MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b31ce85872a2d41ea6e3181066790e56d4fb29d593ba9a156e12133490799ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 15


Intelligence 15 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9b31ce85872a2d41ea6e3181066790e56d4fb29d593ba9a156e12133490799ca
SHA3-384 hash: bb5902af43e751fae9e154497b5b2be52b450dbb1b4276584e910a0c0a6babc651d50b6410b17bf9aa9afaf3ba914c63
SHA1 hash: 5bdc488ee5c3139260fad6957fedfd9167427011
MD5 hash: d6b80519cb7c625d200d2899c345c8c6
humanhash: cardinal-cardinal-island-red
File name:SecuriteInfo.com.Win32.SpywareX-gen.216.26731
Download: download sample
Signature DanaBot
Create hunting rule
File size:3'715'072 bytes
First seen:2024-09-15 17:25:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3515998abe0aea14ac46a446bebe93d1 (2 x DanaBot)
ssdeep 49152:RNBYHNB+FpvtioVlIhjVocyP1T8C89G89io3LZWMcuEyhtxUssFaTIQ0IHZTQ5:RNKtwFtDVlIhpnyO966LZ0iOblQ0IC
TLSH T10406E132F244E67EE49E0A39407769A4993F77627916CC5A56F0488CCF3D280777A28F
TrID 58.3% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
14.7% (.EXE) Win64 Executable (generic) (10523/12/4)
9.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter SecuriteInfoCom
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
364
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
acentric.exe
Verdict:
Malicious activity
Analysis date:
2024-09-11 14:09:30 UTC
Tags:
xor-url generic amadey botnet stealer payload loader pastebin metastealer redline stealc cryptbot
Link:
https://app.any.run/tasks/e368a6dc-1077-4d87-aaa7-2dd669f2a5c5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.SpywareX-gen.216.26731.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66e718ae2ebf76853bd5ce6c
Tags:
Danabot
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
barys danabot embarcadero_delphi fingerprint packed
Link:
https://www.filescan.io/uploads/66e718adede3a801b07eae7d/reports/16625ad8-2e6d-4fab-8f89-5aa1b639a051/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/9b31ce85872a2d41ea6e3181066790e56d4fb29d593ba9a156e12133490799ca
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f3bd5cd9-5c24-421e-a666-70d256aa8c83
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1511570
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
May use the Tor software to hide its network traffic
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9b31ce85872a2d41ea6e3181066790e56d4fb29d593ba9a156e12133490799ca
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9b31ce85872a2d41ea6e3181066790e56d4fb29d593ba9a156e12133490799ca/
Threat name:
Win32.Trojan.Danabot
Create hunting rule
Status:
Malicious
First seen:
2024-08-24 10:44:00 UTC
File Type:
PE (Exe)
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tmy45bmhfiwud2toggaqmz4q4vwu7mu5le52tikw4eqtgsihthfa._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/240915-vzvmqsvaje/
Behaviour
Checks processor information in registry
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/665d6b48-6c56-47f7-9d77-d2a5ca388c04
Unpacked files
SH256 hash:
55ee844c644973e44ba4c079d814df0906ada8306ae76f643d27b5e048d9af90
MD5 hash:
415c7fbcd757f05192b60459f9a679ec
SHA1 hash:
fa8f0b05292c8be48bbadd6c51395c069e06788e
Detections:
Danabot
Create hunting rule
win_sinowal_w1
Create hunting rule
Link:
https://www.unpac.me/results/75c990c8-6beb-47c1-a1bb-6660d6754fd1/
SH256 hash:
9b31ce85872a2d41ea6e3181066790e56d4fb29d593ba9a156e12133490799ca
MD5 hash:
d6b80519cb7c625d200d2899c345c8c6
SHA1 hash:
5bdc488ee5c3139260fad6957fedfd9167427011
Link:
https://www.unpac.me/results/75c990c8-6beb-47c1-a1bb-6660d6754fd1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9b31ce85872a2d41ea6e3181066790e56d4fb29d593ba9a156e12133490799ca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Windows_Generic_Threat_d7e5ec2d
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 9b31ce85872a2d41ea6e3181066790e56d4fb29d593ba9a156e12133490799ca

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3174578/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3174617/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryExW
kernel32.dll::LoadLibraryA
kernel32.dll::LoadLibraryW
kernel32.dll::GetDriveTypeW
kernel32.dll::GetVolumeInformationW
kernel32.dll::GetSystemInfo
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateDirectoryW
kernel32.dll::CreateFileMappingW
kernel32.dll::CreateFileW
kernel32.dll::GetFileAttributesW
kernel32.dll::FindFirstFileW
version.dll::GetFileVersionInfoSizeW
WIN_BASE_USER_APIRetrieves Account Informationkernel32.dll::QueryDosDeviceW
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExW
advapi32.dll::RegQueryValueExW
WIN_USER_APIPerforms GUI Actionsuser32.dll::PeekMessageW

Comments