MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0eb802f394e758da4feb0d6c3b817bf1f64880ab9bc851937d5ef774161585d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 8

Intelligence 8 IOCs YARA 11 File information Comments

SHA256 hash:	c0eb802f394e758da4feb0d6c3b817bf1f64880ab9bc851937d5ef774161585d
SHA3-384 hash:	2cce14b6f0f9bc1b9bb5279bf9e7b3c5c0d06ad58a2760fc4e13e306ad428618c4f1a91acee57e4b5fa1d4ebbb9c96a9
SHA1 hash:	7c156e5701b0cf7eaf3a38cc1f5f68992bfe62f8
MD5 hash:	c55a1a3a135dcc3a771ea4648862a202
humanhash:	asparagus-violet-hydrogen-hotel
File name:	c0eb802f394e758da4feb0d6c3b817bf1f64880ab9bc851937d5ef774161585d.bin
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	4'591'616 bytes
First seen:	2021-01-25 14:37:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f1f6d93d68be901a0f8e8f9c68c8e208 (2 x Smoke Loader, 1 x CryptBot, 1 x DanaBot)
ssdeep	98304:4OtxgEKjQcf+Hdzbfd56/kzkv6iS+KZHQ029ETbnsFaK0ua1fe1NjmWkiYi5FE93:4kgdjDazrP6szkvqwl3aK09fUVHZSo6J
Threatray	4 similar samples on MalwareBazaar
TLSH	AF262391801D6DECEED16870662FE9F4CA0D78D2DDA570227D06C6DCB9B39C2D29234B
Reporter	tildedennis
Tags:	DanaBot

Intelligence

File Origin

# of uploads :

# of downloads :

562

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

drama.exe

Verdict:

Malicious activity

Analysis date:

2021-01-01 22:39:34 UTC

Tags:

stealer

Link:

https://app.any.run/tasks/63502de5-fd2e-45b5-9656-725193ac7ae8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/113726/

Detection(s):

PUA.Win.Packer.Upx-49

PUA.Win.Packer.UpxProtector-1

PUA.Win.Packer.Upolyx-12

PUA.Win.Packer.Upx-4

Win.Malware.FickerStealer-9819303-1

Win.Packed.Bulz-9820362-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a file

Launching a process

Creating a process with a hidden window

Modifying an executable file

Creating a file in the %temp% directory

Creating a window

Changing a file

Connection attempt

Connection attempt to an infection source

Infecting executable files

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spre.spyw.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/589771

Signature

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Tries to harvest and steal browser information (history, passwords, etc)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c0eb802f394e758da4feb0d6c3b817bf1f64880ab9bc851937d5ef774161585d/

Threat name:

Win32.Trojan.Zenpak

Status:

Malicious

First seen:

2021-01-02 02:30:19 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ydvyalzzjz2y3jh6wdlmhoaxx4pwjcakxg6ikgjx2xxxoqlblboq._file

Verdict:

suspicious

DanaBot

5b1bdf919d0e72fd01aedb1db47b62bbec1fcee7b3fdd9d8856bb39f72f0027f

DanaBot

81b267cb792ea2bff433a3b458a20fb064b092e65d08dabc1844f225a04191d2

DanaBot

83a67ecd166b919255b264718993c284a3238971a24c939c45e0c525f3361a43

DanaBot

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery spyware upx

Link:

https://tria.ge/reports/210125-x8xjd47fja/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks installed software on the system

Drops desktop.ini file(s)

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Blocklisted process makes network request

Unpacked files

SH256 hash:

e5883c440d9b4b0d06369665a825e70152fe796f8d16077b0a884b8bc23300fc

MD5 hash:

97687a78eced7b16640a2b02da73518b

SHA1 hash:

35956359cf25ea197f9ea0a0c76346aa8b34f6a8

Link:

https://www.unpac.me/results/77614300-3829-44b7-8bc0-a31d7354c081/

SH256 hash:

1eec3a24d1ec2ee85411f0988b4743dd1548a7646bd7de2260889debb6e81e0b

MD5 hash:

2a8051522d0694fdb4e792ba91c0c246

SHA1 hash:

2469ab27c8f00e7f8aaec1e2e409ad1483849db1

Link:

https://www.unpac.me/results/77614300-3829-44b7-8bc0-a31d7354c081/

SH256 hash:

9b1ae4317956215ba51e7d37a5f082626628f33f8ae868d969e9b56682c276ef

MD5 hash:

f26f748189e89ba787e8a68284689617

SHA1 hash:

48ec327fadb4065f3d0e37f76201344971e1468f

Link:

https://www.unpac.me/results/77614300-3829-44b7-8bc0-a31d7354c081/

SH256 hash:

001b027326f1f5c85828de1a2d2795a6ad5648a75b4c837ffa453202e7c980af

MD5 hash:

b3ac1bb9077189033e3d426090d86155

SHA1 hash:

dae9827f34d94179aa956c12012b3472c8a74fb3

Link:

https://www.unpac.me/results/77614300-3829-44b7-8bc0-a31d7354c081/

SH256 hash:

06ffa4957b170084604546dc16303a288ae1fb611d744a50ea439a59356467a4

MD5 hash:

30bcab2e7ad119be1942a8c5fcec9892

SHA1 hash:

1d5804b2ab563f002d6ebbfcfc08ecad1073d714

Link:

https://www.unpac.me/results/77614300-3829-44b7-8bc0-a31d7354c081/

SH256 hash:

c0eb802f394e758da4feb0d6c3b817bf1f64880ab9bc851937d5ef774161585d

MD5 hash:

c55a1a3a135dcc3a771ea4648862a202

SHA1 hash:

7c156e5701b0cf7eaf3a38cc1f5f68992bfe62f8

Link:

https://www.unpac.me/results/77614300-3829-44b7-8bc0-a31d7354c081/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Glupteba

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c0eb802f394e758da4feb0d6c3b817bf1f64880ab9bc851937d5ef774161585d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	hunt_skyproj_backdoor Create hunting rule
Author:	SBousseaden
Reference:	https://unit42.paloaltonetworks.com/unit42-prince-persia-ride-lightning-infy-returns-foudre/

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	@ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Ping_Del_method_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	cmd ping IP nul del

Rule name:	Select_from_enumeration Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

Rule name:	Stealer_word_in_memory Create hunting rule
Author:	James_inthe_box
Description:	The actual word stealer in memory

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name:	with_sqlite Create hunting rule
Author:	Julian J. Gonzalez <info@seguridadparatodos.es>
Description:	Rule to detect the presence of SQLite data in raw image
Reference:	http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/113726/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample