MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8e8ac7c8c5e8260b41895070f809f4e817c936ad6877dbacf6f7f963abba250. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a8e8ac7c8c5e8260b41895070f809f4e817c936ad6877dbacf6f7f963abba250
SHA3-384 hash: 25bfbf9f3ec72df9f27bfa8f24652b207a0d2ca71ad23f9fce6b7cad5da2178e616c5c425fc701e45e9516f518f1d7dc
SHA1 hash: 7dde3d79a69c349f6387b32fe2b954d17d11c16f
MD5 hash: 171ef0a970c53b4683161294c33ca675
humanhash: nuts-hydrogen-montana-edward
File name:171ef0a970c53b4683161294c33ca675.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:3'916'288 bytes
First seen:2023-01-06 20:31:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d867c02dc6ceef6a81418a96f016676b (9 x Smoke Loader, 6 x RedLineStealer, 3 x CoinMiner)
ssdeep 98304:2OvOLbzBPD7YNiQcEP+LWvzMBb4b5z/rreW9RqSmCw7Eaw1G5Zb:Lv+zpDEAQcEP+LWwZi5LPdRq779Ya
Threatray 455 similar samples on MalwareBazaar
TLSH T1FA0633923882F87ECA74153455A1FED0253CB4320D396A87263A5E0FBEF03F5A5EE152
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 3c7c14b4a4948dc0 (1 x DanaBot)
Reporter abuse_ch
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
237
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
danabot
Create hunting rule
ID:
1
File name:
171ef0a970c53b4683161294c33ca675.exe
Verdict:
Malicious activity
Analysis date:
2023-01-06 20:39:59 UTC
Tags:
danabot stealer
Link:
https://app.any.run/tasks/029af1e6-780e-4caf-be89-7730dde32b44

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/350272/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63b8854c40e878e304234108/reports/da5cfd06-f168-4ce2-a57a-3176268ef6a9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/116f7ae0-fcee-49b3-b342-ff9c64eb566b
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1146702
Signature
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a8e8ac7c8c5e8260b41895070f809f4e817c936ad6877dbacf6f7f963abba250/
Threat name:
Win32.Trojan.MintZard
Create hunting rule
Status:
Malicious
First seen:
2023-01-06 13:10:15 UTC
File Type:
PE (Exe)
Extracted files:
60
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vduky7eml2bgbnaysudq7ae7j2axze3k22dx3owpn57zmov3ujia._file
Verdict:
malicious
Similar samples:
045d257fff1a2678715e67b6ce278456bd264514598fd51a3fc8023d58f64c3a
DanaBot
0909322dede6d2639bc5aba3de6bbe4a6b9552df002547378c35629b1ceefedf
DanaBot
2ee350a3c3c03283a1458ff5e3e142d91b46a8fecd846ec8df0d1edca7c1e4cf
DanaBot
428c1c48e636421a85235a35b5228472e5441ca9b60eb9bd776a182fbaa9f1b7
DanaBot
4ba96ecdcdfa746de28a0ee3ef474842e829917c9486ace35ec4cc2fa1ad956f
DanaBot
5aa3feae8dfef7ef4aafe4526474b7ddbd325b6f32d02c68fb8a2d441730fab2
DanaBot
81dda2ffa7d1039d3b745540573c6e8c728584d536a449f5baa031fb40fc065d
DanaBot
c1caac58e614931c517666747eec84548ca762fff9744c47ed6cfe162c511331
DanaBot
fa42f6e86a7c3c5cbea6799e374f7eb05c6ebbe618a1499616197da5bc6f437f
DanaBot
fbd172f7f6c9e4b8c915d7ff24d40ddcad456223407e383b2230f24e046031bb
DanaBot
+ 445 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/230106-zbad4sfc6t/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Loads dropped DLL
Blocklisted process makes network request
Unpacked files
SH256 hash:
35c37a51190bf7ea125004b3e02cb32ee38995fa6023531d4c5d6805a95d4b1f
MD5 hash:
ccb9fda0d5198aae0bc29a10feff5073
SHA1 hash:
054acf127802782ab9c88cb05141c51b5e43c51f
Link:
https://www.unpac.me/results/de9773ed-cb55-4f00-9035-51d60e5e2482/
SH256 hash:
8eda87fe048f780ccd14da39c6fe57e89dde6e9fbe7cdcfe9b792fcc5cf1d222
MD5 hash:
3270e74013ed9a2854e85d353432cde6
SHA1 hash:
611c8bb8b6c4ab4630bbe5d583973a9688660fc9
Link:
https://www.unpac.me/results/de9773ed-cb55-4f00-9035-51d60e5e2482/
SH256 hash:
a8e8ac7c8c5e8260b41895070f809f4e817c936ad6877dbacf6f7f963abba250
MD5 hash:
171ef0a970c53b4683161294c33ca675
SHA1 hash:
7dde3d79a69c349f6387b32fe2b954d17d11c16f
Link:
https://www.unpac.me/results/de9773ed-cb55-4f00-9035-51d60e5e2482/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a8e8ac7c8c5e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a8e8ac7c8c5e8260b41895070f809f4e817c936ad6877dbacf6f7f963abba250

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe a8e8ac7c8c5e8260b41895070f809f4e817c936ad6877dbacf6f7f963abba250

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2498617/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/350272/

Comments