MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bde4e9b92feb5f9159a7dac2a92e3464ad5af434b4e8ec7257c04a1aca51ecb9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bde4e9b92feb5f9159a7dac2a92e3464ad5af434b4e8ec7257c04a1aca51ecb9
SHA3-384 hash: 21e1596449cb0aae2bfe72e33208ee32022b82b337174de0e0228947f731f786bf272c7d2d623e692f71b05f06625620
SHA1 hash: bbef750b9ab0d44bbd0bc1b673a03187bb082bcd
MD5 hash: d32a94460991a5bd8e32b939892cecb2
humanhash: alaska-delaware-william-arkansas
File name:d32a94460991a5bd8e32b939892cecb2
Download: download sample
Signature DanaBot
Create hunting rule
File size:6'444'032 bytes
First seen:2022-11-01 07:46:21 UTC
Last seen:2022-11-01 09:12:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e369a4548b0ade94747bb92a0b0d2d15 (4 x Amadey, 2 x Smoke Loader, 2 x GCleaner)
ssdeep 196608:+z6Aef+fUoW6vHFWbOnQKKtIN8nibEHv:9AY4W6vlYoQh08nwE
Threatray 203 similar samples on MalwareBazaar
TLSH T17A5633D03334D137C650A9B154B1EEF1BD39AAE6FDF288A33B3406885E756D08D29276
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 480c1c4c4f594b14 (172 x Smoke Loader, 134 x RedLineStealer, 98 x Amadey)
Reporter zbetcheckin
Tags:32 DanaBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
504
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
danabot
Create hunting rule
ID:
1
File name:
d32a94460991a5bd8e32b939892cecb2
Verdict:
Malicious activity
Analysis date:
2022-11-01 07:48:31 UTC
Tags:
danabot
Link:
https://app.any.run/tasks/49149392-162a-4e4b-b44c-d7bbf8d78d42

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DanaBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/326738/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.7087.16323.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Searching for synchronization primitives
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware lockbit packed
Link:
https://www.filescan.io/uploads/6360cef8a5db8d309cbc2692/reports/81793781-e99d-437b-8b21-a35f140697db/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ea6167bd-5dd2-4cbb-a340-e09a93bd39a8
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1102347
Signature
Antivirus detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bde4e9b92feb5f9159a7dac2a92e3464ad5af434b4e8ec7257c04a1aca51ecb9/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2022-11-01 07:47:20 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xxsotojp5npzcwnh3lbkslrumswvv5buwtuoy4sxybfbvssr5s4q._file
Verdict:
malicious
Similar samples:
0cd136e0a7628089da863f7d0d746d5cc91b81ff9d1e523157e965f71cecc12c
DanaBot
0f295d377540773127f73cf21c555c0358b8e28d8e74307535dd41839bf78f2b
DanaBot
1206052fbaa8552d703b6913ca35eb4f9653ea935048476b2ea7e92a439163e1
DanaBot
6fcf81aa7d7b438c05fa2775b8a242de17de89cf84d2189e6e6e44f095195502
DanaBot
711d37b4962ad4756eadd8b899c296cd7d43326f0d70f35854b7955439fa8c3b
DanaBot
aa3dc95a5c847c3d25a8d298face426e07346025f1ba81bf2557163df03bdae2
DanaBot
d79f5e45a2fbd17a0d356f6a98ff3055feaa93386e96eaca0cc09fe102fa6b64
DanaBot
dab2b4dd7e40fcb026d0815a5fd4fcf94e3b47dada1c0be92cd893d9cd4b833c
DanaBot
f767e0a0d19a0e1a3788cdd2ff6468fe08add55cdcc469ea54b1ce59c6aeaa20
DanaBot
fb1bd527586e3a82d89891d4dc6b925ec1d9ba75110bef638ff852bc14e0496f
DanaBot
+ 193 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/221101-jmjh6ahde7/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Loads dropped DLL
Blocklisted process makes network request
Unpacked files
SH256 hash:
3be7fdf15532ca882ebd881a280db8288a5217926a7d2afa219582ae87ae7bf5
MD5 hash:
78b311ba2e1d3f24e7710eb4809bcb98
SHA1 hash:
c52ed9518f32d44f228addd3dec56f4207e72a75
Link:
https://www.unpac.me/results/78b74e4a-827d-45c0-860a-674226fcabdf/
SH256 hash:
1e0ed2ee99195ef2a03317d2a8052923568c26dc732b625b4e3cff6db1e1f455
MD5 hash:
753e816f108da0a7910094e3247fb762
SHA1 hash:
797b006812c54cff63791894230567d305f60d61
Link:
https://www.unpac.me/results/78b74e4a-827d-45c0-860a-674226fcabdf/
SH256 hash:
7e97a3f515fc44c72a7ffa37405ec76e792f2521f0dfb76e79f07e291757cd28
MD5 hash:
26861b614a0115971b6afac459b9bad9
SHA1 hash:
fc32e3ef7f4ca081c061f047019e5d3f90dcd798
Link:
https://www.unpac.me/results/78b74e4a-827d-45c0-860a-674226fcabdf/
SH256 hash:
bde4e9b92feb5f9159a7dac2a92e3464ad5af434b4e8ec7257c04a1aca51ecb9
MD5 hash:
d32a94460991a5bd8e32b939892cecb2
SHA1 hash:
bbef750b9ab0d44bbd0bc1b673a03187bb082bcd
Link:
https://www.unpac.me/results/78b74e4a-827d-45c0-860a-674226fcabdf/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bde4e9b92feb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bde4e9b92feb5f9159a7dac2a92e3464ad5af434b4e8ec7257c04a1aca51ecb9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe bde4e9b92feb5f9159a7dac2a92e3464ad5af434b4e8ec7257c04a1aca51ecb9

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2393374/
Cape
Cape
https://www.capesandbox.com/analysis/326738/

Comments


Avatar
zbet commented on 2022-11-01 07:46:24 UTC

url : hxxp://146.19.173.31/nlaawi.exe