MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51c7f3e3637dfe07b6b51c46947926a2b6b44dcc81c7d6f783c94b49f2b12113. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 51c7f3e3637dfe07b6b51c46947926a2b6b44dcc81c7d6f783c94b49f2b12113
SHA3-384 hash: 1cd87fee5d91e6348f081990eb1796f9f8095e98f06204b2c261fe55d2a1f399e806791772e50b67dc620ba38201cd06
SHA1 hash: ac978c8847c475119cba15d54171120f3e331dfa
MD5 hash: dd9533ced5b0e6c0db784b7652348b58
humanhash: idaho-december-two-echo
File name:dd9533ced5b0e6c0db784b7652348b58.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:7'003'648 bytes
First seen:2022-12-31 16:22:24 UTC
Last seen:2022-12-31 17:29:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b77f5f95921581f0c07e376a05ea1569 (1 x DanaBot)
ssdeep 196608:rMGq5vs+qcQXrwxlYBJU8z4aV9SUg93/:rMGq5kZcjxlYX4ESUg93
Threatray 1'497 similar samples on MalwareBazaar
TLSH T17F6633706991A1A0E53549318D0A2BF4503BFD325CB37F12F3A4290B9E7B34E69E857E
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9a9ecedecee6eeee (52 x Smoke Loader, 19 x RedLineStealer, 14 x Amadey)
Reporter abuse_ch
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
197
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
dd9533ced5b0e6c0db784b7652348b58.exe
Verdict:
Malicious activity
Analysis date:
2022-12-31 16:23:28 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/eff20e02-c50f-4a0b-8089-7de5db3c9e21

