MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 83c9a8504decec28bc73c3f7130d5aeffe64d2b21982f4afb234ec1f4f51dcd1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 83c9a8504decec28bc73c3f7130d5aeffe64d2b21982f4afb234ec1f4f51dcd1
SHA3-384 hash: a801acbe8976f0950b51a998dd5d481d9ad437c187293394d4c350a3aec182ce061b2ec03c7ee1b57b66ea424e02214b
SHA1 hash: e6758f3196b02e1fbba8e22ea2076bdc7685c186
MD5 hash: 4ec074c0e895d7b60d4518a25681c1f5
humanhash: sweet-friend-edward-iowa
File name:4ec074c0e895d7b60d4518a25681c1f5.msi
Download: download sample
Signature DanaBot
Create hunting rule
File size:19'644'416 bytes
First seen:2024-09-06 07:25:54 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 393216:TGjIuCBmV96pYU95IbbW+75yf4mjCa6prMnIJvdvxrpcHL:TwymV9UB5Iu+0Amj9Y8INtwH
Threatray 7 similar samples on MalwareBazaar
TLSH T1421733D680AACF69D0D80432A2D88BD89C733C474B464D55731BBB612DBFDC5BAB118E
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter abuse_ch
Tags:DanaBot msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
84
Origin country :
NL NL
Vendor Threat Intelligence
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66daae95f3d7ccf99f90211a
Tags:
Network Stealth
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
crypto fingerprint installer keylogger packed
Link:
https://www.filescan.io/uploads/66daae92e19c06a3e691f871/reports/3bb46200-db7b-4f1d-9437-f5886e22f887/overview
Verdict:
Suspicious
Link:
https://www.hybrid-analysis.com/sample/83c9a8504decec28bc73c3f7130d5aeffe64d2b21982f4afb234ec1f4f51dcd1
Result
Verdict:
UNKNOWN
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1505452
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
May use the Tor software to hide its network traffic
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1505452 Sample: giceHI13Oz.msi Startdate: 06/09/2024 Architecture: WINDOWS Score: 100 42 206.23.85.13.in-addr.arpa 2->42 52 Suricata IDS alerts for network traffic 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 Multi AV Scanner detection for dropped file 2->56 58 7 other signatures 2->58 9 msiexec.exe 92 52 2->9         started        12 pdfconv.exe 4 2->12         started        14 msiexec.exe 3 2->14         started        signatures3 process4 file5 28 C:\Users\user\AppData\Local\...\pdfconv.exe, PE32 9->28 dropped 30 C:\Users\user\AppData\Local\...\wrs6.dll, PE32 9->30 dropped 32 C:\Users\user\AppData\Local\...\wps32.dll, PE32 9->32 dropped 34 9 other files (none is malicious) 9->34 dropped 16 pdfconv.exe 11 289 9->16         started        process6 dnsIp7 36 77.238.249.183, 443, 52288, 52293 TELERU-ASRU Russian Federation 16->36 38 89.40.206.111, 443, 52287, 52290 M247GB Romania 16->38 40 2 other IPs or domains 16->40 44 Tries to steal Instant Messenger accounts or passwords 16->44 46 May use the Tor software to hide its network traffic 16->46 48 Tries to harvest and steal browser information (history, passwords, etc) 16->48 50 Adds a directory exclusion to Windows Defender 16->50 20 cmd.exe 1 16->20         started        signatures8 process9 signatures10 60 Adds a directory exclusion to Windows Defender 20->60 23 powershell.exe 23 20->23         started        26 conhost.exe 20->26         started        process11 signatures12 62 Loading BitLocker PowerShell Module 23->62
Score:
39%
Verdict:
Susipicious
File Type:
ARCHIVE
Link:
https://malprob.io/report/83c9a8504decec28bc73c3f7130d5aeffe64d2b21982f4afb234ec1f4f51dcd1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/83c9a8504decec28bc73c3f7130d5aeffe64d2b21982f4afb234ec1f4f51dcd1/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qpe2qucn5twcrpdtyp3rgdk2577gjuvsdgbpjl5sgtwb6t2r3tiq._file
Verdict:
malicious
Similar samples:
15f6928d92e45e84173ff103c1d5765c4341537e7b91a271078933bf110c7ba4
DanaBot
7a15dd944f05b7280ae9d297f7707f5ee712821fbae770930bae1539cf9e0b4e
DanaBot
9d25b565f166c9adb610fd56fff3abc551330bb17bad085a61774033cde35d7a
DanaBot
cd3dbac3df5748f3de3c0414d222b4e7d370e77037813541a298646f69513214
DanaBot
f4b1f75feb5864acae90b00168dda506c169334a98bb7a147e33e18725a660a4
DanaBot
fddacfe9e490250e62f7f30b944fcbe122e87547d01c4a906401049304c395f7
DanaBot
Result
Malware family:
n/a
Score:
  9/10
Tags:
collection credential_access discovery evasion execution persistence privilege_escalation spyware stealer
Link:
https://tria.ge/reports/240906-h9jl1atcrp/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Checks installed software on the system
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Adds Run key to start application
Enumerates connected drives
Modifies Windows Firewall
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Credentials from Password Stores: Credentials from Web Browsers
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/cd64eba3-dfe2-42c1-bbee-537426167ddc
Malware family:
CryptBot.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/83c9a8504dec/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.79
Link:
https://yomi.yoroi.company/submissions/83c9a8504decec28bc73c3f7130d5aeffe64d2b21982f4afb234ec1f4f51dcd1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Microsoft Software Installer (MSI) msi 83c9a8504decec28bc73c3f7130d5aeffe64d2b21982f4afb234ec1f4f51dcd1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3116351/
  
Delivery method
Distributed via web download

Comments