MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5835bcf48839eb68a402761c8474123758bd43d08b81738bbf84620df49e307. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b5835bcf48839eb68a402761c8474123758bd43d08b81738bbf84620df49e307
SHA3-384 hash: 038e9983599d6a99dc0447d9332d4f08dfa2a61304313d2e1118d2a8edc57044dfa6def48b613f7311613404ede1a739
SHA1 hash: 0db1c3b2a66c0d34889b673c8df266a31d654d7c
MD5 hash: 99b6edd21a762c8dd15b83688516469e
humanhash: failed-idaho-mexico-grey
File name:SecuriteInfo.com.W32.AIDetect.malware1.12337.2904
Download: download sample
Signature DanaBot
Create hunting rule
File size:690'688 bytes
First seen:2021-07-29 12:46:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ae8d52d466f0b65d50fa6d5967396375 (2 x DanaBot, 2 x RedLineStealer, 2 x RaccoonStealer)
ssdeep 12288:YXiyk60+CTsa+mK6AxeyW0En3u/+y8v1NzQpF+lI/acaxXS5VRTx:Ryk60fsF6aPBE3u/ds1OOIV6XS5zd
TLSH T11BE4F130BAA0C035F4B722FC46BA9379742D7A61673450CB62D165EE07386EAEC31797
dhash icon ead8ac9cc6e68ee0 (118 x RaccoonStealer, 102 x RedLineStealer, 46 x Smoke Loader)
Reporter SecuriteInfoCom
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.W32.AIDetect.malware1.12337.2904
Verdict:
Malicious activity
Analysis date:
2021-07-29 12:50:13 UTC
Tags:
stealer trojan
Link:
https://app.any.run/tasks/adc380b9-86f3-4a98-a1fb-3fdd74c63d7b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/175025/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.12337.2904.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
CryptBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2d00da10-a8d8-41a7-908b-6fbff324f3ec
Result
Threat name:
Clipboard Hijacker Cryptbot Glupteba
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/823818
Signature
Antivirus detection for dropped file
Delayed program exit found
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Clipboard Hijacker
Yara detected Cryptbot
Yara detected Glupteba
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 456230 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 29/07/2021 Architecture: WINDOWS Score: 100 81 Multi AV Scanner detection for domain / URL 2->81 83 Found malware configuration 2->83 85 Malicious sample detected (through community Yara rule) 2->85 87 11 other signatures 2->87 11 SecuriteInfo.com.W32.AIDetect.malware1.12337.exe 48 2->11         started        16 SmartClock.exe 2->16         started        18 rundll32.exe 2->18         started        20 SmartClock.exe 2->20         started        process3 dnsIp4 75 winhaf05.top 45.131.46.175, 49736, 49737, 80 NTC-ASRU Russian Federation 11->75 77 ewaqug42.top 51.161.131.125, 49733, 80 OVHFR Canada 11->77 79 2 other IPs or domains 11->79 67 C:\Users\user\AppData\Local\Temp\Filett.exe, PE32 11->67 dropped 69 C:\Users\user\AppData\Local\...\lv[1].exe, PE32 11->69 dropped 107 Detected unpacking (overwrites its own PE header) 11->107 109 Tries to harvest and steal browser information (history, passwords, etc) 11->109 22 Filett.exe 25 11->22         started        26 cmd.exe 1 11->26         started        file5 signatures6 process7 file8 59 C:\Users\user\AppData\Local\Temp\...\vpn.exe, PE32 22->59 dropped 61 C:\Users\user\AppData\Local\Temp\...\4.exe, PE32 22->61 dropped 63 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 22->63 dropped 65 3 other files (none is malicious) 22->65 dropped 89 Antivirus detection for dropped file 22->89 91 Multi AV Scanner detection for dropped file 22->91 93 Machine Learning detection for dropped file 22->93 28 vpn.exe 1 6 22->28         started        30 4.exe 4 22->30         started        95 Submitted sample is a known malware sample 26->95 97 Obfuscated command line found 26->97 99 Uses ping.exe to sleep 26->99 101 Uses ping.exe to check the status of other devices and networks 26->101 33 conhost.exe 26->33         started        35 timeout.exe 1 26->35         started        signatures9 process10 file11 37 cmd.exe 1 28->37         started        39 cmd.exe 1 28->39         started        71 C:\Users\user\AppData\...\SmartClock.exe, PE32 30->71 dropped 41 SmartClock.exe 30->41         started        process12 process13 43 cmd.exe 3 37->43         started        46 conhost.exe 37->46         started        48 conhost.exe 39->48         started        signatures14 103 Obfuscated command line found 43->103 105 Uses ping.exe to sleep 43->105 50 Mettermi.exe.com 43->50         started        52 findstr.exe 1 43->52         started        54 PING.EXE 1 43->54         started        process15 process16 56 Mettermi.exe.com 50->56         started        dnsIp17 73 HvzRVtijmTzktm.HvzRVtijmTzktm 56->73
Gathering data
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-07-29 09:28:18 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wwbvxt2iqoplncsae5q4qr2ben2yxvb5bc4boof37bdcbx2j4mdq._file
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:cryptbot family:danabot botnet:4 banker discovery persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/210729-k9cb42rpmx/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Deletes itself
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
CryptBot
CryptBot Payload
Danabot
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
ewaqug42.top
morjau04.top
142.11.244.124:443
142.11.206.50:443
Unpacked files
SH256 hash:
30ec5b29c1fad62bef400ae3e98a8445bfaa4683aa4fb8e874a88d4f4513702d
MD5 hash:
fbcd11bb1573c197ab5b54368b729f09
SHA1 hash:
f52de113e5294623667ae56e9e74a26c879817bb
Detections:
win_cryptbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/604a5e41-4583-4bec-bbf4-046e8a0eb650/
Parent samples :
c1d11f66c89d2b7a284d8b61092fab044066c5443250d90d2dd9f3221857900a
b5835bcf48839eb68a402761c8474123758bd43d08b81738bbf84620df49e307
2b077c09e3e5b9035d53cf73f0afc4455463dcb2289816f15f50f68f6b5f5df7
SH256 hash:
b5835bcf48839eb68a402761c8474123758bd43d08b81738bbf84620df49e307
MD5 hash:
99b6edd21a762c8dd15b83688516469e
SHA1 hash:
0db1c3b2a66c0d34889b673c8df266a31d654d7c
Link:
https://www.unpac.me/results/604a5e41-4583-4bec-bbf4-046e8a0eb650/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b5835bcf48839eb68a402761c8474123758bd43d08b81738bbf84620df49e307

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe b5835bcf48839eb68a402761c8474123758bd43d08b81738bbf84620df49e307

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1485388/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1489477/
Cape
Cape
https://www.capesandbox.com/analysis/175025/

Comments