MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2ba18358b1edbac5cdb875761367ce6f88ef0e61d749357a259988d15d1bc17. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 7


Intelligence 7 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d2ba18358b1edbac5cdb875761367ce6f88ef0e61d749357a259988d15d1bc17
SHA3-384 hash: 70f6e2f18e4e64a88ec70696c0ed6aa59b6c411638f9bc17f241d0fa22a0ee94012b40c554e6f0410d31520a9a42bc00
SHA1 hash: 195fbff2221ada0100e794edfd9b93ad0c11ff59
MD5 hash: de84d306ca9d35321f98a6d26fc35275
humanhash: oregon-nevada-sodium-maine
File name:SecuriteInfo.com.W32.AIDetect.malware2.6699.32027
Download: download sample
Signature DanaBot
Create hunting rule
File size:6'135'296 bytes
First seen:2021-03-07 14:41:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d125c0f965ce4fb92e7bf06e2d14bc41 (1 x DanaBot)
ssdeep 98304:IISMexDp8w3R+loGKSybggVzJwSvpHXMn4Wgi1I0y2qQ1:KHCy0IbvpH8nd91Xy2qU
TLSH D1563314556CA5F2E0B8ABBC142A52B1192BFC8C5748F5CB379C3E4E9B3C1C932725DA
Reporter SecuriteInfoCom
Tags:DanaBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
478
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.W32.AIDetect.malware2.6699.32027
Verdict:
Suspicious activity
Analysis date:
2021-03-07 14:43:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/de899ffc-e1be-4e3e-b952-a162e93cee2d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/122693/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.6699.32027.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file
Launching a process
Creating a process with a hidden window
Changing a file
Modifying an executable file
Creating a file in the %temp% directory
Sending a custom TCP request
Reading critical registry keys
Forced system process termination
Connection attempt
Infecting executable files
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/630623
Signature
Bypasses PowerShell execution policy
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Uses nslookup.exe to query domains
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 364281 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 07/03/2021 Architecture: WINDOWS Score: 100 53 Multi AV Scanner detection for submitted file 2->53 55 Yara detected DanaBot stealer dll 2->55 57 Machine Learning detection for sample 2->57 59 4 other signatures 2->59 9 SecuriteInfo.com.W32.AIDetect.malware2.6699.exe 1 2->9         started        process3 file4 45 C:\Users\user\Desktop\SECURI~1.EXE.dll, PE32 9->45 dropped 67 Detected unpacking (changes PE section rights) 9->67 69 Detected unpacking (overwrites its own PE header) 9->69 13 rundll32.exe 9->13         started        signatures5 process6 signatures7 71 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 13->71 73 Contains functionality to steal Internet Explorer form passwords 13->73 16 rundll32.exe 8 24 13->16         started        process8 dnsIp9 47 142.44.224.16, 443, 49707 OVHFR Canada 16->47 41 C:\Users\user\AppData\...\tmpA67B.tmp.ps1, ASCII 16->41 dropped 43 C:\Users\user\AppData\Local\...\Web Data, SQLite 16->43 dropped 61 System process connects to network (likely due to code injection or exploit) 16->61 63 Tries to harvest and steal browser information (history, passwords, etc) 16->63 21 powershell.exe 14 16->21         started        24 powershell.exe 16 16->24         started        26 schtasks.exe 1 16->26         started        28 schtasks.exe 1 16->28         started        file10 signatures11 process12 signatures13 65 Uses nslookup.exe to query domains 21->65 30 nslookup.exe 1 21->30         started        33 conhost.exe 21->33         started        35 conhost.exe 24->35         started        37 conhost.exe 26->37         started        39 conhost.exe 28->39         started        process14 dnsIp15 49 8.8.8.8.in-addr.arpa 30->49 51 localhost 30->51
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d2ba18358b1edbac5cdb875761367ce6f88ef0e61d749357a259988d15d1bc17/
Threat name:
Win32.Trojan.BotX
Create hunting rule
Status:
Malicious
First seen:
2021-03-07 14:42:07 UTC
AV detection:
16 of 48 (33.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2k5bqnmld3n2yxg3q5lwcnt4434i54hgdv2jgv5clgmi2forxqlq._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210307-2tes8lr83a/
Unpacked files
SH256 hash:
d2ba18358b1edbac5cdb875761367ce6f88ef0e61d749357a259988d15d1bc17
MD5 hash:
de84d306ca9d35321f98a6d26fc35275
SHA1 hash:
195fbff2221ada0100e794edfd9b93ad0c11ff59
Link:
https://www.unpac.me/results/3afd0d1a-e052-4bc5-a779-32b785968eb8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
IstartSurf
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d2ba18358b1edbac5cdb875761367ce6f88ef0e61d749357a259988d15d1bc17

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:hunt_skyproj_backdoor
Create hunting rule
Author:SBousseaden
Reference:https://unit42.paloaltonetworks.com/unit42-prince-persia-ride-lightning-infy-returns-foudre/
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:@ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePasswor
Create hunting rule
Author:ditekSHen
Description:Detects PowerShell content designed to retrieve passwords from host
Rule name:INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePassword
Create hunting rule
Author:ditekSHen
Description:Detects PowerShell content designed to retrieve passwords from host
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_DanaBot
Create hunting rule
Author:ditekSHen
Description:Detects DanaBot variants
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Stealer_word_in_memory
Create hunting rule
Author:James_inthe_box
Description:The actual word stealer in memory
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe d2ba18358b1edbac5cdb875761367ce6f88ef0e61d749357a259988d15d1bc17

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1044931/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1052337/
Cape
Cape
https://www.capesandbox.com/analysis/122693/

Comments