MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cda8ffa2a84daf8097f5ca919b6b350cd30b697565bbae6d8adbfab217d476e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cda8ffa2a84daf8097f5ca919b6b350cd30b697565bbae6d8adbfab217d476e8
SHA3-384 hash: c6357f4fabc57114e4d8272cf9ee237ff5a27fb0655106f5423e7c0eb782db4e0df4df51eebbb234d6d89b5391c70835
SHA1 hash: 13bf831b6c3999dea0b6db52f1fd95dae08cb6aa
MD5 hash: c494dea14e40bc2522328becb71c2ac6
humanhash: west-virginia-tango-fillet
File name:file
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'040'896 bytes
First seen:2022-11-24 16:32:02 UTC
Last seen:2022-11-24 18:28:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5a0f5eee1a1d8df02fd40c6cf3174a3d (6 x Smoke Loader, 3 x RedLineStealer, 2 x Amadey)
ssdeep 24576:81aNasQTghCrmuqdTT088P+HYS60aWCIdbcBVA:8oNJQTaCC9dTT08NHYSEx
Threatray 24 similar samples on MalwareBazaar
TLSH T1CC2523103CC0DCB2D8DA05301624CAA1BFBC69F27E7465A77BAC0A5D9FA12D15B653C7
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 24a41370399b9b91 (1 x DanaBot, 1 x Amadey, 1 x CoinMiner)
Reporter jstrosch
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
201
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-11-24 16:35:06 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/fe3990a8-6171-4fd4-ae72-025d6673882c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/338139/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.31812.6246.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Creating a window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Сreating synchronization primitives
Reading critical registry keys
Using the Windows Management Instrumentation requests
Searching for the window
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/637f9c8b5be128ac718ead6a/reports/6ac63057-8542-4145-83f6-20471b47b733/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/707f2c5b-c3b7-4ba7-a8c9-777ea55427c2
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1120651
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cda8ffa2a84daf8097f5ca919b6b350cd30b697565bbae6d8adbfab217d476e8/
Threat name:
Win32.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2022-11-24 16:33:08 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zwup7ivijwxybf7vzkizw2zvbtjqw2lvmw5243mk3p5lef6uo3ua._file
Verdict:
malicious
Similar samples:
0aedafe02dfc6eb2c72ce586ba7fbd0ccfc8eaeb41c526d5f113b13868a3402f
DanaBot
0f61e4c12e7b1adaef470477741d36eb115d8ec9fb6ad827e6db4104b2d9ca85
DanaBot
1e178cb5d1ceea8f6a38b6ac8c8cf7f930419e89d9d2c161548643dcff600c96
DanaBot
3e95cf2840767ca2dd125e4eea9e00f455fdbd1a981d883e0f177d9eb4115083
DanaBot
79f89252957a5c3a833aea9dcd27aab5b8a21e933c0234b7854c548fe6093e5e
DanaBot
af1a67547b2f20b961904e91abb6032223582774c1f622b49994f70f76cfc9f7
DanaBot
b945d3da38ae64be812672282c821e3aab404ae453e617ca6c2f335b94de0726
DanaBot
ba64ac453d154d8c046addc8e5068452ed2523daff2d5089b11fb57d5f8fa4f1
DanaBot
dd48b654a29ffa4f76904123aeb256369e77d202f7d21773999c2258078ae947
DanaBot
ef6ac2c16346e465017474b1d41940bd74b832256cf21430e73c2ed877b4e7e7
DanaBot
+ 14 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection discovery persistence spyware stealer
Link:
https://tria.ge/reports/221124-t1yv4saf3z/
Behaviour
Checks processor information in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Sets DLL path for service in the registry
Sets service image path in registry
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8b525f94-a007-462e-b901-f6a2b478b8d9
Unpacked files
SH256 hash:
ba2b692a5928ffe136fb3910123d900fc33ec0b351b30b91a8236b7937cb0f14
MD5 hash:
90d4f91ee9e460f960b8c9ab31beff0c
SHA1 hash:
aa6bb6e19a13a5a61194dee37ac6835b3910070a
Link:
https://www.unpac.me/results/2af748bf-8e42-40e8-80d6-2e96f6093d90/
SH256 hash:
11e588140d0ed9790915b4ab82988d6a228c95efe39bdd405b36abb1619e0740
MD5 hash:
c6ded582d3645a6d9ad249587b3b3c66
SHA1 hash:
c63f5eba999f972bd413d3c568d76ff2f1bee752
Link:
https://www.unpac.me/results/2af748bf-8e42-40e8-80d6-2e96f6093d90/
SH256 hash:
cda8ffa2a84daf8097f5ca919b6b350cd30b697565bbae6d8adbfab217d476e8
MD5 hash:
c494dea14e40bc2522328becb71c2ac6
SHA1 hash:
13bf831b6c3999dea0b6db52f1fd95dae08cb6aa
Link:
https://www.unpac.me/results/2af748bf-8e42-40e8-80d6-2e96f6093d90/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cda8ffa2a84daf8097f5ca919b6b350cd30b697565bbae6d8adbfab217d476e8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe cda8ffa2a84daf8097f5ca919b6b350cd30b697565bbae6d8adbfab217d476e8

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/338139/
  
URLhaus
https://urlhaus.abuse.ch/url/2423260/

Comments