MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f5670e8e840235bda7a41acc5df942faa6e995ff5f63d09a5cad39592afaaa1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8f5670e8e840235bda7a41acc5df942faa6e995ff5f63d09a5cad39592afaaa1
SHA3-384 hash: cd60e4bd445eef2c8ccc2238ffa4d55ec0d86836b309371b4118f9da572554cb6c0c2b7e8174dd8a4ed6c46bdf746193
SHA1 hash: e4e7d35342ad925c3777648dcc5b928996c5132a
MD5 hash: 0f98fd6b7bf409d245491235c3b3a235
humanhash: monkey-vermont-double-carbon
File name:8f.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:3'987'968 bytes
First seen:2023-12-29 12:56:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 601703ff6bf1fccb6a916d7776a11fa1 (2 x SchoolBoy, 1 x DanaBot)
ssdeep 98304:JO6busnsQw2+V6joFxBY0NX3UHdq+pqmav:J7bussB2I6joFjY0NkHHsmav
Threatray 17 similar samples on MalwareBazaar
TLSH T13506E036F284A53EC4AE05394637A694D57FB762B51ACC1B96E008CCCF690807E3B65F
TrID 58.3% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
14.7% (.EXE) Win64 Executable (generic) (10523/12/4)
9.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter 0x746f6d6669
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
372
Origin country :
DE DE
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Searching for synchronization primitives
Creating a window
Sending a custom TCP request
Creating a service
Modifying a system file
Changing a file
Launching a service
Restart of the analyzed sample
Adding a root certificate
Setting a new proxy server as a default one
Enabling the use of the proxy server
Creating a file in the %AppData% subdirectories
Modifying an executable file
Creating a file
Sending a UDP request
Creating a file in the %temp% directory
Reading critical registry keys
Using the Windows Management Instrumentation requests
Enabling autorun for a service
Changing critical settings of the Internet Explorer browser
Stealing user critical data
Unauthorized injection to a system process
Infecting executable files
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
barys danabot packed
Link:
https://www.filescan.io/uploads/658ec21ef4b6e5e1635ef7c7/reports/2e44dcd3-3cdb-4dd8-bfdd-0b096f99ec53/overview
Verdict:
Malicious
Labled as:
Barys.Generic
Link:
https://www.hybrid-analysis.com/sample/8f5670e8e840235bda7a41acc5df942faa6e995ff5f63d09a5cad39592afaaa1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a1249cef-0d57-4176-a6d2-ca854f389a0f
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
phis.bank.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1367979
Signature
Antivirus / Scanner detection for submitted sample
Enables a proxy for the internet explorer
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
May use the Tor software to hide its network traffic
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Overwrites Mozilla Firefox settings
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sets a proxy for the internet explorer
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1367979 Sample: 8f.exe Startdate: 29/12/2023 Architecture: WINDOWS Score: 100 71 Antivirus / Scanner detection for submitted sample 2->71 73 Multi AV Scanner detection for submitted file 2->73 75 Yara detected DanaBot stealer dll 2->75 77 Machine Learning detection for sample 2->77 8 8f.exe 4 2->8         started        11 8f.exe 2->11         started        process3 signatures4 83 May use the Tor software to hide its network traffic 8->83 13 rundll32.exe 19 214 8->13         started        18 rundll32.exe 11->18         started        process5 dnsIp6 65 185.225.69.230, 433, 49732, 50447 NET23-ASHU Hungary 13->65 67 185.225.69.33, 443, 49729 NET23-ASHU Hungary 13->67 69 2 other IPs or domains 13->69 55 C:\Users\user\AppData\Roaming\...