MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bbefd006263022389bbcd69a68a8d894edf503dbb303b2da0870f365dcdf8287. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 9

SHA256 hash: bbefd006263022389bbcd69a68a8d894edf503dbb303b2da0870f365dcdf8287
SHA3-384 hash: d9f0e08791bafea496457f788cd2f9ffdf62952bf53d1cb004d36b89b297ca95d3b5b862677975df4504b07f8310a9ec
SHA1 hash: 6a20579a45b96c36ee914627fa166f5b6fca331c
MD5 hash: 53731cbdca75b9b954863239e3941036
humanhash: missouri-uniform-blue-uranus
File name: 53731cbdca75b9b954863239e3941036.exe
Signature: DanaBot
File size: 1'138'688 bytes
First seen: 2022-04-26 04:39:32 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f2673d9c17d44833382f98a82bef63bb (3 x RedLineStealer, 3 x DanaBot, 2 x Loki)
ssdeep: 24576:UXoQKeoAVPCnT0GaVpBPXTlNRWCa1dO2BHZ5Q/FjHTu8R41:JeoAVPiTGPNsCQO2Bw/JZ4
TLSH: T11D3512907660D039E1B752F4B979D6A8353EBCA08B3451CB22CA3BCE5A396C0DCB5357
TrID: 40.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      17.0% (.SCR) Windows screen saver (13101/52/3)
      13.6% (.EXE) Win64 Executable (generic) (10523/12/4)
      8.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      6.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon: b2dacaaecee6baa6 (23 x RedLineStealer, 22 x Stop, 13 x Smoke Loader)
Reporter: abuse_ch
Tags: DanaBot exe

Intelligence

File Origin
# of uploads:
1
# of downloads:
653
Origin country:
n/a
Vendor Threat Intelligence
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a window
Launching a process
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating synchronization primitives
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
greyware packed
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
DanaBot
Detection:
malicious
Classification:
troj.evad.phis.spyw.expl
Score:
100 / 100
Signature
Delayed program exit found
Machine Learning detection for sample
May use the Tor software to hide its network traffic
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Overwrites code with function prologues
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Call by Ordinal
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Yara detected DanaBot stealer dll
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Behavior Graph ID: 615389 (sample jECYNo2Ke8.exe, start date 26/04/2022, architecture WINDOWS, score 100)
Root signatures: Multi AV Scanner detection for domain / URL; Multi AV Scanner detection for submitted file; Yara detected UAC Bypass using CMSTP; 4 other signatures
jECYNo2Ke8.exe started (signature: Overwrites code with function prologues); child processes: rundll32.exe, rundll32.exe, WerFault.exe, 9 other processes
rundll32.exe (first instance): connects to 22.239.125.105, 443, 49770 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States), 113.252.23.2, 443, 49778 (HUTCHISON-AS-APHGCGlobalCommunicationsLimitedHK, Hong Kong) and 7 other IPs or domains; signatures: System process connects to network (likely due to code injection or exploit); Tries to steal Instant Messenger accounts or passwords; Tries to harvest and steal browser information (history, passwords, etc)
rundll32.exe (second instance): connects to 192.236.176.108, 443, 49733, 49766 (HOSTWINDSUS, United States); drops C:\Users\user\AppData\Local\...\Teheaotp.tmp (DOS); signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Delayed program exit found
WerFault.exe: drops C:\ProgramData\Microsoft\...\Report.wer (Little-endian)
9 other processes: drop C:\ProgramData\Microsoft\...\Report.wer (Little-endian, three files) and 6 other malicious files
Threat name:
Win32.Trojan.Raccrypt
Status:
Malicious
First seen:
2022-04-26 04:40:12 UTC
File Type:
PE (Exe)
Extracted files:
37
AV detection:
22 of 26 (84.62%)
Threat level:
5/5
Verdict:
malicious
Result
Malware family:
n/a
Score:
8/10
Tags:
collection discovery spyware stealer
Behaviour
Checks processor information in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Checks installed software on the system
Drops desktop.ini file(s)
Reads user/profile data of web browsers
Blocklisted process makes network request
Unpacked files
SHA256 hash:
9745fb1b8f04c96899eedb855636bd4e1d50a80e5a3c50d088713cf20ad728d2
MD5 hash:
143e661b87b0bb340eed6a444cf55eef
SHA1 hash:
fdd3076dedadba9d4f0270c072bda055d0eb8fe4
SHA256 hash:
bbefd006263022389bbcd69a68a8d894edf503dbb303b2da0870f365dcdf8287
MD5 hash:
53731cbdca75b9b954863239e3941036
SHA1 hash:
6a20579a45b96c36ee914627fa166f5b6fca331c
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pdb
Author: @stvemillertime
Description: Searching for PE files with PDB path keywords, terms or anomalies.
Rule name: pdb2
Rule name: win_danabot
Author: Johannes Bader
Description: detects DanaBot

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: DanaBot
File type: Executable exe
SHA256 hash: bbefd006263022389bbcd69a68a8d894edf503dbb303b2da0870f365dcdf8287 (this sample)

Comments