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Heur.Mint.Zard.52.20646.1326.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Changing a file
Creating a file in the %temp% directory
Launching the default Windows debugger (dwwin.exe)
Creating a process from a recently created file
Launching a process
Creating a process with a hidden window
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
anti-vm greyware packed
Link:
https://www.filescan.io/uploads/63b061ea40e878e3042192f5/reports/cb0d7aaf-63e1-4bce-8dab-29d59d7fed06/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8b39cac3-6c44-4782-8e43-b257564af7c6
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad.phis.spyw.expl
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1143600
Signature
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May use the Tor software to hide its network traffic
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DanaBot stealer dll
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 776330 Sample: 4ICuD7jDWy.exe Startdate: 31/12/2022 Architecture: WINDOWS Score: 100 61 clients2.google.com 2->61 63 clients.l.google.com 2->63 65 accounts.google.com 2->65 81 Malicious sample detected (through community Yara rule) 2->81 83 Multi AV Scanner detection for submitted file 2->83 85 Yara detected UAC Bypass using CMSTP 2->85 87 3 other signatures 2->87 10 4ICuD7jDWy.exe 5 2->10         started        signatures3 process4 file5 57 C:\Users\user\AppData\...\Otfhfhweptay.tmp, DOS 10->57 dropped 59 C:\Users\user\AppData\...\Otfhfhweptay.exe, PE32 10->59 dropped 13 rundll32.exe 8 24 10->13         started        17 Otfhfhweptay.exe 10->17         started        19 WerFault.exe 16 10->19         started        22 6 other processes 10->22 process6 dnsIp7 75 66.85.173.3, 443, 56320 SSASN2US United States 13->75 77 4.84.232.35, 443, 56323 LEVEL3US United States 13->77 79 5 other IPs or domains 13->79 89 System process connects to network (likely due to code injection or exploit) 13->89 91 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 13->91 93 Tries to steal Instant Messenger accounts or passwords 13->93 99 3 other signatures 13->99 24 schtasks.exe 13->24         started        26 schtasks.exe 13->26         started        28 rundll32.exe 13->28         started        95 Multi AV Scanner detection for dropped file 17->95 97 Machine Learning detection for dropped file 17->97 30 notepad.exe 17->30         started        33 WerFault.exe 17->33         started        47 C:\ProgramData\Microsoft\...\Report.wer, Unicode 19->47 dropped 49 C:\ProgramData\Microsoft\...\Report.wer, Unicode 22->49 dropped 51 C:\ProgramData\Microsoft\...\Report.wer, Unicode 22->51 dropped 53 C:\ProgramData\Microsoft\...\Report.wer, Unicode 22->53 dropped 55 3 other malicious files 22->55 dropped file8 signatures9 process10 signatures11 35 conhost.exe 24->35         started        37 conhost.exe 26->37         started        101 Hides threads from debuggers 30->101 39 chrome.exe 30->39         started        process12 dnsIp13 67 192.168.11.1 unknown unknown 39->67 69 239.255.255.250, 1900 unknown Reserved 39->69 42 chrome.exe 39->42         started        45 WerFault.exe 39->45         started        process14 dnsIp15 71 accounts.google.com 142.250.186.45, 443, 56926 GOOGLEUS United States 42->71 73 clients.l.google.com 172.217.18.14, 443, 58893 GOOGLEUS United States 42->73
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/51c7f3e3637dfe07b6b51c46947926a2b6b44dcc81c7d6f783c94b49f2b12113/
Threat name:
Win32.Trojan.MintZard
Create hunting rule
Status:
Malicious
First seen:
2022-12-31 12:23:58 UTC
File Type:
PE (Exe)
Extracted files:
77
AV detection:
20 of 39 (51.28%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=khd7hy3dpx7apnvvdrdji6jguk3litomqhd5n54dzffut4vreejq._file
Verdict:
malicious
Similar samples:
1f984f06dd4dba858766fd2e8d81877e9738f8b9dc6706ce69b7b6e596c466d6
DanaBot
3af27ce24861a032e7437eaf39c59930c950dd1aabb371c1e9c0ff4bbbd0ae0f
DanaBot
4e92875fda924c97345692089644a87181ea46401d8249639f30eff2970d4f45
DanaBot
5bf63fb0014e66cda124ae8d9a2275e8a1c98704e8885c4aadadf74fdb162920
DanaBot
728ebb1ea9bfd9b3c3e6d904a85c10c309d2609defce00f10a4866b7a16116d1
DanaBot
81dda2ffa7d1039d3b745540573c6e8c728584d536a449f5baa031fb40fc065d
DanaBot
8f6df7df63e769169784c8909e9138c0aa632cc23a24ecb61496fa152230ae07
DanaBot
b97b6e16154d9e6fc147031cd3308333a6ae7345a5bc9d2040e5f5abff5d7e8d
DanaBot
c3830943b84d673605e51fa61c410f0ad90a9cc0e2eb0add0609bbb11d2ce16b
DanaBot
+ 1'487 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/221231-tvsrxahh78/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Gathering data
Unpacked files
SH256 hash:
fc180d57b1325d37d55177cc3c001f4ce37afe840436cf04d90d5dac232b52cb
MD5 hash:
e2631f92d83e6961f959767726372767
SHA1 hash:
5d8900b7d493f067ad0027c10b29ac468784c481
Link:
https://www.unpac.me/results/ef8a3777-2dff-4a06-9c63-7e96df576a3b/
SH256 hash:
a0ec4aad9281bd056de9b24d97ca29ce2ae9fdf41cb73e14bc2cd37c85ba7a2b
MD5 hash:
05313858681c62bd3e9a07736b83b481
SHA1 hash:
d052740d5c6a328b79538802380382f01df114e8
Detections:
win_sinowal_w1
Create hunting rule
Link:
https://www.unpac.me/results/ef8a3777-2dff-4a06-9c63-7e96df576a3b/
Parent samples :
4e92875fda924c97345692089644a87181ea46401d8249639f30eff2970d4f45
5bf63fb0014e66cda124ae8d9a2275e8a1c98704e8885c4aadadf74fdb162920
51c7f3e3637dfe07b6b51c46947926a2b6b44dcc81c7d6f783c94b49f2b12113
SH256 hash:
366ee3319c995b995fcfcc3f2228a18a09d0461a94964b4b4ad9a89dcbf669f4
MD5 hash:
ff6a5732355485b459248f586c2b6945
SHA1 hash:
07da3f03ef18e2eaddfceb050b68e93fd533f7a3
Link:
https://www.unpac.me/results/ef8a3777-2dff-4a06-9c63-7e96df576a3b/
SH256 hash:
61cd01c9b49f419fc7735413f0bc75ce9f49472517d11a272d2de5a746d866ec
MD5 hash:
4be03ece98dae87458118dcac2d98528
SHA1 hash:
08c65c05c85ef3c0781e24a8aebe26e1426b2ac0
Link:
https://www.unpac.me/results/ef8a3777-2dff-4a06-9c63-7e96df576a3b/
SH256 hash:
dc5950e013b7ac024fb949f008bb6bcb8a9293d92246367c4b019e214fd14112
MD5 hash:
c484448eabefbd34b7571a6c8fb036eb
SHA1 hash:
5ea1c54b1c361347ed0d62def7bd38b76b9f4b1a
Link:
https://www.unpac.me/results/ef8a3777-2dff-4a06-9c63-7e96df576a3b/
SH256 hash:
51c7f3e3637dfe07b6b51c46947926a2b6b44dcc81c7d6f783c94b49f2b12113
MD5 hash:
dd9533ced5b0e6c0db784b7652348b58
SHA1 hash:
ac978c8847c475119cba15d54171120f3e331dfa
Link:
https://www.unpac.me/results/ef8a3777-2dff-4a06-9c63-7e96df576a3b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/51c7f3e3637d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/51c7f3e3637dfe07b6b51c46947926a2b6b44dcc81c7d6f783c94b49f2b12113

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 51c7f3e3637dfe07b6b51c46947926a2b6b44dcc81c7d6f783c94b49f2b12113

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2492427/
  
Delivery method
Distributed via web download

Comments