MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8168e72597979efd028fe3160e86749c1553f5665ddabd8db8bb6ecda400fd73. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8168e72597979efd028fe3160e86749c1553f5665ddabd8db8bb6ecda400fd73
SHA3-384 hash: 4beca4cc8b43f106ef217abe4951e01744d9790fdd4940bab4193351c01b2fceb83debecd94bf02936db7ab22b000753
SHA1 hash: db19d638bb8a73c9f82f90b5e570a66c20c1b5a1
MD5 hash: 23b8b48049242a91942a9ab9b953bcf0
humanhash: fix-blue-illinois-mike
File name:SUKUFXWO.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:8'424'908 bytes
First seen:2025-02-11 06:58:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b5a014d7eeb4c2042897567e1288a095 (21 x HijackLoader, 14 x ValleyRAT, 12 x LummaStealer)
ssdeep 196608:+pp6AyYCVKr7BwzvgIium/X6UiAa2G8lfaG7jhMfKHjT/3bOR6uR:+pp6Ir7BrIPUiVAfaMkKDrb068
Threatray 133 similar samples on MalwareBazaar
TLSH T14E8633827F5068F2C5FC06B98E12A7A9F577E65A76810F97420D5F8E0ED325223170EB
TrID 38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
24.6% (.EXE) Win64 Executable (generic) (10522/11/4)
11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.7% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
File icon (PE):PE icon
dhash icon c292ecd8f2f6fe1c (15 x HijackLoader, 11 x LummaStealer, 7 x Arechclient2)
Reporter JAMESWT_WT
Tags:87-121-221-124 ClickFix DanaBot exe FakeCaptcha Spam-ITA

Intelligence

File Origin
# of uploads :
1
# of downloads :
410
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://concernguest74549.com/
Verdict:
Malicious activity
Analysis date:
2025-02-11 05:15:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9b249983-bfc7-4bf7-b28d-56a48b326990

