MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a809b6ffd9241ec430d4ab5c866566365b642a9e553f811cbf5f3dc5acdd0ce5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 13


Intelligence 13 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a809b6ffd9241ec430d4ab5c866566365b642a9e553f811cbf5f3dc5acdd0ce5
SHA3-384 hash: d0090e21eaffe402b58bb660b87315a01b85501549030e5121373431f23229507c31bb3e7d1abb09389414df05ffe935
SHA1 hash: 9668d375b80f244cfc1f340188e546485b40de29
MD5 hash: 922e83e52f23027ae00d4ef9294d71dd
humanhash: south-nuts-london-magnesium
File name:file
Download: download sample
Signature DanaBot
Create hunting rule
File size:4'052'992 bytes
First seen:2024-01-12 13:05:18 UTC
Last seen:2024-01-12 14:21:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'649 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 98304:+YGMTbZifvqUHjvdmdUZNjXbdXuJvCqtiQ6ovaMO9f:bG2wvZVG2NdXyCqZBvQ
Threatray 48 similar samples on MalwareBazaar
TLSH T16116339DEFE5C323C097C8B6E7C3E38FA2D4E663A502FB184487C455E9A6B7405150AB
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 8e924c94d3c91c28 (1 x UACModuleSmokeLoader, 1 x DanaBot)
Reporter andretavare5
Tags:DanaBot exe


Avatar
andretavare5
Sample downloaded from https://vk.com/doc418490229_670653939?hash=ZjdmycPXRBK9qfzY1RvJgqGzjPX8eRgBiyh9B3NmA7L&dl=T6ijbhZIkQjwGvfJy2pZKfOABxpMuCgAy4uliMSZdT4&api=1&no_preview=1#ab3

Intelligence

File Origin
# of uploads :
2
# of downloads :
349
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/470509/
Detection(s):
SecuriteInfo.com.Win32.BootkitX-gen.131.30826.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Searching for the window
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm obfuscated packed packed smartassembly smart_assembly
Link:
https://www.filescan.io/uploads/65a1393e8369fab94deb5b4d/reports/5546b681-a666-49b2-9503-f94b09bd3e24/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/a809b6ffd9241ec430d4ab5c866566365b642a9e553f811cbf5f3dc5acdd0ce5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/de13db02-b006-4968-8824-92dbb9cf0df0
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1373708
Signature
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
May use the Tor software to hide its network traffic
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a809b6ffd9241ec430d4ab5c866566365b642a9e553f811cbf5f3dc5acdd0ce5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a809b6ffd9241ec430d4ab5c866566365b642a9e553f811cbf5f3dc5acdd0ce5/
Threat name:
Win32.Rootkit.BootkitX
Create hunting rule
Status:
Malicious
First seen:
2024-01-12 13:06:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
9 of 37 (24.32%)
Threat level:
  4/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vae3n76zeqpmimguvnoimzlggznwiku6ku7ychf7l464llg5btsq._file
Verdict:
malicious
Similar samples:
0541ef965db2b921d8f8af92f0fb84ee1561d7bb08c94cfb1847da06434f91f7
DanaBot
4f0925a84a5c9624ef8f734239ee56188ba9341d48dc0f07db902e59743a4590
DanaBot
611cad21a5fd2a344b7c6b45a78ac771df952c267812f894707d35fce0c59b13
DanaBot
6d0d0bfb0234dfe8b53845a003af0e8dc32f3be55a93a5a0ac7850f24c6df80a
DanaBot
8f5670e8e840235bda7a41acc5df942faa6e995ff5f63d09a5cad39592afaaa1
DanaBot
8ffd4fd0e29d6888e9eaf78a6f698436f8a4477cdba8b6271015f7b012d1f8e0
DanaBot
f57dab60885da9213f24b4896129182cb29ad3bd7be194685b68d61e6357188b
DanaBot
+ 38 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/240112-qb3afsgdhr/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Blocklisted process makes network request
Unpacked files
SH256 hash:
3b0ffdedf7b7d7de8c27cd762d47745c3f30da72c3712460b50808d095ac13a2
MD5 hash:
25798a993006def73952823198dd474c
SHA1 hash:
aaca34fe331af90e80a1eb795615cf3016f4fe24
Detections:
win_sinowal_w1
Create hunting rule
Link:
https://www.unpac.me/results/0a425e71-3fc3-4c07-a1f1-187e76b4ded1/
SH256 hash:
cc01393f66ca3e388ffeed23de8f970d06a1765aaddc945e4e82782c12ae5a83
MD5 hash:
1a45ca70455943433b96d0889986c2cc
SHA1 hash:
6e2e51f16f2f7bdfb1f707568414fd0ea1759ba4
Link:
https://www.unpac.me/results/0a425e71-3fc3-4c07-a1f1-187e76b4ded1/
SH256 hash:
a809b6ffd9241ec430d4ab5c866566365b642a9e553f811cbf5f3dc5acdd0ce5
MD5 hash:
922e83e52f23027ae00d4ef9294d71dd
SHA1 hash:
9668d375b80f244cfc1f340188e546485b40de29
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/0a425e71-3fc3-4c07-a1f1-187e76b4ded1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a809b6ffd924/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a809b6ffd9241ec430d4ab5c866566365b642a9e553f811cbf5f3dc5acdd0ce5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/470509/

Comments