MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa3dc95a5c847c3d25a8d298face426e07346025f1ba81bf2557163df03bdae2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aa3dc95a5c847c3d25a8d298face426e07346025f1ba81bf2557163df03bdae2
SHA3-384 hash: 6bd1faab7d9a4968fdca0bb27dbe311d823022cfefc55caddda75547bd4ec866f081cdf0b12b7bce0a09a7fa8fccd551
SHA1 hash: 3304972ce84e9c68ff0b9415acb38488a6798c06
MD5 hash: fa68217b3f5f8f1eeaedfe6f001889d2
humanhash: nitrogen-three-alaska-oxygen
File name:fa68217b3f5f8f1eeaedfe6f001889d2.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:6'351'872 bytes
First seen:2022-11-01 06:33:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 10ce3284b173905769c417d613af74dd (6 x Amadey, 4 x Smoke Loader, 3 x RedLineStealer)
ssdeep 98304:zzD5WM7TvMk5LGAHzVIvr+r7Ss8B0ITmeVM1mTyLPpXrMqr6X59VPGOlgb:vlR755LGGVIdB7/yNXZYfVP8
Threatray 425 similar samples on MalwareBazaar
TLSH T1985633333999C636C3C612394461F1E223CBAA5119B3DDA73FD21D6C0F692E69B5630B
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e8d8c8c8e0e4a099 (13 x Amadey, 12 x RedLineStealer, 10 x Smoke Loader)
Reporter abuse_ch
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
381
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
danabot
Create hunting rule
ID:
1
File name:
fa68217b3f5f8f1eeaedfe6f001889d2.exe
Verdict:
Malicious activity
Analysis date:
2022-11-01 06:42:16 UTC
Tags:
danabot
Link:
https://app.any.run/tasks/ee3f0048-6484-4486-a075-4617188a83c2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DanaBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/326698/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader45.28430.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Сreating synchronization primitives
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6360bddcce1f43143c2a466a/reports/50cedd76-ccd1-481d-a654-263e8ddaa113/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e316de10-d9fa-46e7-88d5-8fc65793ded5
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1102287
Signature
Antivirus detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aa3dc95a5c847c3d25a8d298face426e07346025f1ba81bf2557163df03bdae2/
Threat name:
Win32.Trojan.MintZard
Create hunting rule
Status:
Malicious
First seen:
2022-10-31 21:27:37 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
29 of 41 (70.73%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vi64sws4qr6d2jni2kmpvtscnydtiybf6g5idpzfk4ld34b33lra._file
Verdict:
malicious
Similar samples:
0f295d377540773127f73cf21c555c0358b8e28d8e74307535dd41839bf78f2b
DanaBot
1206052fbaa8552d703b6913ca35eb4f9653ea935048476b2ea7e92a439163e1
DanaBot
2f43972540a6cae0eb4e50d142860bdc278b44b9b4606747c58e19383efa82f5
DanaBot
5388b531f6d52bb164dbb60d11e016b0ce99edbd71b98422061f641dbedb242e
DanaBot
5a887c05193d46c6ef71ea39ca0b764db4f717d5bc994c778c9d2676978f3483
DanaBot
bbefd006263022389bbcd69a68a8d894edf503dbb303b2da0870f365dcdf8287
DanaBot
c7a4fad10ef66516e492ab30d600be219ea259c4f0a42a3f664ae7b3cd94e2b7
DanaBot
ea315e9e65af9d1d95ac0636abde389107bb131f99e9eeac2dd16821be1ba888
DanaBot
f767e0a0d19a0e1a3788cdd2ff6468fe08add55cdcc469ea54b1ce59c6aeaa20
DanaBot
+ 415 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/221101-hbtpbahhbp/
Behaviour
Checks processor information in registry
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Loads dropped DLL
Blocklisted process makes network request
Unpacked files
SH256 hash:
931bb061cdec88ce0f3e665b85f2da2ce3ead0b847973dc8642d061318f4454c
MD5 hash:
cc0ef4e8889352dca3c12d1a233eaa5a
SHA1 hash:
21c3087380423c44fc39d734d48e1157be910e93
Link:
https://www.unpac.me/results/74e3c082-046c-4fb9-88ab-ec068be4bc22/
SH256 hash:
1e0ed2ee99195ef2a03317d2a8052923568c26dc732b625b4e3cff6db1e1f455
MD5 hash:
753e816f108da0a7910094e3247fb762
SHA1 hash:
797b006812c54cff63791894230567d305f60d61
Link:
https://www.unpac.me/results/74e3c082-046c-4fb9-88ab-ec068be4bc22/
SH256 hash:
1fcf313ea6312de0b55e36d8ae7b881b2c5bfaddda7a32f9910ac83133aae90b
MD5 hash:
a95657e240c35d1652cd9297d333f9c2
SHA1 hash:
7de8c8efff60264b36bd9ddeebfe5b3998400b69
Link:
https://www.unpac.me/results/74e3c082-046c-4fb9-88ab-ec068be4bc22/
SH256 hash:
aa3dc95a5c847c3d25a8d298face426e07346025f1ba81bf2557163df03bdae2
MD5 hash:
fa68217b3f5f8f1eeaedfe6f001889d2
SHA1 hash:
3304972ce84e9c68ff0b9415acb38488a6798c06
Link:
https://www.unpac.me/results/74e3c082-046c-4fb9-88ab-ec068be4bc22/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/aa3dc95a5c84/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aa3dc95a5c847c3d25a8d298face426e07346025f1ba81bf2557163df03bdae2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/326698/

Comments