MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e009b5419bf7c8a2155865b15a8a113779c9b1713df92b6b3d56fa038afe2a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 11

SHA256 hash: 6e009b5419bf7c8a2155865b15a8a113779c9b1713df92b6b3d56fa038afe2a7
SHA3-384 hash: 8257366c9255a583f195288a3f1ab321bc6244e7906cb1b2ecea3f93c28c359473a27c8a7998ece49d8a75bcb9fad603
SHA1 hash: 0728442a4057cab594cd3fbc524569700ec3fc31
MD5 hash: cae73e84394cbd81ea4b174345d7f855
humanhash: washington-oranges-mobile-lithium
File name: GiftCard.pdf.msi
Signature: DanaBot
File size: 3'481'600 bytes
First seen: 2024-07-09 16:38:02 UTC
Last seen: 2024-07-09 17:23:11 UTC
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 98304:zlujyuyuB3t/UluZEPhRQ0ihrKA5zagG:zlujyu/P/UluqDwF
Threatray: 360 similar samples on MalwareBazaar
TLSH: T1A8F53375FA98A6BFC862D67A089F0788D423FE80DD1DC46C9D4F346C35F79429AA0871
TrID: 86.8% (.MSI) Microsoft Windows Installer (454500/1/170)
      11.6% (.MST) Windows SDK Setup Transform script (61000/1/5)
      1.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter: Anonymous
Tags: DanaBot msi

Intelligence


File Origin
Uploads: 2
Downloads: 121
Origin country: US
Vendor Threat Intelligence
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: fingerprint installer masquerade packed
Result
Threat name: DanaBot
Detection: malicious
Classification: phis.bank.troj.adwa.spyw.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus detection for dropped file
Enables a proxy for the internet explorer
Installs new ROOT certificates
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
May use the Tor software to hide its network traffic
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Overwrites Mozilla Firefox settings
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Registers a new ROOT certificate
Sets a proxy for the internet explorer
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph: (graph image not reproduced) Behavior Graph ID: 1470262, Sample: GiftCard.pdf.msi, Startdate: 09/07/2024, Architecture: WINDOWS, Score: 100
Threat name: Win32.Trojan.SpywareX
Status: Malicious
First seen: 2024-07-09 16:39:06 UTC
File Type: Binary (Archive)
Extracted files: 1
AV detection: 10 of 38 (26.32%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: collection discovery evasion execution persistence privilege_escalation spyware stealer
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
outlook_office_path
outlook_win_path
Checks SCSI registry key(s)
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
Checks installed software on the system
Drops file in Program Files directory
Drops file in Windows directory
Loads dropped DLL
Checks computer location settings
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Enumerates connected drives
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Modifies visibility of file extensions in Explorer
Verdict: Suspicious
Tags: n/a
YARA: n/a
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: maldoc_OLE_file_magic_number
Author: Didier Stevens (https://DidierStevens.com)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments