MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca004f3971c503ecb459840848612bd0614b7b40af5ca8616c8936eb075686f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ca004f3971c503ecb459840848612bd0614b7b40af5ca8616c8936eb075686f6
SHA3-384 hash: 40c9c9d957ca0648d97ddca86497e787323dbefe7ae72a1a11e2b70290c024ba30574d3df3d807b954f2cfaaee8bd278
SHA1 hash: 7f9d11cf82591e5ccada3a153527aec5251031fd
MD5 hash: 7893d7bddd2bdc61184c82550fa37b86
humanhash: uniform-princess-comet-bluebird
File name:file
Download: download sample
Signature DanaBot
Create hunting rule
File size:4'925'440 bytes
First seen:2023-03-01 22:18:24 UTC
Last seen:2023-03-01 23:28:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5c0ec652c968c0f9da09dab12e468adf (2 x RedLineStealer, 2 x Smoke Loader, 1 x DanaBot)
ssdeep 98304:f0brZ7zXRfljDL1eHkt6V0EwnTUA3PPlIp5ndljGp5Gt:f0bxLRfZ/YOPfZ3yp5nPjG3
Threatray 2 similar samples on MalwareBazaar
TLSH T11636331732A53864D8D3D736AC37C9E2CD1F7C554831A39B7A487A5A08766E1C9E8F03
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 916a6a6a6a6a6a70 (19 x RedLineStealer, 18 x Smoke Loader, 3 x Amadey)
Reporter jstrosch
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
278
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
danabot
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-03-01 22:19:36 UTC
Tags:
danabot
Link:
https://app.any.run/tasks/891dbe5f-3272-494f-a23d-9630a68ebcef

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/370985/
Detection(s):
SecuriteInfo.com.Win32.BotX-gen.26060.5127.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Creating a window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Sending an HTTP GET request
Changing a file
Сreating synchronization primitives
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63ffcf58bfec0852a68e4936/reports/851a269c-962e-4c1e-a5c3-709a55758082/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/ca004f3971c503ecb459840848612bd0614b7b40af5ca8616c8936eb075686f6
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/68c05037-1a05-4e38-9c0f-8acb4bd3d045
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1185282
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ca004f3971c503ecb459840848612bd0614b7b40af5ca8616c8936eb075686f6/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2023-03-01 22:19:09 UTC
File Type:
PE (Exe)
Extracted files:
22
AV detection:
22 of 25 (88.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ziae6olryub6znczqqeeqyjl2bquw62av5okqylmre3owb2wq33a._file
Verdict:
malicious
Similar samples:
52beb2a60ca3ecfaddeaf023cba227913ddd4d82f6200fa02f549098966085b6
DanaBot
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/230301-18hbnaad66/
Behaviour
Checks processor information in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Blocklisted process makes network request
Unpacked files
SH256 hash:
4be3e0e7ee9f23ce7b9f9ed7e440cebc1c90de1fb110ccfe0956be23c47b6300
MD5 hash:
8ff383f3c6c1f8be7bdd4ef4e8c16d64
SHA1 hash:
9b1b7ab309d187adcc94cf1b1df05b9709f0db93
Link:
https://www.unpac.me/results/b2a441e6-ca66-4bd2-bd6b-ad438d99aa62/
SH256 hash:
ca9a31f5f485d413273d5212deb1c852cfcf39ec6b43dc0374b11d25026ef7f4
MD5 hash:
4395f163a6110d71fd140c4216e97328
SHA1 hash:
38e5d82dab8fa888c4b26c349a66a8c6bb94b5b2
Link:
https://www.unpac.me/results/b2a441e6-ca66-4bd2-bd6b-ad438d99aa62/
SH256 hash:
18c854732dfe64fe6c70cc0da326e7ab06dc5df719f9c02e920f6c6722146c7a
MD5 hash:
3fa75a486140d2e86595b7a0234b2c26
SHA1 hash:
1a363d6e3285b5515d3496e35181dc549767d459
Link:
https://www.unpac.me/results/b2a441e6-ca66-4bd2-bd6b-ad438d99aa62/
SH256 hash:
ca004f3971c503ecb459840848612bd0614b7b40af5ca8616c8936eb075686f6
MD5 hash:
7893d7bddd2bdc61184c82550fa37b86
SHA1 hash:
7f9d11cf82591e5ccada3a153527aec5251031fd
Link:
https://www.unpac.me/results/b2a441e6-ca66-4bd2-bd6b-ad438d99aa62/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ca004f3971c5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ca004f3971c503ecb459840848612bd0614b7b40af5ca8616c8936eb075686f6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe ca004f3971c503ecb459840848612bd0614b7b40af5ca8616c8936eb075686f6

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/370985/

Comments