MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 723d026405da672a37d60b11f87e24f9ecf20d3e66e2cba22b07f73cd46540cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 13


Intelligence 13 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 723d026405da672a37d60b11f87e24f9ecf20d3e66e2cba22b07f73cd46540cc
SHA3-384 hash: 9c93794488dcbf5c37de9edd4babcaba8dca6970c2ac4f7b271c068a409b5b082fb90393f1e33b70f9fd968ed9067153
SHA1 hash: 65943bdd380fe0bdfa2de8ced878c9f643df6d45
MD5 hash: f80b353220bba812e0a50e97eeb05bcd
humanhash: robin-nuts-saturn-ten
File name:f80b353220bba812e0a50e97eeb05bcd.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:5'848'576 bytes
First seen:2023-01-17 14:38:25 UTC
Last seen:2023-01-17 16:35:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ad67a001ac2a7c340f211b760c32e508 (4 x Smoke Loader, 1 x RedLineStealer, 1 x LummaStealer)
ssdeep 98304:8949eQqctjAfHfvc8ML0p5qZcuEKV+hKFwNI2QCRLekxki8LCKU1SsAAfD0O2M3T:pHqc1Af/vc86uUzi0aLeUzeCEAmyrF6H
Threatray 1'617 similar samples on MalwareBazaar
TLSH T1C14633172A94B836C12A1BB2CB3C46D8343EAA703E17C28631908E7F8F743D19E57795
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 9a9acedecacacac6 (1 x DanaBot)
Reporter abuse_ch
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
282
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f80b353220bba812e0a50e97eeb05bcd.exe
Verdict:
Malicious activity
Analysis date:
2023-01-17 14:48:04 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/69807ac1-94af-42bc-b2ad-0e258ff3955a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/353856/
Detection(s):
PUA.Win.Packer.NspackDotnetNor-2
Create hunting rule

