MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 532e3e9ec546f0030d3fef0bddc224f868c55bb00d1914cdb7157a3e74f5bd28. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	532e3e9ec546f0030d3fef0bddc224f868c55bb00d1914cdb7157a3e74f5bd28
SHA3-384 hash:	6a083c75e3f5172e9ebc3a53166fd3450392051832f86d9b7af54642488a996f2b5316571442ec0a8da86db1db3f62f2
SHA1 hash:	5aa68ba69c391a3bcc93e88378a4e4818a2a9181
MD5 hash:	2a597d25bbecfca9550df0d6f48bcafb
humanhash:	pasta-beryllium-minnesota-west
File name:	kde.exe
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	1'235'968 bytes
First seen:	2022-02-25 02:35:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	bb691abe2029e4024abbec6edd66f52e (1 x DanaBot, 1 x Smoke Loader)
ssdeep	24576:XPT/TXZ/ngay5PIhCPgI65AzwWK1fraAhdDRjH2Msfwpu:TTpgICiuGfrn7DRjWMVu
Threatray	9'549 similar samples on MalwareBazaar
TLSH	T169451210A792C038E4B756F8897A83A9B92E7DB25B6451C772D426EB57383E0EC31317
File icon (PE):
dhash icon	2dac1378399b9b91 (35 x Smoke Loader, 34 x RedLineStealer, 18 x Amadey)
Reporter	adm1n_usa32
Tags:	DanaBot exe

Intelligence

File Origin

# of uploads :

# of downloads :

534

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

kde.exe

Verdict:

Suspicious activity

Analysis date:

2022-02-25 02:34:13 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/24b47fa8-053e-45cd-bde6-bbacf571feef

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/244571/

Detection(s):

Win.Trojan.Generic-9909719-0

Win.Dropper.Generickdz-9939781-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Creating a window

Launching a process

DNS request

Sending an HTTP GET request

Creating a file in the %temp% directory

Сreating synchronization primitives

Unauthorized injection to a system process

Sending a TCP request to an infection source

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/7363/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

CPUID_Instruction

EvasionQueryPerformanceCounter

EvasionGetTickCount

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

azorult greyware mokes packed

Link:

https://www.filescan.io/uploads/6218409a0cd58dbd923807ee/reports/27aedd6a-4cfc-4fe3-a637-73101fdfd4ea/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/bbf2905b-d106-43e8-8be8-2900479353f0

Result

Threat name:

DanaBot

Detection:

malicious

Classification:

troj

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/946149

Signature

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected DanaBot stealer dll

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/532e3e9ec546f0030d3fef0bddc224f868c55bb00d1914cdb7157a3e74f5bd28/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2022-02-25 02:36:17 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 28 (78.57%)

Threat level:

5/5

Verdict:

malicious

DanaBot

2f43972540a6cae0eb4e50d142860bdc278b44b9b4606747c58e19383efa82f5

DanaBot

4f4432ad4cc8c5d43dd2fe135717bdd65f417f91ada36cee4ae8f9af0269f8cb

DanaBot

7d3b2e91c3cfb16df02f63b973c69a2047b8031295a49e4fffa0fad3dba975f0

DanaBot

80221beedf16097e3e36392e13b3bae27a6cf0d0190987ca98c72f3e8a3c4ab4

DanaBot

84dcb2e1236f428d52bd4cb3f5d5e7a6c79d44778858012b746c1658b1a844fd

DanaBot

b20753700e6839173e63c607bd2e7da1da85b3d46f7c67b8e4b819814ff898ba

DanaBot

+ 9'539 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

discovery spyware stealer suricata

Link:

https://tria.ge/reports/220225-c3lvwsfebj/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies registry class

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Drops file in Program Files directory

Suspicious use of SetThreadContext

Checks installed software on the system

Reads user/profile data of web browsers

Blocklisted process makes network request

Suspicious use of NtCreateProcessExOtherParentProcess

suricata: ET MALWARE Danabot Key Exchange Request

Unpacked files

SH256 hash:

e493bfe27268470e5c6f218c2c66aef818d89e7cb7cb0da7f83d90286ab7d4b9

MD5 hash:

1db9eb92e30240305c6d56e58e900fed

SHA1 hash:

9f2e7fb2c9f13d52f8e0088c163525f8149d7e7a

Link:

https://www.unpac.me/results/4eaceea4-71c1-4ccd-9314-705742117268/

SH256 hash:

532e3e9ec546f0030d3fef0bddc224f868c55bb00d1914cdb7157a3e74f5bd28

MD5 hash:

2a597d25bbecfca9550df0d6f48bcafb

SHA1 hash:

5aa68ba69c391a3bcc93e88378a4e4818a2a9181

Link:

https://www.unpac.me/results/4eaceea4-71c1-4ccd-9314-705742117268/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/532e3e9ec546/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/532e3e9ec546f0030d3fef0bddc224f868c55bb00d1914cdb7157a3e74f5bd28

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/244571/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample