MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5bf63fb0014e66cda124ae8d9a2275e8a1c98704e8885c4aadadf74fdb162920. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5bf63fb0014e66cda124ae8d9a2275e8a1c98704e8885c4aadadf74fdb162920
SHA3-384 hash: d140a6bfd772b93ce3cb33c97fb32a1ec7dfa5a9a0634101d6a036cca27aa5a99d8e957ce0183dbbc31c3a339c817675
SHA1 hash: 6166c1c65e3bffe5f2d2e22ca31acb1515cfe884
MD5 hash: 270457d008e4e08bc9d5adcef2afdde7
humanhash: single-march-nitrogen-london
File name:270457d008e4e08bc9d5adcef2afdde7
Download: download sample
Signature DanaBot
Create hunting rule
File size:7'003'136 bytes
First seen:2022-12-31 11:47:04 UTC
Last seen:2022-12-31 14:30:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a8a37b9dbba75dee024eac98b7bda623 (2 x DanaBot, 2 x RedLineStealer)
ssdeep 196608:X29FOBZDPZRdbt/tYk8Ofg4imyCD2RIRN1P:X29wBZTjH/tYNGdii4A
TLSH T1C46633323954D832C03598B59F24E6D426296830ED639447FBD01FAD9F3BBAA45C8B4F
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9a9ecececee6cee6 (14 x Smoke Loader, 5 x RedLineStealer, 5 x CoinMiner)
Reporter zbetcheckin
Tags:32 DanaBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
231
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
270457d008e4e08bc9d5adcef2afdde7
Verdict:
Malicious activity
Analysis date:
2022-12-31 11:49:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9e9bd2e6-971d-4944-b8be-5b023b0a7007

