown unknown 37->57 59 239.255.255.250, 1900 unknown Reserved 37->59 40 chrome.exe 37->40         started        43 WerFault.exe 16 37->43         started        process14 dnsIp15 61 clients.l.google.com 142.250.186.110, 443, 55550 GOOGLEUS United States 40->61 63 accounts.google.com 142.250.186.77, 443, 57597 GOOGLEUS United States 40->63
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4e92875fda924c97345692089644a87181ea46401d8249639f30eff2970d4f45/
Threat name:
Win32.Trojan.MintZard
Create hunting rule
Status:
Malicious
First seen:
2022-12-31 10:29:30 UTC
File Type:
PE (Exe)
Extracted files:
71
AV detection:
18 of 40 (45.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j2jiox62sjgjoncwsiejmrfioga6ursadwbesy47gdx7ffynj5cq._file
Verdict:
malicious
Similar samples:
0f295d377540773127f73cf21c555c0358b8e28d8e74307535dd41839bf78f2b
DanaBot
1f984f06dd4dba858766fd2e8d81877e9738f8b9dc6706ce69b7b6e596c466d6
DanaBot
728ebb1ea9bfd9b3c3e6d904a85c10c309d2609defce00f10a4866b7a16116d1
DanaBot
804a0999f1e0c5a8e083f0a36ccfe7ad8a6ab94a0c77d6ab74175540c990f95e
DanaBot
81dda2ffa7d1039d3b745540573c6e8c728584d536a449f5baa031fb40fc065d
DanaBot
8f6df7df63e769169784c8909e9138c0aa632cc23a24ecb61496fa152230ae07
DanaBot
b23e219ee4998ff38b9d571f5a4ff3bf7702d509bce4c910708b3d78956367c1
DanaBot
b97b6e16154d9e6fc147031cd3308333a6ae7345a5bc9d2040e5f5abff5d7e8d
DanaBot
c3830943b84d673605e51fa61c410f0ad90a9cc0e2eb0add0609bbb11d2ce16b
DanaBot
+ 1'484 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection discovery spyware stealer
Link:
https://tria.ge/reports/221231-mmn1escg2y/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/621a77eb-b152-4f4b-999f-79caa8a152c4
Unpacked files
SH256 hash:
fc180d57b1325d37d55177cc3c001f4ce37afe840436cf04d90d5dac232b52cb
MD5 hash:
e2631f92d83e6961f959767726372767
SHA1 hash:
5d8900b7d493f067ad0027c10b29ac468784c481
Link:
https://www.unpac.me/results/ed3dacac-ba34-4e15-91eb-163d7f182f5a/
SH256 hash:
a0ec4aad9281bd056de9b24d97ca29ce2ae9fdf41cb73e14bc2cd37c85ba7a2b
MD5 hash:
05313858681c62bd3e9a07736b83b481
SHA1 hash:
d052740d5c6a328b79538802380382f01df114e8
Detections:
win_sinowal_w1
Create hunting rule
Link:
https://www.unpac.me/results/ed3dacac-ba34-4e15-91eb-163d7f182f5a/
Parent samples :
4e92875fda924c97345692089644a87181ea46401d8249639f30eff2970d4f45
5bf63fb0014e66cda124ae8d9a2275e8a1c98704e8885c4aadadf74fdb162920
51c7f3e3637dfe07b6b51c46947926a2b6b44dcc81c7d6f783c94b49f2b12113
SH256 hash:
366ee3319c995b995fcfcc3f2228a18a09d0461a94964b4b4ad9a89dcbf669f4
MD5 hash:
ff6a5732355485b459248f586c2b6945
SHA1 hash:
07da3f03ef18e2eaddfceb050b68e93fd533f7a3
Link:
https://www.unpac.me/results/ed3dacac-ba34-4e15-91eb-163d7f182f5a/
SH256 hash:
61cd01c9b49f419fc7735413f0bc75ce9f49472517d11a272d2de5a746d866ec
MD5 hash:
4be03ece98dae87458118dcac2d98528
SHA1 hash:
08c65c05c85ef3c0781e24a8aebe26e1426b2ac0
Link:
https://www.unpac.me/results/ed3dacac-ba34-4e15-91eb-163d7f182f5a/
SH256 hash:
b08f788107999bf0255a9e93eee3b984ae10ba07af35a55bb8eb4f66183751a2
MD5 hash:
d4b800721231575be94d3541e2401dda
SHA1 hash:
f13e204cae8dfda401b409ab6e1ec79e269fbc69
Link:
https://www.unpac.me/results/ed3dacac-ba34-4e15-91eb-163d7f182f5a/
SH256 hash:
4e92875fda924c97345692089644a87181ea46401d8249639f30eff2970d4f45
MD5 hash:
b72aecd7f4a7c92d20e50edd10c1238d
SHA1 hash:
a7267ad7f9af0e0e01b68af5a490992b254d8b37
Link:
https://www.unpac.me/results/ed3dacac-ba34-4e15-91eb-163d7f182f5a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4e92875fda92/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4e92875fda924c97345692089644a87181ea46401d8249639f30eff2970d4f45

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments