MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f2c67b4f513ee558bc326923753e09bdabfb4fdb2cea8133cdd286d54d62276. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5f2c67b4f513ee558bc326923753e09bdabfb4fdb2cea8133cdd286d54d62276
SHA3-384 hash: 3acd47b808d7af1ad77d2e6d26860fe4f2867be6fbba7e0884bb78a980c8a5940a989b661b5f046448913b64455de720
SHA1 hash: 7882407febfac84fcc119d632bb35d5be5e72a86
MD5 hash: 8c1851c953395fe03737835a45963776
humanhash: yellow-twenty-venus-king
File name:8c1851c953395fe03737835a45963776.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'491'456 bytes
First seen:2023-01-02 07:53:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d585add5564b82833bf0e38fc88e1041 (1 x DanaBot)
ssdeep 24576:BVhVEvJbUI/JgsBd0SPkjnPcNonXEYtsY65+1S9VkyYFRm6514j:Bv6jPd8YNoXaY6oc059n
Threatray 4 similar samples on MalwareBazaar
TLSH T19A65222E39DD9730E8D7153A893AAAD02B77BD3483BD179633003A5F1E772C09966613
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9a9ecedecee6eeee (52 x Smoke Loader, 19 x RedLineStealer, 14 x Amadey)
Reporter abuse_ch
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8c1851c953395fe03737835a45963776.exe
Verdict:
No threats detected
Analysis date:
2023-01-02 07:56:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4932af72-05e5-4b47-b016-d0841601bcf8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.MSIL-21.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a process with a hidden window
Creating a window
Сreating synchronization primitives
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Searching for many windows
Reading critical registry keys
Changing a file
DNS request
Sending a UDP request
Creating a file
Unauthorized injection to a recently created process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
anti-vm greyware packed
Link:
https://www.filescan.io/uploads/63b28d9c40e878e30421fc4e/reports/e2c0e171-de46-4750-9014-00ac45d53787/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ccb64330-ec0b-4229-9b3e-d1fc0bccc4a0
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1144058
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5f2c67b4f513ee558bc326923753e09bdabfb4fdb2cea8133cdd286d54d62276/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-01-01 16:55:32 UTC
File Type:
PE (Exe)
Extracted files:
49
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l4wgpnhvcpxflc6de2jdou7atpnl7nh5wlhkqez43uug2vgwej3a._file
Verdict:
malicious
Similar samples:
3af27ce24861a032e7437eaf39c59930c950dd1aabb371c1e9c0ff4bbbd0ae0f
DanaBot
4e92875fda924c97345692089644a87181ea46401d8249639f30eff2970d4f45
DanaBot
51c7f3e3637dfe07b6b51c46947926a2b6b44dcc81c7d6f783c94b49f2b12113
DanaBot
5bf63fb0014e66cda124ae8d9a2275e8a1c98704e8885c4aadadf74fdb162920
DanaBot
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230102-jrjpqadf86/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Unpacked files
SH256 hash:
fc180d57b1325d37d55177cc3c001f4ce37afe840436cf04d90d5dac232b52cb
MD5 hash:
e2631f92d83e6961f959767726372767
SHA1 hash:
5d8900b7d493f067ad0027c10b29ac468784c481
Link:
https://www.unpac.me/results/b5f7feb5-cf97-4be3-84df-d3a193d5416e/
SH256 hash:
366ee3319c995b995fcfcc3f2228a18a09d0461a94964b4b4ad9a89dcbf669f4
MD5 hash:
ff6a5732355485b459248f586c2b6945
SHA1 hash:
07da3f03ef18e2eaddfceb050b68e93fd533f7a3
Link:
https://www.unpac.me/results/b5f7feb5-cf97-4be3-84df-d3a193d5416e/
SH256 hash:
5f2c67b4f513ee558bc326923753e09bdabfb4fdb2cea8133cdd286d54d62276
MD5 hash:
8c1851c953395fe03737835a45963776
SHA1 hash:
7882407febfac84fcc119d632bb35d5be5e72a86
Link:
https://www.unpac.me/results/b5f7feb5-cf97-4be3-84df-d3a193d5416e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5f2c67b4f513ee558bc326923753e09bdabfb4fdb2cea8133cdd286d54d62276

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:yara_template
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments