MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d803474f276d6a116f53136d486a257bf6414a5c4393aa83793bc77a4124afd2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d803474f276d6a116f53136d486a257bf6414a5c4393aa83793bc77a4124afd2
SHA3-384 hash: 009e7e7da9300fafaa601f52dbdeec241c82eda79d6e552802380c0f5e69ae6ee71d3bb441cf2cb6af9faef223ddc053
SHA1 hash: 0130ffae937976b40bb295ce04208980f52aabc2
MD5 hash: e6305f7275215b0ed6c8e91c4dcc9079
humanhash: twelve-emma-hamper-uniform
File name:e6305f7275215b0ed6c8e91c4dcc9079.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'102'848 bytes
First seen:2022-04-08 08:51:02 UTC
Last seen:2022-04-08 10:14:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 23aef259b74b761b8d544111b9225b45 (2 x RedLineStealer, 2 x Stop, 1 x DanaBot)
ssdeep 24576:TBTD6F5M3ApzwODTXaKyih4NhM07eJ8PHHLWRWCNzjeoY7:TiM3o7jpDQeJ8PHq0cz
Threatray 10'603 similar samples on MalwareBazaar
TLSH T1DE351211BB41E034E9B711F80D79A3A8B91E7DB19F2021CB62D662FD0635AD4EC3275B
File icon (PE):PE icon
dhash icon b2dacaaecee6baa6 (23 x RedLineStealer, 22 x Stop, 13 x Smoke Loader)
Reporter abuse_ch
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
576
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e6305f7275215b0ed6c8e91c4dcc9079.exe
Verdict:
Suspicious activity
Analysis date:
2022-04-08 23:07:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/68b8d826-b2bd-46e4-a7e6-98f7b653bf8c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/261978/
Detection(s):
SecuriteInfo.com.Trojan.Siggen17.35714.2940.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Сreating synchronization primitives
Searching for the window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a window
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/624ff77cbbd90911a2964a13/reports/b316206d-d6be-4f18-adca-a1eec10a1fe7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/af01e21c-abd7-450d-8b04-c63543e2770b
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad.phis.spyw
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/973462
Signature
Machine Learning detection for sample
May use the Tor software to hide its network traffic
Multi AV Scanner detection for submitted file
Overwrites code with function prologues
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Call by Ordinal
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 605946 Sample: 1kFy1ONrHw.exe Startdate: 08/04/2022 Architecture: WINDOWS Score: 96 62 Multi AV Scanner detection for submitted file 2->62 64 Yara detected DanaBot stealer dll 2->64 66 Machine Learning detection for sample 2->66 68 2 other signatures 2->68 8 1kFy1ONrHw.exe 3 2->8         started        process3 signatures4 70 Overwrites code with function prologues 8->70 11 rundll32.exe 8->11         started        15 rundll32.exe 13 8->15         started        18 WerFault.exe 16 8->18         started        20 8 other processes 8->20 process5 dnsIp6 54 136.189.219.111, 443, 49786 WAUSAU-INSUS United States 11->54 56 152.125.197.69, 443, 49787 VA-TMP-COREUS United States 11->56 60 16 other IPs or domains 11->60 72 System process connects to network (likely due to code injection or exploit) 11->72 74 Tries to steal Instant Messenger accounts or passwords 11->74 76 Tries to harvest and steal browser information (history, passwords, etc) 11->76 22 schtasks.exe 11->22         started        24 schtasks.exe 11->24         started        26 schtasks.exe 11->26         started        28 3 other processes 11->28 58 213.227.155.102, 443, 49751, 49782 LEASEWEB-NL-AMS-01NetherlandsNL Netherlands 15->58 42 C:\Users\user\AppData\...\Ppuhopfpwo.tmp, DOS 15->42 dropped 78 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->78 80 Uses schtasks.exe or at.exe to add and modify task schedules 15->80 44 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->44 dropped 46 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 20->46 dropped 48 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 20->48 dropped 50 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 20->50 dropped 52 5 other malicious files 20->52 dropped file7 signatures8 process9 process10 30 conhost.exe 22->30         started        32 conhost.exe 24->32         started        34 conhost.exe 26->34         started        36 conhost.exe 28->36         started        38 conhost.exe 28->38         started        40 conhost.exe 28->40         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d803474f276d6a116f53136d486a257bf6414a5c4393aa83793bc77a4124afd2/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2022-04-08 00:33:09 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
13 of 26 (50.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1857c7aef05e1ea2d590a42c55fe60f910b6a7473b7f4443d03d3f46759121bd
DanaBot
26d64a54a7d7c19a0c9c865c6ba67a4bbda227599f1e7d79e08a570637c4ea12
DanaBot
2f43972540a6cae0eb4e50d142860bdc278b44b9b4606747c58e19383efa82f5
DanaBot
4e97c34bc866c9e70fca69b0375d14534d98bccfaae683924a08328c75ab5416
DanaBot
6e33bb5afea750c9d310218cf18796b7e1754332684bf92806ccba081bcc5a69
DanaBot
a0bc490c4a5263a90e83476958a538d960a94437432c4561008a6c9bb4af2b17
DanaBot
a664d80c5b8a2203288086ed56c42f443622e787beae17677b1504ab524a2795
DanaBot
c7a4fad10ef66516e492ab30d600be219ea259c4f0a42a3f664ae7b3cd94e2b7
DanaBot
dcedf234c0f9d6fe3a4392693c82708c70c8e243f42f2e7073d35bd928f3b526
DanaBot
fd03b9031f45ecee766ffd5f697a5234745eab0f0665620ec4f271536aca69a1
DanaBot
+ 10'593 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220408-kr54dsbac6/
Behaviour
Checks processor information in registry
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Blocklisted process makes network request
Unpacked files
SH256 hash:
8dc0097e4189981aae9a155e3a5cda770ed220fcca3b86381efd3c38c71127a3
MD5 hash:
124dafcff50fe5666d2539919e120f21
SHA1 hash:
a40dc591ecf9e630ca6e00f97ac87715b9ad317d
Link:
https://www.unpac.me/results/045ab2c4-64a1-4586-99ab-0023f79a8531/
SH256 hash:
d803474f276d6a116f53136d486a257bf6414a5c4393aa83793bc77a4124afd2
MD5 hash:
e6305f7275215b0ed6c8e91c4dcc9079
SHA1 hash:
0130ffae937976b40bb295ce04208980f52aabc2
Link:
https://www.unpac.me/results/045ab2c4-64a1-4586-99ab-0023f79a8531/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d803474f276d6a116f53136d486a257bf6414a5c4393aa83793bc77a4124afd2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/261978/

Comments