MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a6ee9e168bb8af108f335957f8abc4736c49a0a9335412a9a75758f904c0f95. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7a6ee9e168bb8af108f335957f8abc4736c49a0a9335412a9a75758f904c0f95
SHA3-384 hash: 7d36753ba11b4b7d4ef1ca93013e14d498e8edb20ad0fb6e366ac2bd8bc913d3e94a96b19089918a66b3a12430cb8eac
SHA1 hash: 8048c28c586596b754875190079a9bf35c0fbecc
MD5 hash: 9b114998d0639e860dc1aecc458f8377
humanhash: purple-golf-pip-georgia
File name:9b114998d0639e860dc1aecc458f8377
Download: download sample
Signature DanaBot
Create hunting rule
File size:998'400 bytes
First seen:2022-04-19 11:36:34 UTC
Last seen:2022-04-20 10:21:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cf51b7369ef0b905b80a8d052c9cffd (1 x DanaBot, 1 x Smoke Loader)
ssdeep 24576:8v8lby3VhMc3eexe9oww0X5mIT0FBnzommvQ5:w8CMcTe9DxX5me0F5Tm4
Threatray 12'158 similar samples on MalwareBazaar
TLSH T1CD2523143BA1D871E1BF32306D6082E16A387D3321B2170ABB94779F7E7178257AA717
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 480c1c4c4f590b14 (113 x Smoke Loader, 92 x RedLineStealer, 83 x Amadey)
Reporter zbetcheckin
Tags:32 DanaBot exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
662
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/264597/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.3384.4408.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a window
Launching a process
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Сreating synchronization primitives
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/625e9edf482f2f41cad18ce7/reports/5835694d-4ca9-4e41-ae9d-16c9c97ad3a9/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f0edacb3-a126-43f2-8396-5d9c8ab5e633
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/978802
Signature
Delayed program exit found
Machine Learning detection for sample
May use the Tor software to hide its network traffic
Multi AV Scanner detection for submitted file
Overwrites code with function prologues
Sigma detected: Suspicious Call by Ordinal
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 611289 Sample: 1eQgz9xtPt Startdate: 19/04/2022 Architecture: WINDOWS Score: 88 36 Multi AV Scanner detection for submitted file 2->36 38 Yara detected DanaBot stealer dll 2->38 40 Machine Learning detection for sample 2->40 42 2 other signatures 2->42 6 1eQgz9xtPt.exe 3 2->6         started        process3 signatures4 44 Overwrites code with function prologues 6->44 46 Tries to detect virtualization through RDTSC time measurements 6->46 9 rundll32.exe 13 6->9         started        14 WerFault.exe 9 6->14         started        16 WerFault.exe 9 6->16         started        18 4 other processes 6->18 process5 dnsIp6 34 192.236.176.108, 443, 49738 HOSTWINDSUS United States 9->34 20 C:\Users\user\AppData\Local\...\Wysrrtpeu.tmp, DOS 9->20 dropped 48 System process connects to network (likely due to code injection or exploit) 9->48 50 Tries to detect virtualization through RDTSC time measurements 9->50 52 Delayed program exit found 9->52 22 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 14->22 dropped 24 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 16->24 dropped 26 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->26 dropped 28 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->28 dropped 30 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->30 dropped 32 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->32 dropped file7 signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7a6ee9e168bb8af108f335957f8abc4736c49a0a9335412a9a75758f904c0f95/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2022-04-19 11:37:09 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
33 of 41 (80.49%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
157757f5065076824ea142b1e3910b51326149a0a457f986cc4270b5fec1d319
DanaBot
227d3c5db3775b35dd5f537583396cbbf29dba49eabc3d30c512a8c0b3565e61
DanaBot
2f43972540a6cae0eb4e50d142860bdc278b44b9b4606747c58e19383efa82f5
DanaBot
343b785bdc3ee599f7962a90b02c3638c470e486fe43fff73c0ee5fbb8eb0a50
DanaBot
a0a944db45538f11089813fd89eeed36cdefa6204e52ba305251832ed0045860
DanaBot
a229aee8edf8ebb3b5e3e418879641216f49d6e00f8358a0debd4c00ddf825e9
DanaBot
b40e6537a52981f980ab811a63c1c8bb751d5ddc5b64668a342dddf24bcbeb94
DanaBot
d5faba20007266314cf176b9e49ccbc35c3fd2b0982fcd73f7b5794539b42e89
DanaBot
e1511e934906072c0717e68c0a05b04c61846f7ad15ce323b61f854a24c86b15
DanaBot
+ 12'148 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/220419-nq5b9aebhl/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks installed software on the system
Reads user/profile data of web browsers
Blocklisted process makes network request
Unpacked files
SH256 hash:
da27ff73d8aead00f5a4f02125e9579fd2e03d81bb6d392da8263e8a506aeb86
MD5 hash:
5fd06f0a453bce02d4e792c6602f52a4
SHA1 hash:
3f1692c21706d98c24e0388d1f4c12d80ede979a
Link:
https://www.unpac.me/results/92f10af5-445c-44e0-b24e-2a016a356120/
SH256 hash:
7a6ee9e168bb8af108f335957f8abc4736c49a0a9335412a9a75758f904c0f95
MD5 hash:
9b114998d0639e860dc1aecc458f8377
SHA1 hash:
8048c28c586596b754875190079a9bf35c0fbecc
Link:
https://www.unpac.me/results/92f10af5-445c-44e0-b24e-2a016a356120/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7a6ee9e168bb8af108f335957f8abc4736c49a0a9335412a9a75758f904c0f95

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 7a6ee9e168bb8af108f335957f8abc4736c49a0a9335412a9a75758f904c0f95

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2154825/
Cape
Cape
https://www.capesandbox.com/analysis/264597/

Comments


Avatar
zbet commented on 2022-04-19 11:36:39 UTC

url : hxxp://192.169.7.234/hostads.exe