PUA.Win.Packer.NspackDotnetNor-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Launching a process
Searching for synchronization primitives
Creating a window
Creating a process with a hidden window
Searching for the window
Launching the default Windows debugger (dwwin.exe)
Changing a file
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/60993/overview
Behaviour
MalwareBazaar
CPUID_Instruction
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware lockbit mokes packed vobfus
Link:
https://www.filescan.io/uploads/63c6b308e56ca96f6d4ff9e3/reports/c0527d3c-c590-450d-9598-e877b027c46d/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f8a5fb9c-ca57-47d9-a3a0-830f8bd9ceda
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1153164
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May use the Tor software to hide its network traffic
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected DanaBot stealer dll
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 785909 Sample: R04BGoj9xJ.exe Startdate: 17/01/2023 Architecture: WINDOWS Score: 100 53 Malicious sample detected (through community Yara rule) 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 Yara detected UAC Bypass using CMSTP 2->57 59 3 other signatures 2->59 9 R04BGoj9xJ.exe 5 2->9         started        process3 file4 33 C:\Users\user\AppData\...\Wdswptowyyeh.exe, PE32 9->33 dropped 35 C:\Users\user\AppData\...\Wdswptowyyeh..tmp, DOS 9->35 dropped 63 Detected unpacking (changes PE section rights) 9->63 65 Detected unpacking (overwrites its own PE header) 9->65 67 Tries to detect virtualization through RDTSC time measurements 9->67 13 Wdswptowyyeh.exe 9->13         started        16 rundll32.exe 2 9->16         started        signatures5 process6 dnsIp7 69 Detected unpacking (changes PE section rights) 13->69 71 Machine Learning detection for dropped file 13->71 19 notepad.exe 13->19         started        37 154.111.17.63, 443, 49769 TUNISIANATN Tunisia 16->37 39 42.25.197.55, 443, 49758 SKTELECOM-NET-ASSKTelecomKR Korea Republic of 16->39 41 9 other IPs or domains 16->41 73 System process connects to network (likely due to code injection or exploit) 16->73 75 Modifies the context of a thread in another process (thread injection) 16->75 77 Tries to detect virtualization through RDTSC time measurements 16->77 23 rundll32.exe 16->23         started        signatures8 process9 file10 31 tmpF0CF.tmp (copy), PE32 19->31 dropped 61 Hides threads from debuggers 19->61 25 chrome.exe 13 3 19->25         started        signatures11 process12 dnsIp13 43 192.168.2.1 unknown unknown 25->43 45 239.255.255.250 unknown Reserved 25->45 28 chrome.exe 25->28         started        process14 dnsIp15 47 googleads.g.doubleclick.net 142.250.180.130, 443, 49732 GOOGLEUS United States 28->47 49 static.doubleclick.net 142.250.180.134, 443, 49733 GOOGLEUS United States 28->49 51 9 other IPs or domains 28->51
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/723d026405da672a37d60b11f87e24f9ecf20d3e66e2cba22b07f73cd46540cc/
Threat name:
Win32.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2023-01-17 14:39:08 UTC
File Type:
PE (Exe)
Extracted files:
30
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oi6qezaf3jtsun6wbmi7q7re7hwpedj6m3rmxirla73tzvdfidga._file
Verdict:
malicious
Similar samples:
1f984f06dd4dba858766fd2e8d81877e9738f8b9dc6706ce69b7b6e596c466d6
DanaBot
3af27ce24861a032e7437eaf39c59930c950dd1aabb371c1e9c0ff4bbbd0ae0f
DanaBot
4e92875fda924c97345692089644a87181ea46401d8249639f30eff2970d4f45
DanaBot
51c7f3e3637dfe07b6b51c46947926a2b6b44dcc81c7d6f783c94b49f2b12113
DanaBot
5bf63fb0014e66cda124ae8d9a2275e8a1c98704e8885c4aadadf74fdb162920
DanaBot
728ebb1ea9bfd9b3c3e6d904a85c10c309d2609defce00f10a4866b7a16116d1
DanaBot
8f6df7df63e769169784c8909e9138c0aa632cc23a24ecb61496fa152230ae07
DanaBot
b97b6e16154d9e6fc147031cd3308333a6ae7345a5bc9d2040e5f5abff5d7e8d
DanaBot
c3830943b84d673605e51fa61c410f0ad90a9cc0e2eb0add0609bbb11d2ce16b
DanaBot
+ 1'607 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection discovery spyware stealer
Link:
https://tria.ge/reports/230117-r1bdpshd98/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
25b4aaefc9e912bbfd65dd9377d4a801015c09bec57aed727395e74bf19cc0ec
MD5 hash:
b0e3ab3352f154b28b9e276fed2325df
SHA1 hash:
02f9d395c3bba4e72eefa04556fde72b08c66e31
Link:
https://www.unpac.me/results/7b452524-8771-41c8-8f56-b4178f8fd59b/
SH256 hash:
2d61e747c8383bd41aa4d5182483a4864598a1d0d4ea71c319a674eafd07ae74
MD5 hash:
ad90c5b947650fd8a20e6f47de053ab2
SHA1 hash:
ac2b2bef9767371a207626f5a1e6e82080eaa521
Detections:
win_sinowal_w1
Create hunting rule
Link:
https://www.unpac.me/results/7b452524-8771-41c8-8f56-b4178f8fd59b/
SH256 hash:
5f8e720f9246cd956990fc4d2a9ee9fb81069ac88d2a65adae1cddb40469a67d
MD5 hash:
e798afd559434922d38f70ec340caf2d
SHA1 hash:
17eb3130ca1f6fa9abb7e01d716da8eb57434973
Link:
https://www.unpac.me/results/7b452524-8771-41c8-8f56-b4178f8fd59b/
SH256 hash:
723d026405da672a37d60b11f87e24f9ecf20d3e66e2cba22b07f73cd46540cc
MD5 hash:
f80b353220bba812e0a50e97eeb05bcd
SHA1 hash:
65943bdd380fe0bdfa2de8ced878c9f643df6d45
Link:
https://www.unpac.me/results/7b452524-8771-41c8-8f56-b4178f8fd59b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/723d026405da/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/723d026405da672a37d60b11f87e24f9ecf20d3e66e2cba22b07f73cd46540cc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:html_auto_download_b64
Create hunting rule
Author:Tdawg
Description:html auto download
Rule name:hunt_skyproj_backdoor
Create hunting rule
Author:SBousseaden
Reference:https://unit42.paloaltonetworks.com/unit42-prince-persia-ride-lightning-infy-returns-foudre/
Rule name:ICMLuaUtil_UACMe_M41
Create hunting rule
Author:Marius 'f0wL' Genheimer <hello@dissectingmalwa.re>
Description:A Yara rule for UACMe Method 41 -> ICMLuaUtil Elevated COM interface
Reference:https://github.com/hfiref0x/UACME
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:QbotStuff
Create hunting rule
Author:anonymous
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:win_sinowal_w1
Create hunting rule
Author:Seth Hardy
Description:Quarian code features

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 723d026405da672a37d60b11f87e24f9ecf20d3e66e2cba22b07f73cd46540cc

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2510421/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/353856/

Comments