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.PUA.Win32.CandyOpen.23887.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67aaf581f667f46cd182f04a
Tags:
danabot spam
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Launching cmd.exe command interpreter
Creating a file in the %temp% directory
Connection attempt
Transferring files using the Background Intelligent Transfer Service (BITS)
Enabling the 'hidden' option for recently created files
Launching a process
Sending a custom TCP request
Searching for synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Labled as:
Win/grayware_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/8168e72597979efd028fe3160e86749c1553f5665ddabd8db8bb6ecda400fd73
Result
Verdict:
MALICIOUS
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/867d519d-b636-4623-a13e-cbd9ce8df7cc
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1611799
Signature
Contains functionality to infect the boot sector
Drops PE files to the user root directory
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May use the Tor software to hide its network traffic
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1611799 Sample: SUKUFXWO.exe Startdate: 11/02/2025 Architecture: WINDOWS Score: 100 71 Malicious sample detected (through community Yara rule) 2->71 73 Multi AV Scanner detection for dropped file 2->73 75 Multi AV Scanner detection for submitted file 2->75 77 3 other signatures 2->77 9 SUKUFXWO.exe 10 2->9         started        13 AppCheck.exe 1 2->13         started        process3 file4 39 C:\Users\user\vcruntime140.dll, PE32+ 9->39 dropped 41 C:\Users\user\msvcp140.dll, PE32+ 9->41 dropped 43 C:\Users\user\mfc140u.dll, PE32+ 9->43 dropped 45 C:\Users\user\AppCheck.exe, PE32+ 9->45 dropped 89 Drops PE files to the user root directory 9->89 15 AppCheck.exe 7 9->15         started        91 Maps a DLL or memory area into another process 13->91 93 Found direct / indirect Syscall (likely to bypass EDR) 13->93 19 cmd.exe 2 13->19         started        signatures5 process6 file7 49 C:\Users\user\AppData\...\vcruntime140.dll, PE32+ 15->49 dropped 51 C:\Users\user\AppData\...\msvcp140.dll, PE32+ 15->51 dropped 53 C:\Users\user\AppData\Roaming\...\mfc140u.dll, PE32+ 15->53 dropped 55 C:\Users\user\AppData\...\AppCheck.exe, PE32+ 15->55 dropped 63 Contains functionality to infect the boot sector 15->63 65 Found direct / indirect Syscall (likely to bypass EDR) 15->65 21 AppCheck.exe 1 15->21         started        57 C:\Users\user\AppData\Local\Temp\lgttotdabr, PE32 19->57 dropped 67 Injects code into the Windows Explorer (explorer.exe) 19->67 69 Writes to foreign memory regions 19->69 24 explorer.exe 4 19->24         started        27 conhost.exe 19->27         started        signatures8 process9 dnsIp10 83 Contains functionality to infect the boot sector 21->83 85 Maps a DLL or memory area into another process 21->85 87 Found direct / indirect Syscall (likely to bypass EDR) 21->87 29 cmd.exe 4 21->29         started        61 127.0.0.1 unknown unknown 24->61 signatures11 process12 file13 47 C:\Users\user\AppData\Local\...\imikorvegxvli, PE32 29->47 dropped 95 Injects code into the Windows Explorer (explorer.exe) 29->95 97 May use the Tor software to hide its network traffic 29->97 99 Writes to foreign memory regions 29->99 101 3 other signatures 29->101 33 explorer.exe 4 29->33         started        37 conhost.exe 29->37         started        signatures14 process15 dnsIp16 59 87.121.221.124, 443, 61557, 61558 TING-WIRELESSUS Bulgaria 33->59 79 System process connects to network (likely due to code injection or exploit) 33->79 81 Switches to a custom stack to bypass stack traces 33->81 signatures17
Score:
91%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8168e72597979efd028fe3160e86749c1553f5665ddabd8db8bb6ecda400fd73
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8168e72597979efd028fe3160e86749c1553f5665ddabd8db8bb6ecda400fd73/
Threat name:
Win32.Trojan.Danabot
Create hunting rule
Status:
Malicious
First seen:
2025-02-11 05:02:56 UTC
File Type:
PE (Exe)
Extracted files:
1095
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qfuoojmxs6pp2aup4mla5btutqkvh5lglxnl3dnyxnxm3jaa7vzq._file
Verdict:
malicious
Label(s):
danabot
Create hunting rule
idatloader
Create hunting rule
Similar samples:
255262d443f57a58458117d1186b48f70cf884a2f8fa3e49f9c5d38ae67c4659
DanaBot
2ef2d5e126c0508e5a8d9d4d9fa08d60d4987b4ca401a8d2d62c89a8ef4bcc0f
DanaBot
322a2b32005029ca49715f5d66f87e5a2b446dd5106b0397d3c7b11766f28c8d
DanaBot
346316f470d2abb3e17fcf0f6d837749d0ab9da1a6518fd80649e04ec3c0665d
DanaBot
478f2217eec481432feda4860d9499f6a5109604fab08c305ba7d1a193082914
DanaBot
4e906e880e35e4bc0de7e9375fc0feb5757374ca0bb628dff6366174536d6183
DanaBot
68387cba37fa58eeab0ae343b68b5d135c9025767eae462c73fccf33667ea974
DanaBot
8168e72597979efd028fe3160e86749c1553f5665ddabd8db8bb6ecda400fd73
DanaBot
ce8eb3f6ba7773ff7460985a2b7ff7bbaa38d1079bae650d69844281fda267cb
DanaBot
error
DanaBot
+ 123 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery
Link:
https://tria.ge/reports/250211-hr6ntayrgq/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0a506e92-2eed-432a-9c1f-78f15c02cc92
Unpacked files
SH256 hash:
8168e72597979efd028fe3160e86749c1553f5665ddabd8db8bb6ecda400fd73
MD5 hash:
23b8b48049242a91942a9ab9b953bcf0
SHA1 hash:
db19d638bb8a73c9f82f90b5e570a66c20c1b5a1
Link:
https://www.unpac.me/results/b201480d-b11d-4125-9147-5d4508055582/
SH256 hash:
517cd3aac2177a357cca6032f07ad7360ee8ca212a02dd6e1301bf6cfade2094
MD5 hash:
9ff712c25312821b8aec84c4f8782a34
SHA1 hash:
1a7a250d92a59c3af72a9573cffec2fcfa525f33
Link:
https://www.unpac.me/results/b201480d-b11d-4125-9147-5d4508055582/
SH256 hash:
ea987229c8d4e647e0b5a0d6dd08cce9d15e78f74cb5fb5c86a7e9ea6a5ecc82
MD5 hash:
12036e16310e548a54053aa871464557
SHA1 hash:
596411a182c5de8a68d7d93efda26f1158c33666
Link:
https://www.unpac.me/results/b201480d-b11d-4125-9147-5d4508055582/
Malware family:
HijackLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8168e7259797/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8168e72597979efd028fe3160e86749c1553f5665ddabd8db8bb6ecda400fd73

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 8168e72597979efd028fe3160e86749c1553f5665ddabd8db8bb6ecda400fd73

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3435839/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CreateStreamOnHGlobal
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::ShellExecuteW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetDiskFreeSpaceExW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::GetSystemDirectoryW
KERNEL32.dll::GetFileAttributesW
KERNEL32.dll::FindFirstFileW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExW

Comments