MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 72cb26ac08fa4ba35112a093b506eb97f730537f9a011a20ad8049d4da6fcb77. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 72cb26ac08fa4ba35112a093b506eb97f730537f9a011a20ad8049d4da6fcb77
SHA3-384 hash: 97ef30ddf12524d6ec6ab1e227c6e0d9500e1f5267e186adf737232dfee78971cb06d4aa86c250ed41c001596adb3a65
SHA1 hash: 8106d808d0199d230b5943f15b1d85d05334d3ea
MD5 hash: 8fba92e7730c734197c8e5977533df77
humanhash: cold-salami-florida-river
File name:8fba92e7730c734197c8e5977533df77.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:998'400 bytes
First seen:2022-04-20 06:42:52 UTC
Last seen:2022-04-20 10:21:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c6e11cdeac4fe163051ba996818a46c7 (1 x ArkeiStealer, 1 x Stop, 1 x AZORult)
ssdeep 24576:jhkfnFt1hxdJDDbhOPpielc4c1GBPvU2V:tk/1bdJDnhOxJlc4c+7
Threatray 12'185 similar samples on MalwareBazaar
TLSH T1B225233273D5C932C0F761385469B9919DBF74B2727140DB6E44232A6EB06D209FAB8F
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 480c3c4c4f594b14 (22 x Smoke Loader, 16 x RedLineStealer, 10 x Tofsee)
Reporter abuse_ch
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
657
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/264810/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.24943.15933.26635.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Creating a window
Launching a process
Sending an HTTP GET request
Creating a file in the %temp% directory
Сreating synchronization primitives
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/625fab7c482f2f41cad759fb/reports/4fea505d-7626-4de7-ac0c-871e641a2d68/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4e25b832-96e2-48b1-bf1b-542a03f9023e
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/979332
Signature
Delayed program exit found
Machine Learning detection for sample
May use the Tor software to hide its network traffic
Multi AV Scanner detection for submitted file
Overwrites code with function prologues
Sigma detected: Suspicious Call by Ordinal
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/72cb26ac08fa4ba35112a093b506eb97f730537f9a011a20ad8049d4da6fcb77/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2022-04-19 07:48:26 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
34 of 42 (80.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=olfsnlai7jf2guisucj3kbxls73tau37tiaruifnqbe5jwtpzn3q._file
Verdict:
malicious
Similar samples:
0f8d2648166184bde6562f33b7e4b620313fe7a21746720d37594213fba7a604
DanaBot
2650817e2703b15c7e6fbf4d4caace2066f50db88fc96862190c4daf32d186e7
DanaBot
2f43972540a6cae0eb4e50d142860bdc278b44b9b4606747c58e19383efa82f5
DanaBot
343b785bdc3ee599f7962a90b02c3638c470e486fe43fff73c0ee5fbb8eb0a50
DanaBot
7a6ee9e168bb8af108f335957f8abc4736c49a0a9335412a9a75758f904c0f95
DanaBot
a0a944db45538f11089813fd89eeed36cdefa6204e52ba305251832ed0045860
DanaBot
b40e6537a52981f980ab811a63c1c8bb751d5ddc5b64668a342dddf24bcbeb94
DanaBot
cf57cc27a823806f6012096ebd1eca04ca4d6a837b664c829a9d037d821d7f86
DanaBot
cfb04c54f0c8648d9b43d05803f1816769fa8a37aff362141f939c001c361907
DanaBot
+ 12'175 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/220420-hgxcdshgam/
Behaviour
Checks processor information in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks installed software on the system
Reads user/profile data of web browsers
Blocklisted process makes network request
Unpacked files
SH256 hash:
0b552f0af2b80fe0222b849e9759ca94c8b408927078f6bf807e62475f16af58
MD5 hash:
54219093d404b40237d1d056381ea307
SHA1 hash:
d76eef34fb8455cd4861c59ecc2b0f630b926f58
Link:
https://www.unpac.me/results/5f58da00-1378-4dca-a83e-fec3eb78ad65/
SH256 hash:
72cb26ac08fa4ba35112a093b506eb97f730537f9a011a20ad8049d4da6fcb77
MD5 hash:
8fba92e7730c734197c8e5977533df77
SHA1 hash:
8106d808d0199d230b5943f15b1d85d05334d3ea
Link:
https://www.unpac.me/results/5f58da00-1378-4dca-a83e-fec3eb78ad65/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/72cb26ac08fa4ba35112a093b506eb97f730537f9a011a20ad8049d4da6fcb77

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/264810/

Comments