MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b40e6537a52981f980ab811a63c1c8bb751d5ddc5b64668a342dddf24bcbeb94. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b40e6537a52981f980ab811a63c1c8bb751d5ddc5b64668a342dddf24bcbeb94
SHA3-384 hash: 6108d14f6331e9daeaf0e0560562a32deb2d28ee6f0400cab89f8c27ce8976567a143119b2779e5c76e445b05cfeec91
SHA1 hash: beb5c20702d835bb6c3dd05e5f9469536fc616d9
MD5 hash: d363e6725360755d89ea8f29e33a64f9
humanhash: burger-idaho-edward-sixteen
File name:d363e6725360755d89ea8f29e33a64f9
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'053'696 bytes
First seen:2022-04-16 02:23:09 UTC
Last seen:2022-04-20 10:22:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 324598d8e157ef332c75a6946f19434c (5 x DanaBot, 1 x Smoke Loader)
ssdeep 24576:c8ZJfZpT7HnvNcP07vNvh9LaOFliB/hMtKa6gYB:3JfZFTiMjRHaOaB/it7p
Threatray 10'921 similar samples on MalwareBazaar
TLSH T1DC2512A17690C433CBA20D70893DCF90567EB866B9308467E2666B1AFE713C1619D73F
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 480c1c4c4f590b14 (113 x Smoke Loader, 92 x RedLineStealer, 83 x Amadey)
Reporter zbetcheckin
Tags:32 DanaBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
717
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d363e6725360755d89ea8f29e33a64f9
Verdict:
Suspicious activity
Analysis date:
2022-04-16 02:23:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a3c1143d-26d1-4504-ad16-af217baf35c0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/264042/
Detection(s):
Win.Dropper.Stop-9938042-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/13997/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware lockbit packed upatre
Link:
https://www.filescan.io/uploads/625a28c9482f2f41cab93273/reports/cf34b69d-019c-49a8-8b47-6d964ce26185/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d5f18db0-f784-4bb4-8b05-6c26d3ec6e46
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad.phis.spyw
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/977578
Signature
Machine Learning detection for sample
May use the Tor software to hide its network traffic
Multi AV Scanner detection for submitted file
Overwrites code with function prologues
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Call by Ordinal
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 610065 Sample: ZsviYvX5x9.exe Startdate: 16/04/2022 Architecture: WINDOWS Score: 96 56 Multi AV Scanner detection for submitted file 2->56 58 Yara detected DanaBot stealer dll 2->58 60 Machine Learning detection for sample 2->60 62 2 other signatures 2->62 8 ZsviYvX5x9.exe 3 2->8         started        process3 signatures4 64 Overwrites code with function prologues 8->64 11 rundll32.exe 8->11         started        15 rundll32.exe 13 8->15         started        18 WerFault.exe 16 8->18         started        20 9 other processes 8->20 process5 dnsIp6 46 157.88.76.58, 443, 49771 REDIRISRedIRISAutonomousSystemES Spain 11->46 48 202.167.24.117, 443, 49800 OPENTRANSITFR Singapore 11->48 54 8 other IPs or domains 11->54 66 System process connects to network (likely due to code injection or exploit) 11->66 68 Tries to steal Instant Messenger accounts or passwords 11->68 70 Tries to harvest and steal browser information (history, passwords, etc) 11->70 22 schtasks.exe 11->22         started        24 schtasks.exe 11->24         started        26 schtasks.exe 11->26         started        50 23.254.129.180, 443, 49741, 49763 HOSTWINDSUS United States 15->50 34 C:\Users\user\AppData\Local\Temp\Faqqye.tmp, DOS 15->34 dropped 72 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->72 74 Uses schtasks.exe or at.exe to add and modify task schedules 15->74 52 192.168.11.1 unknown unknown 18->52 36 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->36 dropped 38 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 20->38 dropped 40 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 20->40 dropped 42 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 20->42 dropped 44 6 other malicious files 20->44 dropped file7 signatures8 process9 process10 28 conhost.exe 22->28         started        30 conhost.exe 24->30         started        32 conhost.exe 26->32         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b40e6537a52981f980ab811a63c1c8bb751d5ddc5b64668a342dddf24bcbeb94/
Threat name:
Win32.Downloader.Upatre
Create hunting rule
Status:
Malicious
First seen:
2022-04-16 02:24:15 UTC
File Type:
PE (Exe)
Extracted files:
47
AV detection:
17 of 26 (65.38%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wqhgkn5ffga7taflqenghqoixn2r2xo4lnsgncrufxo7es6l5oka._file
Verdict:
malicious
Similar samples:
2f43972540a6cae0eb4e50d142860bdc278b44b9b4606747c58e19383efa82f5
DanaBot
343b785bdc3ee599f7962a90b02c3638c470e486fe43fff73c0ee5fbb8eb0a50
DanaBot
532e3e9ec546f0030d3fef0bddc224f868c55bb00d1914cdb7157a3e74f5bd28
DanaBot
5cf233d7267a011a4e21064d530fc1b6e80f995b22cf86b29e773d13a463a628
DanaBot
6e33bb5afea750c9d310218cf18796b7e1754332684bf92806ccba081bcc5a69
DanaBot
70bee3fa2bf61c13b1e94ab33d6ac070ef107085c10abb28ccb92e5b6449deee
DanaBot
a0a944db45538f11089813fd89eeed36cdefa6204e52ba305251832ed0045860
DanaBot
c7a4fad10ef66516e492ab30d600be219ea259c4f0a42a3f664ae7b3cd94e2b7
DanaBot
d884436a17d35656ddeae1a06103d0b787d9f22851fedba571293898f6fd3645
DanaBot
dcedf234c0f9d6fe3a4392693c82708c70c8e243f42f2e7073d35bd928f3b526
DanaBot
+ 10'911 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery
Link:
https://tria.ge/reports/220416-cv98hsbca8/
Behaviour
Checks processor information in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks installed software on the system
Blocklisted process makes network request
Unpacked files
SH256 hash:
9ff1fc950484269fd9553c3361abcf880082c7c9d4f0421ddc8b5fdcbd1cd638
MD5 hash:
d4e3adf8a352ebdc4546e3d1f62b2f35
SHA1 hash:
2ac653851746ef621422f32a3e45b8c93ef7a171
Link:
https://www.unpac.me/results/a41b71e6-d5d6-4217-ba08-c57d3d0512d5/
SH256 hash:
b40e6537a52981f980ab811a63c1c8bb751d5ddc5b64668a342dddf24bcbeb94
MD5 hash:
d363e6725360755d89ea8f29e33a64f9
SHA1 hash:
beb5c20702d835bb6c3dd05e5f9469536fc616d9
Link:
https://www.unpac.me/results/a41b71e6-d5d6-4217-ba08-c57d3d0512d5/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b40e6537a529/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b40e6537a52981f980ab811a63c1c8bb751d5ddc5b64668a342dddf24bcbeb94

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe b40e6537a52981f980ab811a63c1c8bb751d5ddc5b64668a342dddf24bcbeb94

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2149925/
Cape
Cape
https://www.capesandbox.com/analysis/264042/

Comments


Avatar
zbet commented on 2022-04-16 02:23:13 UTC

url : hxxp://108.62.118.31/hostads.exe