MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb80c22b017b9fd4dca39fce6b2385fec80c3f8fed1412b859adb09f109f4509. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot
Vendor detections: 9



SHA256 hash: cb80c22b017b9fd4dca39fce6b2385fec80c3f8fed1412b859adb09f109f4509
SHA3-384 hash: 4d5ca4fe1adfa4907d0ac167efb069ccbabda3bf603ccfe44e67e66657b298ab4882b4546eda60d03db46eb440690a97
SHA1 hash: 7d5797deae6083172684c7e91cbca672acc2fc10
MD5 hash: 01c59d772e6853b9a031c2a6070028b1
humanhash: moon-butter-coffee-blue
File name: 01c59d772e6853b9a031c2a6070028b1.exe
Signature: DanaBot
File size: 3'998'208 bytes
First seen: 2023-01-21 08:19:29 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f59055ddf5d9b2bfdec5b43ba63509a2 (12 x Smoke Loader, 5 x CoinMiner, 3 x Tofsee)
ssdeep: 98304:C24jiRdvoykX2PS3UOo75ItTlVbzVU2dNAxfWtH:C24lv2PSkOo75I9z38O
TLSH: T14506233165A2B850DB2ACA73CD19D2F0EDBDB454F910AB271E394E5F1EF08B5856F280
TrID:
  47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
  9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: a83c94a4a49484c0 (1 x DanaBot)
Reporter: abuse_ch
Tags: DanaBot exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 222
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 01c59d772e6853b9a031c2a6070028b1.exe
Verdict: Malicious activity
Analysis date: 2023-01-21 08:22:17 UTC
Tags: stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:

Behaviour
Searching for the window

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: glupteba greyware lockbit mikey packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 63 / 100
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Behaviour
Threat name: Win32.Trojan.Mikey
Status: Malicious
First seen: 2023-01-20 23:01:23 UTC
AV detection: 20 of 39 (51.28%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: discovery persistence
Behaviour
Checks processor information in registry
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks installed software on the system
Loads dropped DLL
Blocklisted process makes network request
Sets DLL path for service in the registry
Sets service image path in registry
Unpacked files

| SHA256 hash | MD5 hash | SHA1 hash |
|---|---|---|
| 4868b0477f05cf0e4a56c6e7da1124b2519dbec3b294c717c44d45a276c07eec | 8da5c6445f0a8cfed2fcd2e7d9ab0ce7 | 966dfc53abafdf9e81cb5266b1ae4056ebde623b |
| 69fe521b2fc016441e1e875c2d017fc88d23702c5c88b47f7e98aa529e7c9180 | 29b2695d84413e574ace9d5f14e8b442 | 5b3a609bb3d40236219f99b0090672f168177aac |
| 8e4133a7875ca25915a553b4479bcdc51e36268b29e458112e10a168784539a6 | 9048560a1a6dae1a20f06b3202c3c385 | 1c3122a9cdeedd8b6f6dfb459130adeecce36934 |
| cb80c22b017b9fd4dca39fce6b2385fec80c3f8fed1412b859adb09f109f4509 (this sample) | 01c59d772e6853b9a031c2a6070028b1 | 7d5797deae6083172684c7e91cbca672acc2fc10 |

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: Windows_Trojan_Smokeloader_3687686f
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

| Delivery method | Malware family | File type | SHA256 hash |
|---|---|---|---|
| Web download | DanaBot | Executable exe | cb80c22b017b9fd4dca39fce6b2385fec80c3f8fed1412b859adb09f109f4509 (this sample) |

Delivery method: Distributed via web download