\prefs.js, ASCII 13->55 dropped 57 C:\Users\user\AppData\Roaming\...\pkcs11.txt, ASCII 13->57 dropped 59 C:\Users\user\AppData\...\permissions.sqlite, SQLite 13->59 dropped 61 15 other malicious files 13->61 dropped 85 System process connects to network (likely due to code injection or exploit) 13->85 87 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 13->87 89 Tries to steal Instant Messenger accounts or passwords 13->89 91 7 other signatures 13->91 20 rundll32.exe 13->20         started        24 schtasks.exe 13->24         started        26 schtasks.exe 13->26         started        30 28 other processes 13->30 28 8f.exe 18->28         started        file7 signatures8 process9 file10 47 C:\Users\user\AppData\...\key4.db-journal, SQLite 20->47 dropped 49 C:\Users\user\AppData\Roaming\...\key4.db, SQLite 20->49 dropped 51 C:\Users\user\AppData\...\cert9.db-journal, SQLite 20->51 dropped 53 C:\Users\user\AppData\Roaming\...\cert9.db, SQLite 20->53 dropped 79 Overwrites Mozilla Firefox settings 20->79 81 Tries to harvest and steal browser information (history, passwords, etc) 20->81 32 conhost.exe 24->32         started        34 conhost.exe 26->34         started        36 rundll32.exe 28->36         started        39 conhost.exe 30->39         started        41 conhost.exe 30->41         started        43 conhost.exe 30->43         started        45 25 other processes 30->45 signatures11 process12 dnsIp13 63 127.0.0.1 unknown unknown 36->63
Score:
89%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8f5670e8e840235bda7a41acc5df942faa6e995ff5f63d09a5cad39592afaaa1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8f5670e8e840235bda7a41acc5df942faa6e995ff5f63d09a5cad39592afaaa1/
Threat name:
Win32.Trojan.DanaBot
Create hunting rule
Status:
Malicious
First seen:
2023-12-21 15:47:41 UTC
File Type:
PE (Exe)
AV detection:
20 of 23 (86.96%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r5lhb2hiiarvxwt2igwmlx4uf6vg5gk76x3d2cnfzljzlevpvkqq._file
Verdict:
malicious
Similar samples:
0541ef965db2b921d8f8af92f0fb84ee1561d7bb08c94cfb1847da06434f91f7
DanaBot
3df32d524992f968916e631554d797540648b61e511355cd48dea0f21d09b904
DanaBot
611cad21a5fd2a344b7c6b45a78ac771df952c267812f894707d35fce0c59b13
DanaBot
6d0d0bfb0234dfe8b53845a003af0e8dc32f3be55a93a5a0ac7850f24c6df80a
DanaBot
76036d4aabf28f8a735919c2f9fccf8c4290dd41ff7ebb5d25d08f1278b240bb
DanaBot
858e68680bd069abc15038f92335361700eaf36ac9aa61ff8c54f555eb83939f
DanaBot
8f5670e8e840235bda7a41acc5df942faa6e995ff5f63d09a5cad39592afaaa1
DanaBot
8ffd4fd0e29d6888e9eaf78a6f698436f8a4477cdba8b6271015f7b012d1f8e0
DanaBot
+ 7 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/231229-p6xg1shbe9/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
be2b01232e9f5a9c8bb736ec3380cd8eb2d5b6d582922ac11e2e122981f21328
MD5 hash:
7f292a5efb4ab6681bc008bac379e2ea
SHA1 hash:
6c5807da9136b4bb839ad76bea613892bc0f72e0
Detections:
win_sinowal_w1
Create hunting rule
Link:
https://www.unpac.me/results/64f4e9c1-4c82-4338-854a-e03964b36473/
SH256 hash:
8f5670e8e840235bda7a41acc5df942faa6e995ff5f63d09a5cad39592afaaa1
MD5 hash:
0f98fd6b7bf409d245491235c3b3a235
SHA1 hash:
e4e7d35342ad925c3777648dcc5b928996c5132a
Link:
https://www.unpac.me/results/64f4e9c1-4c82-4338-854a-e03964b36473/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8f5670e8e840235bda7a41acc5df942faa6e995ff5f63d09a5cad39592afaaa1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments