MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 72bc6f8e78f8eac529d0af0abdedfc86858f6ea1c9f43aa16e6b560343171f05. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 12

SHA256 hash: 72bc6f8e78f8eac529d0af0abdedfc86858f6ea1c9f43aa16e6b560343171f05
SHA3-384 hash: 1b32f580b15863d8169173e6920c33d1c470272defe157fecce1fc06fb1e19adae4dcb985fed6431c9a1bae629222816
SHA1 hash: 3d98e8501a024dbb0821d73c480f49858f5b4aab
MD5 hash: 98e4420343b3bbca65e43ff3995d77a4
humanhash: magnesium-lamp-india-california
File name: 72bc6f8e78f8eac529d0af0abdedfc86858f6ea1c9f43aa16e6b560343171f05
Signature: DanaBot
File size: 3'589'120 bytes
First seen: 2023-05-18 13:57:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 85d599a3cf99c75bc9158189f8cffef1 (7 x RedLineStealer, 5 x Stop, 4 x Glupteba)
ssdeep: 98304:gXiavSeLfj2Xq4nIGuvsVRDBu3BbyQmldc:gXfaeLyXbIjoY3BOQY
TLSH: T1CBF52303D3D12DE2EA154A3E9D6A86EC3B9EB6204F4D37DB96588A2F01790B3C573345
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 222342124a120608 (1 x DanaBot)
Reporter: JaffaCakes118
Tags: DanaBot
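The digests above are what you check a downloaded copy against before doing anything else with it; the imphash, ssdeep and TLSH values are for pivoting to related samples (note that this imphash is shared with RedLineStealer, Stop and Glupteba samples, which points at a common packer or loader rather than a common family). The script below is an added example, not MalwareBazaar's own code: it recomputes the four cryptographic digests listed on the entry with the standard library only (ssdeep, TLSH and imphash need third-party modules and are not recomputed) and reports every field that disagrees with the entry, including the file size.

```python
"""Check a downloaded copy of this sample against the hashes on its entry.

Added example, not MalwareBazaar's own code. Standard library only: the
fuzzy hashes shown on the entry (ssdeep, TLSH) and the imphash are not
recomputed here because they need third-party modules.
"""
import hashlib
import sys
from typing import Dict, Optional, Tuple

# Digests copied from the entry above.
ENTRY_HASHES = {
    "sha256": "72bc6f8e78f8eac529d0af0abdedfc86858f6ea1c9f43aa16e6b560343171f05",
    "sha3_384": "1b32f580b15863d8169173e6920c33d1c470272defe157fecce1fc06fb1e19ad"
                "ae4dcb985fed6431c9a1bae629222816",
    "sha1": "3d98e8501a024dbb0821d73c480f49858f5b4aab",
    "md5": "98e4420343b3bbca65e43ff3995d77a4",
}
ENTRY_SIZE = 3_589_120  # "File size: 3'589'120 bytes"

# hashlib names for the four digests MalwareBazaar publishes per file.
ALGORITHMS = ("sha256", "sha3_384", "sha1", "md5")


def fingerprint(data: bytes) -> Dict[str, str]:
    """Return the four hex digests for an in-memory blob."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def fingerprint_file(path: str, chunk_size: int = 1 << 20) -> Tuple[Dict[str, str], int]:
    """Stream a file through all four hashers at once; returns (digests, size).

    One pass over the file, so a multi-megabyte PE is never held in memory.
    """
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}, size


def mismatches(digests: Dict[str, str], size: Optional[int],
               expected: Dict[str, str] = ENTRY_HASHES,
               expected_size: Optional[int] = ENTRY_SIZE) -> Dict[str, Tuple]:
    """Compare computed digests (and size) with the entry; return {field: (expected, got)}.

    An empty result means the bytes are the sample the entry describes. Every
    expected digest is checked, not just SHA256, so a mis-copied MD5 or SHA1
    in a report is caught as well.
    """
    problems = {}
    for name, want in expected.items():
        got = digests.get(name)
        if got is None or got.lower() != want.lower():
            problems[name] = (want, got)
    if expected_size is not None and size is not None and size != expected_size:
        problems["size"] = (expected_size, size)
    return problems


def verify_bytes(data: bytes, expected: Dict[str, str] = ENTRY_HASHES,
                 expected_size: Optional[int] = ENTRY_SIZE) -> Dict[str, Tuple]:
    """Convenience wrapper for in-memory data."""
    return mismatches(fingerprint(data), len(data), expected, expected_size)


if __name__ == "__main__":
    # Usage: python verify_sample.py <extracted sample>
    digests, size = fingerprint_file(sys.argv[1])
    bad = mismatches(digests, size)
    if bad:
        for field, (want, got) in bad.items():
            print(f"MISMATCH {field}: entry={want} file={got}")
        sys.exit(1)
    print("OK: file matches the MalwareBazaar entry")
```

Run it against the extracted PE, not the ZIP wrapper the sample is delivered in; hashing the archive produces four mismatches plus a size mismatch, which is the same signal a truncated download gives.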

Intelligence


File Origin
# of uploads: 1
# of downloads: 104
Origin country: GB

Vendor Threat Intelligence
Malware family: danabot
ID: 1
File name: 72bc6f8e78f8eac529d0af0abdedfc86858f6ea1c9f43aa16e6b560343171f05
Verdict: Malicious activity
Analysis date: 2023-05-18 17:02:56 UTC
Tags: danabot
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Searching for the window
Launching the default Windows debugger (dwwin.exe)
Creating a window
Searching for synchronization primitives
Sending a custom TCP request
Sending an HTTP GET request
Changing a file
Creating synchronization primitives
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  0/10
Tags:
n/a
Behaviour
MalwareBazaar
MeasuringTime
CPUID_Instruction
SystemUptime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Gathering data
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
DanaBot
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Signature
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected DanaBot stealer dll
Behaviour
Threat name:
Win32.Trojan.GenSHCode
Status:
Malicious
First seen:
2023-05-18 08:20:01 UTC
File Type:
PE (Exe)
Extracted files:
41
AV detection:
23 of 37 (62.16%)
Threat level:
  5/5
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Behaviour
Checks processor information in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Blocklisted process makes network request
Unpacked files
SHA256 hash: 198d66e05d738f460d1bba94f32279248f95df7801764beeb283c33918572052
MD5 hash: 7ff3e1afca93dd79801b0dd7733c9901
SHA1 hash: fbdc8d5d6681410677c4e009632050852c2bc326

SHA256 hash: 632d4b6d31600abec7555cff9f90adf88e759c3849c9925ea3532a962f9276ee
MD5 hash: d938d9e4456ad5ed455da72ac4503d88
SHA1 hash: eb72bbd4a43411d77688e91d6c52ff350455c38f

SHA256 hash: 72bc6f8e78f8eac529d0af0abdedfc86858f6ea1c9f43aa16e6b560343171f05
MD5 hash: 98e4420343b3bbca65e43ff3995d77a4
SHA1 hash: 3d98e8501a024dbb0821d73c480f49858f5b4aab
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they produce in the sandbox. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: Windows_Trojan_Smokeloader_3687686f
Author: Elastic Security
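Everything in the Intelligence and YARA sections above is also available programmatically, which is how you would enrich a hash seen in your own telemetry. The script below is an added example, not MalwareBazaar's own code. The endpoint and the `query=get_info` / `hash=` form parameters are from the public abuse.ch API documentation; the response field names it reads (`sha256_hash`, `signature`, `imphash`, `yara_rules`, `vendor_intel`, and so on) are my recollection of that schema and should be checked against the current docs. Current API versions require an abuse.ch `Auth-Key` header, passed as an optional argument. The constructed response embedded in the block is populated from this entry so the summarising logic runs offline.

```python
"""Pull a MalwareBazaar entry via the API and reduce it to pivot fields.

Added example, not MalwareBazaar's own code. Endpoint and form parameters
follow the public abuse.ch API docs; the response field names below are
assumptions to verify against the current documentation.
"""
import json
import urllib.parse
import urllib.request
from typing import Any, Dict, Optional

API_URL = "https://mb-api.abuse.ch/api/v1/"
SAMPLE_SHA256 = "72bc6f8e78f8eac529d0af0abdedfc86858f6ea1c9f43aa16e6b560343171f05"


def query_hash(hash_value: str, auth_key: Optional[str] = None,
               timeout: float = 20.0) -> Dict[str, Any]:
    """POST query=get_info&hash=<sha256|sha1|md5>; returns the decoded JSON (network call)."""
    body = urllib.parse.urlencode({"query": "get_info", "hash": hash_value}).encode()
    req = urllib.request.Request(API_URL, data=body, method="POST")
    if auth_key:
        req.add_header("Auth-Key", auth_key)  # required by current API versions (assumption)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def summarise(response: Dict[str, Any]) -> Dict[str, Any]:
    """Keep the fields an analyst pivots on from a get_info response.

    A query_status other than "ok" (for example hash_not_found) raises instead
    of returning an empty summary, so absence from MalwareBazaar is never
    mistaken for a clean verdict.
    """
    status = response.get("query_status")
    if status != "ok":
        raise LookupError(f"MalwareBazaar query_status={status!r}")
    entry = response["data"][0]
    vendor_intel = entry.get("vendor_intel") or {}
    yara = entry.get("yara_rules") or []
    return {
        "sha256": entry.get("sha256_hash"),
        "signature": entry.get("signature"),
        "tags": list(entry.get("tags") or []),
        "imphash": entry.get("imphash"),
        "ssdeep": entry.get("ssdeep"),
        "tlsh": entry.get("tlsh"),
        "first_seen": entry.get("first_seen"),
        "yara_rules": [r.get("rule_name") for r in yara],
        "vendors": sorted(vendor_intel),
    }


# Constructed response for offline use: the shape the API returns (as assumed
# above) populated with values copied from this entry.
CONSTRUCTED_RESPONSE = {
    "query_status": "ok",
    "data": [{
        "sha256_hash": SAMPLE_SHA256,
        "sha1_hash": "3d98e8501a024dbb0821d73c480f49858f5b4aab",
        "md5_hash": "98e4420343b3bbca65e43ff3995d77a4",
        "first_seen": "2023-05-18 13:57:18",
        "file_size": 3589120,
        "signature": "DanaBot",
        "tags": ["DanaBot"],
        "imphash": "85d599a3cf99c75bc9158189f8cffef1",
        "ssdeep": "98304:gXiavSeLfj2Xq4nIGuvsVRDBu3BbyQmldc:gXfaeLyXbIjoY3BOQY",
        "tlsh": "T1CBF52303D3D12DE2EA154A3E9D6A86EC3B9EB6204F4D37DB96588A2F01790B3C573345",
        "yara_rules": [
            {"rule_name": "pdb_YARAify", "author": "@wowabiy314", "description": "PDB"},
            {"rule_name": "shellcode", "author": "nex",
             "description": "Matched shellcode byte patterns"},
            {"rule_name": "Windows_Trojan_Smokeloader_3687686f", "author": "Elastic Security"},
        ],
        # Only the vendor the page names explicitly is listed here; the real
        # entry reports 12 vendor detections.
        "vendor_intel": {"ANY.RUN": [{"verdict": "Malicious activity"}]},
    }],
}


if __name__ == "__main__":
    # Live lookup (needs network and, for current API versions, an Auth-Key):
    # print(json.dumps(summarise(query_hash(SAMPLE_SHA256, auth_key="...")), indent=2))
    print(json.dumps(summarise(CONSTRUCTED_RESPONSE), indent=2))
```

The `LookupError` on `hash_not_found` is deliberate: the disclaimer at the top of this page cuts both ways, since a hash missing from MalwareBazaar says nothing about whether the file is benign.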

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments