MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DanaBot


Vendor detections: 15


SHA256 hash: 8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d
SHA3-384 hash: d95cdbdff014119e85db6818882a9f5ab676cf91e0b85b586deffd0417edbf94a01d11cc608014a3589ca6a40466e34e
SHA1 hash: 2e8c54593b569fe814e1832b9178458a1a29502b
MD5 hash: 9240aca1f525f6e95cda49f229c524a9
humanhash: princess-mockingbird-vegan-cola
File name: 8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d
Signature: DanaBot
File size: 16'043'294 bytes
First seen: 2024-10-01 11:47:27 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 63ed59597dad42eeec3f01fae0ba2a2e (2 x Mydoom, 1 x DanaBot)
ssdeep: 393216:1ZNVjchuWAR4qmA0ME5py3stm+VtSLuosYc4/sOG5PE:XNVjchuWARCVdA3sto6oT/sOG9E
Threatray: 1 similar samples on MalwareBazaar
TLSH: T13CF6F131764AC86BD56621B0293CAAAE911C7D360B711CC7B3EC7D5A17758C32633E2B
TrID:
  68.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
  12.5% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
  5.3% (.EXE) Win32 Executable (generic) (4504/4/1)
  2.4% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
dhash icon: 6ded69c7b130b2c0 (12 x CryptBot, 8 x ValleyRAT, 4 x NetSupport)
Reporter: JAMESWT_WT
Tags: 23-95-182-47 DanaBot exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 390
Origin country: IT

Vendor Threat Intelligence
Malware family: danabot
ID: 1
File name: 8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d
Verdict: Malicious activity
Analysis date: 2024-10-01 12:04:10 UTC
Tags: danabot stealer danabot-unpacked

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.9%
Tags: Danabot Gumen

Result
Verdict: Suspicious
Maliciousness:
Behaviour
Creating a window
Creating synchronization primitives
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Restart of the analyzed sample
Launching a process
Searching for synchronization primitives
Searching for the window
Modifying a system file
Creating a file in the Windows subdirectories
Creating a file
Creating a process from a recently created file
DNS request
Connection attempt
Sending a custom TCP request
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm epmicrosoft_visual_cc expand fingerprint lolbin microsoft_visual_cc msiexec overlay packed packed setupapi shell32

Result
Verdict: UNKNOWN

Result
Threat name: DanaBot
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Contains functionality to infect the boot sector
Loading BitLocker PowerShell Module
May use the Tor software to hide its network traffic
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph (ID 1523337; sample CEjWMdiJnR.exe; start date 01/10/2024; architecture WINDOWS; score 100):
- Signatures at the root node: Suricata IDS alerts for network traffic; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 6 other signatures
- Network contacts: vip.bitwarsoft.com; 79.141.165.150, 443, 49740, 49742 (HZ-NL-ASGB, Bulgaria); 23.95.182.47, 443, 49739, 49741 (AS-COLOCROSSINGUS, United States); 2 other IPs or domains (all from the EasePaint.exe child of msiexec.exe)
- Processes started from the root: msiexec.exe, CEjWMdiJnR.exe, EasePaint.exe
- msiexec.exe drops C:\Windows\Installer\MSID5A4.tmp, C:\Windows\Installer\MSID564.tmp, C:\Windows\Installer\MSID525.tmp (PE32) and 10 other files (9 malicious); starts EasePaint.exe and two further msiexec.exe instances
- CEjWMdiJnR.exe drops C:\Users\user\AppData\Roaming\...\ycomuiu.dll, C:\Users\user\AppData\Roaming\...\update2.dll, C:\Users\user\AppData\Roaming\...\libcurl.dll (PE32) and 9 other files (4 malicious); starts a second CEjWMdiJnR.exe
- EasePaint.exe (child of msiexec.exe): May use the Tor software to hide its network traffic; Adds a directory exclusion to Windows Defender; starts cmd.exe and WmiPrvSE.exe
- Second CEjWMdiJnR.exe drops C:\Users\user\AppData\Local\...\shiD08D.tmp (PE32+); starts msiexec.exe
- cmd.exe: Adds a directory exclusion to Windows Defender; starts powershell.exe and conhost.exe
- powershell.exe: Loading BitLocker PowerShell Module
Threat name: Win32.Trojan.Danabot
Status: Suspicious
First seen: 2024-09-26 19:58:38 UTC
File Type: PE (Exe)
Extracted files: 102
AV detection: 13 of 24 (54.17%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: bootkit discovery persistence
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates connected drives
Writes to the Master Boot Record (MBR)
Executes dropped EXE
Loads dropped DLL
Verdict: Suspicious
Tags: n/a
YARA: n/a

Unpacked files
SHA256 hash: 44d8f2a139683a90add8e1e290a9dc558abfde43c93aba9b500b1af453b8097d
MD5 hash: 8c1fcbab52bf21fd47d8226578175cb0
SHA1 hash: 067517304c6f12dcd7d4c1f479edb415663b3c60

SHA256 hash: 8724823c104bbb4ec3f7192eac1c97b482fd129e7550201cb77cae0c066ab09d
MD5 hash: 9240aca1f525f6e95cda49f229c524a9
SHA1 hash: 2e8c54593b569fe814e1832b9178458a1a29502b
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: APT_Sandworm_ArguePatch_Apr_2022_1
Author: Arkbird_SOLG
Description: Detect ArguePatch loader used by Sandworm group to load CaddyWiper
Reference: https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: pe_detect_tls_callbacks

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high

Reviews
ID | Capabilities | Evidence
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessW, KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::LoadLibraryW, KERNEL32.dll::LoadLibraryExA, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::WriteConsoleW, KERNEL32.dll::ReadConsoleW, KERNEL32.dll::SetConsoleTextAttribute, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleOutputCP, KERNEL32.dll::GetConsoleScreenBufferInfo, KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CopyFileW, KERNEL32.dll::CopyFileExW, KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateFileW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::MoveFileW, KERNEL32.dll::MoveFileExW

Comments