MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 529041b4abb84d9d85f97eb0a6fa6e26a5bf8c9f900316430134df6ce7a5a6ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 529041b4abb84d9d85f97eb0a6fa6e26a5bf8c9f900316430134df6ce7a5a6ff
SHA3-384 hash: deaa618521b7f9454a156a364b1b29e1b72f86bd18a52355d7247942aafbaf5833c1c74e6c1e84315287eb421f3ae1e0
SHA1 hash: 123e6c456c23769d7ca4fd3c628ec5dbb8bf1794
MD5 hash: 99a13c2b237deb6922cf6695bd9a82aa
humanhash: white-oranges-south-nitrogen
File name:99a13c2b237deb6922cf6695bd9a82aa
Download: download sample
Signature DanaBot
Create hunting rule
File size:3'656'704 bytes
First seen:2023-05-10 06:29:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6847c4a23533c8db62ddf8eb8d214ba0 (2 x UACModuleSmokeLoader, 2 x Amadey, 1 x DanaBot)
ssdeep 49152:pu6ZVMAqGSmeuWqtJEj8tuyrnudsrdw6G/kB8fjxAV/xYnb7eWq+6nNEg7L1:ucPM8tuinPr58y8fVAVZYnb8+4L1
TLSH T1C706231362E57C10E61B4A719D1E85F8375DF6B18F6937AF32489B2F09F21A2C262F14
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0020c03094422100 (1 x DanaBot)
Reporter zbetcheckin
Tags:32 DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
327
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
danabot
Create hunting rule
ID:
1
File name:
99a13c2b237deb6922cf6695bd9a82aa
Verdict:
Malicious activity
Analysis date:
2023-05-10 06:31:43 UTC
Tags:
danabot stealer
Link:
https://app.any.run/tasks/8a43e437-1cdd-405b-bdaf-e5d88d615785

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/388026/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.3104.2065.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/645b39ec03238d4c41f2273f/reports/9fd0a2b9-9c35-4749-b9dc-f280287f0729/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/529041b4abb84d9d85f97eb0a6fa6e26a5bf8c9f900316430134df6ce7a5a6ff
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ba44e470-7144-4dbc-8ad9-aa557bb01df6
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1229757
Signature
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/529041b4abb84d9d85f97eb0a6fa6e26a5bf8c9f900316430134df6ce7a5a6ff/
Threat name:
Win32.Trojan.Lockbit
Create hunting rule
Status:
Malicious
First seen:
2023-05-10 06:30:14 UTC
File Type:
PE (Exe)
Extracted files:
67
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kkiednflxbgz3bpzp2ykn6toe2s37de7sabrmqybgtpwzz5fu37q._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/230510-g9glzage4v/
Behaviour
Checks processor information in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Blocklisted process makes network request
Unpacked files
SH256 hash:
bb5b617cf638914bf2515aed09eee2c5bb336f300bc663cc2c26d66b0e5196e2
MD5 hash:
1d9e9234c375b27c83b1018e6a3c377c
SHA1 hash:
751c22dc628f8761079b1421380a2b565c2a1f74
Link:
https://www.unpac.me/results/ea258af4-6467-4296-acee-b54d95e35259/
SH256 hash:
69bd1a178cdbb00b7be51478f27af04a3601ff5db6e8bfabe2897314ace36b84
MD5 hash:
2126b312e0a1d2d736784d78d5a3034a
SHA1 hash:
5d053bf2bc0feb9a8f296a7a0f9093f1679aeeb8
Link:
https://www.unpac.me/results/ea258af4-6467-4296-acee-b54d95e35259/
SH256 hash:
529041b4abb84d9d85f97eb0a6fa6e26a5bf8c9f900316430134df6ce7a5a6ff
MD5 hash:
99a13c2b237deb6922cf6695bd9a82aa
SHA1 hash:
123e6c456c23769d7ca4fd3c628ec5dbb8bf1794
Link:
https://www.unpac.me/results/ea258af4-6467-4296-acee-b54d95e35259/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 529041b4abb84d9d85f97eb0a6fa6e26a5bf8c9f900316430134df6ce7a5a6ff

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/388026/
  
URLhaus
https://urlhaus.abuse.ch/url/2628122/

Comments


Avatar
zbet commented on 2023-05-10 06:29:05 UTC

url : hxxp://146.19.173.221/file24si.exe