MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57357b402876a772f39631c930062011532774d893b69eb9c66ee3b1d3867b1a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 7

Intelligence 7 IOCs YARA 14 File information Comments

SHA256 hash:	57357b402876a772f39631c930062011532774d893b69eb9c66ee3b1d3867b1a
SHA3-384 hash:	bd55456809f7e15cbf0956606c2ff958ce973f61146c46d2aa2b6a7c9553eb3f356eb0bfeb8ff80ea4f4862289bc4849
SHA1 hash:	71bbdceca753f1e3174f34278b615cdc03ff38d0
MD5 hash:	f2c49b5ccfee5fb488c57ae7faebf33b
humanhash:	spring-nevada-ten-solar
File name:	SecuriteInfo.com.W32.AIDetect.malware1.3207.9980
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	6'274'048 bytes
First seen:	2021-03-03 22:37:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	eceb63b69c1dd50bdaba808c074e317e (1 x ArkeiStealer, 1 x DanaBot)
ssdeep	98304:fdwtMPX1bVxJi9+n8ZIOlIRQyJlwhzL4nCFi+TxPs1eA4cGzAvYpa0zKf9G8X0gT:fSMdbVenZIcTuhnq9LhUYg6Kd0g
TLSH	3E563302E360D039F8A762B4AA7756B8E62BB9B2B334A1CF5AC6E1DD57305D05C70707
Reporter	SecuriteInfoCom
Tags:	DanaBot

Intelligence

File Origin

# of uploads :

# of downloads :

403

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.W32.AIDetect.malware1.3207.9980

Verdict:

No threats detected

Analysis date:

2021-03-03 22:46:46 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/73fab95d-68c6-406e-9b69-67ecf5523071

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/122126/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.3207.9980.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file

Launching a process

Creating a process with a hidden window

Sending a UDP request

Modifying an executable file

Changing a file

Creating a file in the %temp% directory

Sending a custom TCP request

Reading critical registry keys

Forced system process termination

Creating a process from a recently created file

Using the Windows Management Instrumentation requests

Searching for the window

DNS request

Deleting a recently created file

Stealing user critical data

Infecting executable files

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spre.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/626879

Signature

Bypasses PowerShell execution policy

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

System process connects to network (likely due to code injection or exploit)

Tries to harvest and steal browser information (history, passwords, etc)

Uses nslookup.exe to query domains

Uses schtasks.exe or at.exe to add and modify task schedules

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/57357b402876a772f39631c930062011532774d893b69eb9c66ee3b1d3867b1a/

Threat name:

Win32.Trojan.Zenpak

Status:

Malicious

First seen:

2021-03-03 19:19:33 UTC

AV detection:

14 of 29 (48.28%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=k42xwqbio2txf44wghetabracfjso5gyso3j5oogn3r3du4gpmna._file

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/210303-wysqjmhbs2/

Unpacked files

SH256 hash:

059a2e959fd7744b46d01b67d4640a0cb65125a35b5ad61ad41443fdcb37f16a

MD5 hash:

7cd6faf2b39b6576186af33383bd77c8

SHA1 hash:

51e2d504de8683bcbcadbbffc89182fd89525d43

Link:

https://www.unpac.me/results/d20ceda5-2e95-4ddd-8d31-95aa395453b1/

SH256 hash:

ee3ff79ff4bc7531a70db20809e4ff59b0349f5e5cfefa8e0c320a2d04b49843

MD5 hash:

cd1c69d815d236317d191554b8f9be4d

SHA1 hash:

551ceb8e980ba9b11676a75b90ac5947b508f5ed

Link:

https://www.unpac.me/results/d20ceda5-2e95-4ddd-8d31-95aa395453b1/

SH256 hash:

aa344db160577355e791b38471ac57916c3348105a524c709df3486b2f38a427

MD5 hash:

b3b87dcdf8ce961bbcbd053992d97efc

SHA1 hash:

a399fe3c2de83310f7078c0ecfdc85f05aa383d6

Link:

https://www.unpac.me/results/d20ceda5-2e95-4ddd-8d31-95aa395453b1/

SH256 hash:

57357b402876a772f39631c930062011532774d893b69eb9c66ee3b1d3867b1a

MD5 hash:

f2c49b5ccfee5fb488c57ae7faebf33b

SHA1 hash:

71bbdceca753f1e3174f34278b615cdc03ff38d0

Link:

https://www.unpac.me/results/d20ceda5-2e95-4ddd-8d31-95aa395453b1/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/57357b402876a772f39631c930062011532774d893b69eb9c66ee3b1d3867b1a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	hunt_skyproj_backdoor Create hunting rule
Author:	SBousseaden
Reference:	https://unit42.paloaltonetworks.com/unit42-prince-persia-ride-lightning-infy-returns-foudre/

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	@ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePasswor Create hunting rule
Author:	ditekSHen
Description:	Detects PowerShell content designed to retrieve passwords from host

Rule name:	INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePassword Create hunting rule
Author:	ditekSHen
Description:	Detects PowerShell content designed to retrieve passwords from host

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	MALWARE_Win_DanaBot Create hunting rule
Author:	ditekSHen
Description:	Detects DanaBot variants

Rule name:	Ping_Del_method_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	cmd ping IP nul del

Rule name:	Select_from_enumeration Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

Rule name:	Stealer_word_in_memory Create hunting rule
Author:	James_inthe_box
Description:	The actual word stealer in memory

Rule name:	with_sqlite Create hunting rule
Author:	Julian J. Gonzalez <info@seguridadparatodos.es>
Description:	Rule to detect the presence of SQLite data in raw image
Reference:	http://www.st2labs.com