MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6bcb3820bfc04a26be416d94d12312eac70f48dd6b354a3e9010606167198e5a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	6bcb3820bfc04a26be416d94d12312eac70f48dd6b354a3e9010606167198e5a
SHA3-384 hash:	63f97f4344039e66429bd940ca8764360555a3af97bbfae7512d2f7c41eea9cf8f8a1b0557ab6be4a177f1f37e921378
SHA1 hash:	8491cab5811f09638e146e1dc4526c0e9effca43
MD5 hash:	6e893653c7423df0539e52768c35e717
humanhash:	papa-aspen-lemon-comet
File name:	6e893653c7423df0539e52768c35e717.exe
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	1'045'504 bytes
First seen:	2022-12-26 17:04:00 UTC
Last seen:	2022-12-26 18:34:13 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9e625a9baa60a24433313f8e16d3b887 (5 x Smoke Loader, 3 x RedLineStealer, 1 x Tofsee)
ssdeep	24576:TH0/iZ6LO8xC3k0IuHmzfXLunDAQOWIhafNnKDP2:D0/DvDruUigWi
TLSH	T18C25225137A1A0A7CB95183448EEF1E0A35EBCD0CFA54947B2946ACF2F707C486BD272
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	9a9ecedecee6eee6 (44 x Smoke Loader, 18 x RedLineStealer, 13 x Tofsee)
Reporter	abuse_ch
Tags:	DanaBot exe

Intelligence

File Origin

# of uploads :

# of downloads :

194

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

6e893653c7423df0539e52768c35e717.exe

Verdict:

Malicious activity

Analysis date:

2022-12-26 17:07:17 UTC

Tags:

stealer

Link:

https://app.any.run/tasks/e1af50ad-2850-41b1-8204-4aaf3244ee17

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Heur.Mint.Zard.52.702.9670.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Creating a window

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Sending an HTTP GET request

Searching for the window

Сreating synchronization primitives

Reading critical registry keys

Sending a TCP request to an infection source

Unauthorized injection to a system process

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

anti-vm greyware packed

Link:

https://www.filescan.io/uploads/63a9d40640e878e30420274b/reports/275c5581-6d33-449f-b2af-1ab06356fd0d/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ba4043cc-0228-41ce-94df-b4e904777587

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1141169

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6bcb3820bfc04a26be416d94d12312eac70f48dd6b354a3e9010606167198e5a/

Threat name:

Win32.Trojan.MintZard

Status:

Malicious

First seen:

2022-12-26 16:19:35 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=npftqif7ybfcnpsbnwknciys5ldq6sg5nm2uupuqcbqgczyzrzna._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

8/10

Tags:

collection discovery persistence spyware stealer

Link:

https://tria.ge/reports/221226-vk9hcagd5v/

Behaviour

Checks processor information in registry

Modifies registry class

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Program crash

Drops file in Program Files directory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook accounts

Accesses Microsoft Outlook profiles

Checks installed software on the system

Loads dropped DLL

Reads user/profile data of web browsers

Blocklisted process makes network request

Sets DLL path for service in the registry

Sets service image path in registry

Unpacked files

SH256 hash:

2a2322636c56b3e42b4d44f423d185069563eb86ecf7d09788c63497dd33878c

MD5 hash:

7ae5a9833a18a2a50beb1a08b9efc8ac

SHA1 hash:

75e63b630331a37ba41c65db8e777cce9145d049

Link:

https://www.unpac.me/results/b8751467-aad5-4fea-a7e1-dd546aedca66/

SH256 hash:

8600ebe697a6d177fd430bddcfdb3948b1534e5828be077ff8038d244270dadc

MD5 hash:

a01c42dc02e3c7e06283ca6cfa8d3427

SHA1 hash:

b069b350cc9dce4ab5a1c1d04dc7f569c83c5cc1

Link:

https://www.unpac.me/results/b8751467-aad5-4fea-a7e1-dd546aedca66/

SH256 hash:

6bcb3820bfc04a26be416d94d12312eac70f48dd6b354a3e9010606167198e5a

MD5 hash:

6e893653c7423df0539e52768c35e717

SHA1 hash:

8491cab5811f09638e146e1dc4526c0e9effca43

Link:

https://www.unpac.me/results/b8751467-aad5-4fea-a7e1-dd546aedca66/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6bcb3820bfc04a26be416d94d12312eac70f48dd6b354a3e9010606167198e5a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample