MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 83a67ecd166b919255b264718993c284a3238971a24c939c45e0c525f3361a43. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DanaBot


Vendor detections: 7



SHA256 hash: 83a67ecd166b919255b264718993c284a3238971a24c939c45e0c525f3361a43
SHA3-384 hash: 6486ce633f4eafd5783870db72ac3ea2b19c4210c36f1b079f5dddb10885e745da04c578dc82c599a7c775b06ac57ada
SHA1 hash: 93ff8577a13146091e40349fa523a6f54bd5fa2a
MD5 hash: 3a4299537272d8671d85c99c17918e99
humanhash: uranus-pennsylvania-network-tango
File name: 83a67ecd166b919255b264718993c284a3238971a24c939c45e0c525f3361a43.bin
Signature: DanaBot
File size: 5'505'008 bytes
First seen: 2021-01-25 14:36:04 UTC
Last seen: 2021-01-25 17:23:13 UTC
File type: DLL
MIME type: application/x-dosexec
imphash: 24e8b613b142e6e7c0c5d1af8e388ac7 (1 x DanaBot)
ssdeep: 98304:7P3PKS68enckSbkRQ4QlBgpo/RN7MFUZO9XIMh2YVSPu:7vPKSA7WT6vh
Threatray: 3 similar samples on MalwareBazaar
TLSH: 3346AF12F740C53AD0660635567BE6B4593FBA201B35C8AFD7E48858CF35780762B2BB
Reporter: tildedennis
Tags: DanaBot

Intelligence


File Origin
# of uploads: 2
# of downloads: 510
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
DNS request
Launching a process
Creating a window
Creating a file in the %temp% directory
Modifying an executable file
Changing a file
Sending a custom TCP request
Sending a UDP request
Infecting executable files
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: spyw.evad
Score: 72 / 100
Signature
Bypasses PowerShell execution policy
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph (ID: 343942; Sample: zJvGq2yaj1.bin; Startdate: 25/01/2021; Architecture: WINDOWS; Score: 72)
Root node: DNS lookups for 8.8.8.8.in-addr.arpa and localhost; signatures: Multi AV Scanner detection for submitted file, Machine Learning detection for sample, Bypasses PowerShell execution policy.
Process chain: loaddll32.exe starts four rundll32.exe instances. One of them (flagged for querying sensitive network adapter information via WMI) and two others crash into WerFault.exe; one WerFault.exe contacts 192.168.2.1 (unknown). A further rundll32.exe, spawned by the first, connects to 149.129.212.179:443 from local port 49732 (CNNIC-ALIBABA-US-NET-AP, Alibaba US Technology Co Ltd, Singapore), drops C:\Users\user\AppData\...\tmp8756.tmp.ps1 (ASCII) and C:\Users\user\AppData\Local\...\Web Data (SQLite), is flagged for "System process connects to network (likely due to code injection or exploit)" and "Tries to harvest and steal browser information (history, passwords, etc)", and starts two powershell.exe processes, each with its own conhost.exe.
Threat name: Win32.Trojan.DanaBot
Status: Malicious
First seen: 2021-01-16 12:57:42 UTC
AV detection: 19 of 29 (65.52%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: discovery ransomware spyware
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Enumerates physical storage devices
Checks installed software on the system
Drops desktop.ini file(s)
Reads user/profile data of web browsers
Blocklisted process makes network request
Unpacked files
SHA256 hash: e5883c440d9b4b0d06369665a825e70152fe796f8d16077b0a884b8bc23300fc
MD5 hash: 97687a78eced7b16640a2b02da73518b
SHA1 hash: 35956359cf25ea197f9ea0a0c76346aa8b34f6a8
SHA256 hash: 83a67ecd166b919255b264718993c284a3238971a24c939c45e0c525f3361a43
MD5 hash: 3a4299537272d8671d85c99c17918e99
SHA1 hash: 93ff8577a13146091e40349fa523a6f54bd5fa2a
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Email_stealer_bin_mem
Author: James_inthe_box
Description: Email in files like avemaria

Rule name: hunt_skyproj_backdoor
Author: SBousseaden
Reference: https://unit42.paloaltonetworks.com/unit42-prince-persia-ride-lightning-infy-returns-foudre/

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Author: ditekSHen
Description: Detects executables referencing many file transfer clients. Observed in information stealers

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: @ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name: Keylog_bin_mem
Author: James_inthe_box
Description: Contains Keylog

Rule name: Ping_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del

Rule name: Select_from_enumeration
Author: James_inthe_box
Description: IP and port combo

Rule name: Stealer_word_in_memory
Author: James_inthe_box
Description: The actual word stealer in memory

Rule name: with_sqlite
Author: Julian J. Gonzalez <info@seguridadparatodos.es>
Description: Rule to detect the presence of SQLite data in raw image
Reference: http://www.st2labs.com

File information


The table below shows additional information about this malware sample such as delivery method and external references.
