MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d20393005bd47dc79acbf72c5f032a208c33aebb7f76f7bf01b69218161a1232. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d20393005bd47dc79acbf72c5f032a208c33aebb7f76f7bf01b69218161a1232
SHA3-384 hash: 61298fa7fa7eff75d7a7a38fbeb598861f04fac412cf77d4394d1bd0f918a5f635fa5c3ee142f72436f136f8726a49be
SHA1 hash: 807e70160b1286c6497319f951ee562cffde60ee
MD5 hash: 38ac065e7720adce43a7d2722f8f3c7c
humanhash: lemon-tennis-venus-bakerloo
File name:38ac065e7720adce43a7d2722f8f3c7c.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'138'176 bytes
First seen:2021-06-19 06:09:35 UTC
Last seen:2021-06-19 06:39:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7b1dc6cbb65eee334207b62238bf5f24 (2 x RedLineStealer, 2 x RaccoonStealer, 1 x Stop)
ssdeep 24576:WIEeLp4/84w7IS3uz7JOkVRZkncXHVdtjUyQNmP9H88:M/eXu3JOkVRyncXHVPUt8
Threatray 2'054 similar samples on MalwareBazaar
TLSH C3351200E6A1C039E4B713F4546D97A8BB2C3EB19B2450CF93E959EA9634AF0ED31747
Reporter abuse_ch
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
316
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
38ac065e7720adce43a7d2722f8f3c7c.exe
Verdict:
Malicious activity
Analysis date:
2021-06-19 06:30:06 UTC
Tags:
trojan danabot stealer
Link:
https://app.any.run/tasks/426cf74f-f149-468c-a3fe-e810b9304a2d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/166992/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37121421.29665.22304.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/eb09d61f-4234-4d43-adf5-c48801d05879
Result
Threat name:
Unknown
Detection:
malicious
Classification:
bank.adwa.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/804678
Signature
Bypasses PowerShell execution policy
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Enables a proxy for the internet explorer
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sets a proxy for the internet explorer
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 437089 Sample: 0LoITsdQo6.exe Startdate: 19/06/2021 Architecture: WINDOWS Score: 96 42 Multi AV Scanner detection for submitted file 2->42 44 Machine Learning detection for sample 2->44 9 0LoITsdQo6.exe 1 2->9         started        process3 signatures4 54 Detected unpacking (changes PE section rights) 9->54 56 Detected unpacking (overwrites its own PE header) 9->56 12 rundll32.exe 6 9->12         started        process5 dnsIp6 40 66.85.185.120, 443, 49719, 49742 SSASN2US United States 12->40 34 C:\Users\user\Desktop\0LoITsdQo6.exe, data 12->34 dropped 36 C:\ProgramData\lauvhfdchyoek\jhakldcgpv.tmp, PE32 12->36 dropped 58 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 12->58 60 Bypasses PowerShell execution policy 12->60 17 rundll32.exe 10 23 12->17         started        file7 signatures8 process9 dnsIp10 38 127.0.0.1 unknown unknown 17->38 30 C:\Users\user\AppData\...\tmpFBC4.tmp.ps1, ASCII 17->30 dropped 32 C:\ProgramData\lauvhfdchyoek\Sfnth.tmp, DOS 17->32 dropped 46 System process connects to network (likely due to code injection or exploit) 17->46 48 Tries to harvest and steal browser information (history, passwords, etc) 17->48 50 Sets a proxy for the internet explorer 17->50 52 Enables a proxy for the internet explorer 17->52 22 powershell.exe 16 17->22         started        24 powershell.exe 5 17->24         started        file11 signatures12 process13 process14 26 conhost.exe 22->26         started        28 conhost.exe 24->28         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d20393005bd47dc79acbf72c5f032a208c33aebb7f76f7bf01b69218161a1232/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2021-06-18 23:58:53 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2ibzgac32r64pgwl64wf6azkecgdhlv3p53pppybw2jbqfq2ciza._file
Verdict:
malicious
Similar samples:
0e28b97dc1ae0e9af704ff2fa7761c8c35b5b76f136fe14883e84906ed1304ed
DanaBot
1916cceb86e4b64ec370d958a099114c36b3b4fe16c9e27c7935b2aadd3c8ed6
DanaBot
26e4bbe3bdc2deb3142b952094d6bd3bb27ee0217d7a9b735a0cc2bbdf6bd9b4
DanaBot
31273fa316dc1ee20fa52329d3283ae09f39238b74c90012366485b90bb037b0
DanaBot
36dbcbd2fd7ca9dce07e4fb345b4e2f08bc514a8ecd776a2212a3897e9e6ef55
DanaBot
4a79f527d403fdfec5bf88068a5ac86494395d0b735ac27741a4ff78b2434a55
DanaBot
71bef343c030a099a182448091052c9788988251e1e9e3236cb27b53a5bd318f
DanaBot
777196a3c6dba0ed8fd4f71c26ffda24348ee7e0daf2d135b2cd49a36f524e5e
DanaBot
e084dd63e194fc150dfa439ab805ed2efc631397a40741cfcc789180c42b0515
DanaBot
ffa75b8f967bd35526e421be427fd7b9009fc7faba064454ba99228381ccc1ff
DanaBot
+ 2'044 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/210619-685yfygk16/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Unpacked files
SH256 hash:
1be3c07ea10ea68d76d1114da5c11315ea4cf2cb2b2b2e8856da920db29a7c82
MD5 hash:
2df1c7f999196f539ff7792b7668ab5e
SHA1 hash:
b87cbacbcc7d5e70deff142300240a9efd185ae4
Link:
https://www.unpac.me/results/7d9ae8ed-4d59-4170-81f8-5a2b896dc445/
SH256 hash:
7c971d00f52d10bc471a38acd4da5067036f969671a1b36ed1350ff56ad98f4d
MD5 hash:
684a8d06f30a6fa533aa981efd1c786e
SHA1 hash:
b4672ff46b276977977f5bdb93f7b4a7c03041cf
Link:
https://www.unpac.me/results/7d9ae8ed-4d59-4170-81f8-5a2b896dc445/
SH256 hash:
d20393005bd47dc79acbf72c5f032a208c33aebb7f76f7bf01b69218161a1232
MD5 hash:
38ac065e7720adce43a7d2722f8f3c7c
SHA1 hash:
807e70160b1286c6497319f951ee562cffde60ee
Link:
https://www.unpac.me/results/7d9ae8ed-4d59-4170-81f8-5a2b896dc445/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d20393005bd47dc79acbf72c5f032a208c33aebb7f76f7bf01b69218161a1232

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe d20393005bd47dc79acbf72c5f032a208c33aebb7f76f7bf01b69218161a1232

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/166992/
  
URLhaus
https://urlhaus.abuse.ch/url/1271412/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1338483/

Comments