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Heur.Mint.Zard.52.14254.23930.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Changing a file
Creating a file in the %temp% directory
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Creating a process from a recently created file
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm greyware lockbit packed
Link:
https://www.filescan.io/uploads/63b021750e926711fd75fc91/reports/3c1d7cec-3219-4424-a24c-616f193ca564/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5aab1534-d94e-49c5-a1f2-bc4cba8357b6
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad.phis.spyw.expl
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1143529
Signature
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May use the Tor software to hide its network traffic
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DanaBot stealer dll
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 776259 Sample: DgXXuttghF.exe Startdate: 31/12/2022 Architecture: WINDOWS Score: 100 61 clients2.google.com 2->61 63 clients.l.google.com 2->63 65 accounts.google.com 2->65 81 Malicious sample detected (through community Yara rule) 2->81 83 Multi AV Scanner detection for submitted file 2->83 85 Yara detected UAC Bypass using CMSTP 2->85 87 3 other signatures 2->87 10 DgXXuttghF.exe 5 2->10         started        signatures3 process4 file5 57 C:\Users\user\AppData\...\Otfhfhweptay.tmp, DOS 10->57 dropped 59 C:\Users\user\AppData\...\Otfhfhweptay.exe, PE32 10->59 dropped 13 rundll32.exe 8 24 10->13         started        17 Otfhfhweptay.exe 10->17         started        19 WerFault.exe 16 10->19         started        22 6 other processes 10->22 process6 dnsIp7 75 66.85.173.3, 443, 62626 SSASN2US United States 13->75 77 91.186.125.111, 443, 62629 KANAL7-ASMTSPJSCMRSibirNorilskRU Russian Federation 13->77 79 5 other IPs or domains 13->79 89 System process connects to network (likely due to code injection or exploit) 13->89 91 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 13->91 93 Tries to steal Instant Messenger accounts or passwords 13->93 99 3 other signatures 13->99 24 schtasks.exe 13->24         started        26 schtasks.exe 13->26         started        28 rundll32.exe 13->28         started        95 Multi AV Scanner detection for dropped file 17->95 97 Machine Learning detection for dropped file 17->97 30 notepad.exe 17->30         started        33 WerFault.exe 17->33         started        47 C:\ProgramData\Microsoft\...\Report.wer, Unicode 19->47 dropped 49 C:\ProgramData\Microsoft\...\Report.wer, Unicode 22->49 dropped 51 C:\ProgramData\Microsoft\...\Report.wer, Unicode 22->51 dropped 53 C:\ProgramData\Microsoft\...\Report.wer, Unicode 22->53 dropped 55 3 other malicious files 22->55 dropped file8 signatures9 process10 signatures11 35 conhost.exe 24->35         started        37 conhost.exe 26->37         started        101 Hides threads from debuggers 30->101 39 chrome.exe 30->39         started        process12 dnsIp13 67 192.168.11.1 unknown unknown 39->67 69 239.255.255.250, 1900 unknown Reserved 39->69 42 chrome.exe 39->42         started        45 WerFault.exe 39->45         started        process14 dnsIp15 71 accounts.google.com 142.250.181.237, 443, 61364 GOOGLEUS United States 42->71 73 clients.l.google.com 142.250.185.142, 443, 59868 GOOGLEUS United States 42->73
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5bf63fb0014e66cda124ae8d9a2275e8a1c98704e8885c4aadadf74fdb162920/
Threat name:
Win32.Trojan.MintZard
Create hunting rule
Status:
Malicious
First seen:
2022-12-31 11:48:18 UTC
File Type:
PE (Exe)
Extracted files:
77
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lp3d7mabjztm3ijev2gzuitv5cq4tbye5cefysvnvx3u7wywfeqa._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery
Link:
https://tria.ge/reports/221231-nyfc4ahe69/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Gathering data
Unpacked files
SH256 hash:
fc180d57b1325d37d55177cc3c001f4ce37afe840436cf04d90d5dac232b52cb
MD5 hash:
e2631f92d83e6961f959767726372767
SHA1 hash:
5d8900b7d493f067ad0027c10b29ac468784c481
Link:
https://www.unpac.me/results/fb0ef52e-4ec2-4211-bd05-69ade3117278/
SH256 hash:
a0ec4aad9281bd056de9b24d97ca29ce2ae9fdf41cb73e14bc2cd37c85ba7a2b
MD5 hash:
05313858681c62bd3e9a07736b83b481
SHA1 hash:
d052740d5c6a328b79538802380382f01df114e8
Detections:
win_sinowal_w1
Create hunting rule
Link:
https://www.unpac.me/results/fb0ef52e-4ec2-4211-bd05-69ade3117278/
Parent samples :
4e92875fda924c97345692089644a87181ea46401d8249639f30eff2970d4f45
5bf63fb0014e66cda124ae8d9a2275e8a1c98704e8885c4aadadf74fdb162920
51c7f3e3637dfe07b6b51c46947926a2b6b44dcc81c7d6f783c94b49f2b12113
SH256 hash:
366ee3319c995b995fcfcc3f2228a18a09d0461a94964b4b4ad9a89dcbf669f4
MD5 hash:
ff6a5732355485b459248f586c2b6945
SHA1 hash:
07da3f03ef18e2eaddfceb050b68e93fd533f7a3
Link:
https://www.unpac.me/results/fb0ef52e-4ec2-4211-bd05-69ade3117278/
SH256 hash:
61cd01c9b49f419fc7735413f0bc75ce9f49472517d11a272d2de5a746d866ec
MD5 hash:
4be03ece98dae87458118dcac2d98528
SHA1 hash:
08c65c05c85ef3c0781e24a8aebe26e1426b2ac0
Link:
https://www.unpac.me/results/fb0ef52e-4ec2-4211-bd05-69ade3117278/
SH256 hash:
c3bccaf5a2b51b78d20853815a16d34f8c394e620cd128db0480eb699015c90f
MD5 hash:
72d9f5cfaaadb666691a9e4120b5418e
SHA1 hash:
b9b925a47f786609e2d349532bd982a1b84941ef
Link:
https://www.unpac.me/results/fb0ef52e-4ec2-4211-bd05-69ade3117278/
SH256 hash:
5bf63fb0014e66cda124ae8d9a2275e8a1c98704e8885c4aadadf74fdb162920
MD5 hash:
270457d008e4e08bc9d5adcef2afdde7
SHA1 hash:
6166c1c65e3bffe5f2d2e22ca31acb1515cfe884
Link:
https://www.unpac.me/results/fb0ef52e-4ec2-4211-bd05-69ade3117278/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5bf63fb0014e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5bf63fb0014e66cda124ae8d9a2275e8a1c98704e8885c4aadadf74fdb162920

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 5bf63fb0014e66cda124ae8d9a2275e8a1c98704e8885c4aadadf74fdb162920

(this sample)

  
Delivery method
Distributed via web download

Comments


Avatar
zbet commented on 2022-12-31 11:47:13 UTC

url : hxxp://194.135.33.239/politico.exe