MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3d5b6d0c39c747762c25d021c7a8aedaa7a30beb9af9187d15aea7178ea9758. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e3d5b6d0c39c747762c25d021c7a8aedaa7a30beb9af9187d15aea7178ea9758
SHA3-384 hash: 6d7a668b897544bb4c06c984d262f4e867eb1dd0dd3030158ded4eff0163c98f39ff5f07686c4b848e128bf46f0b3097
SHA1 hash: 688bd3512930d53cb565468d86941884858c2b52
MD5 hash: 63c6959237b662401a9f78e799d34db1
humanhash: aspen-zebra-hot-fourteen
File name:63c6959237b662401a9f78e799d34db1
Download: download sample
Signature DanaBot
Create hunting rule
File size:6'356'626 bytes
First seen:2021-10-21 22:38:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 196608:4k2h2ABtGyZS/8LJ6pJhzcXyc1oCkx07g4UgrP:4xsWlS/8L8pJh0oCkmmYP
Threatray 6'761 similar samples on MalwareBazaar
TLSH T13256331A37E1463BF03287B0AE665A5BB5FF5E1845346E9C5700BC6D2922249AD03F3F
File icon (PE):PE icon
dhash icon f0e8dcd0f4d8bcb4 (2 x DanaBot)
Reporter zbetcheckin
Tags:32 DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
313
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://tynjua14.top/downfiles/lv.exe
Verdict:
Malicious activity
Analysis date:
2021-10-21 17:52:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a63d61f5-4632-4b93-9c05-1d400f08bf05

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DLAgent14
Create hunting rule
Link:
https://www.capesandbox.com/analysis/199201/
Detection(s):
Win.Packed.Filerepmalware-9864117-0
Create hunting rule

Win.Packed.Stop-9872858-0
Create hunting rule

Win.Packed.Doina-9886276-0
Create hunting rule

Win.Packed.Pwsx-9901330-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a file in the Program Files subdirectories
Deleting a recently created file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/6171ec099a5a1e91c5cccdf2/reports/2de6f334-e65b-4c6d-a65e-fc16b9dadd6b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a60e5ae0-1122-460b-8cb1-5c5075252300
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/874904
Signature
Antivirus detection for dropped file
Hides threads from debuggers
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 507332 Sample: 2wY8F2BCNp Startdate: 22/10/2021 Architecture: WINDOWS Score: 100 56 Multi AV Scanner detection for submitted file 2->56 58 Tries to detect sandboxes and other dynamic analysis tools (window names) 2->58 60 PE file contains section with special chars 2->60 62 2 other signatures 2->62 7 2wY8F2BCNp.exe 25 2->7         started        10 IntelRapid.exe 2->10         started        13 IntelRapid.exe 2->13         started        process3 file4 32 C:\Users\user\AppData\Local\...\yoicksvp.exe, PE32 7->32 dropped 34 C:\Users\user\AppData\Local\...\undirk.exe, PE32+ 7->34 dropped 36 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 7->36 dropped 38 3 other files (none is malicious) 7->38 dropped 15 yoicksvp.exe 3 18 7->15         started        20 undirk.exe 4 7->20         started        74 Query firmware table information (likely to detect VMs) 10->74 76 Hides threads from debuggers 10->76 78 Tries to detect sandboxes / dynamic malware analysis system (registry check) 10->78 signatures5 process6 dnsIp7 42 ip-api.com 208.95.112.1, 49764, 80 TUT-ASUS United States 15->42 28 C:\Users\user\AppData\Local\...\rpcmalqfc.vbs, ASCII 15->28 dropped 44 Antivirus detection for dropped file 15->44 46 Query firmware table information (likely to detect VMs) 15->46 48 May check the online IP address of the machine 15->48 54 2 other signatures 15->54 22 wscript.exe 12 15->22         started        30 C:\Users\user\AppData\...\IntelRapid.exe, PE32+ 20->30 dropped 50 Hides threads from debuggers 20->50 52 Tries to detect sandboxes / dynamic malware analysis system (registry check) 20->52 26 IntelRapid.exe 20->26         started        file8 signatures9 process10 dnsIp11 40 iplogger.org 88.99.66.31, 443, 49765 HETZNER-ASDE Germany 22->40 64 System process connects to network (likely due to code injection or exploit) 22->64 66 May check the online IP address of the machine 22->66 68 Query firmware table information (likely to detect VMs) 26->68 70 Hides threads from debuggers 26->70 72 Tries to detect sandboxes / dynamic malware analysis system (registry check) 26->72 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e3d5b6d0c39c747762c25d021c7a8aedaa7a30beb9af9187d15aea7178ea9758/
Threat name:
Win32.Dropper.Scrop
Create hunting rule
Status:
Malicious
First seen:
2021-10-21 22:39:06 UTC
AV detection:
17 of 44 (38.64%)
Threat level:
  3/5
Verdict:
malicious
Similar samples:
17466b5e290e6614085fbe5ce7077bbbf470334b49ac749129c4622bfd34cbed
DanaBot
1d853f68927005c2158b9e5730d78b0c13e7306339a2807cc24fdbf82e37b647
DanaBot
3ec8d6d1645881d59332953e0da03a3207d34f985dd88e975ca8bf65fb7cc3c1
DanaBot
80bed6ab0b5b8714354e174beb3be2c10a749dd8133c2e74f3ebdb4936e6f411
DanaBot
82986179159fb1244b89a23ab01b915fe1c24407712c156a087fe902572a4a8f
DanaBot
88b21d6bda07db2097615a88062328006f0c10d199d4fc5e50483d6fd6abe622
DanaBot
ab2c8662c8101b040f3b5e41eb3639b1be3ce9da6ac155f7a4b0fbe63bb3fde3
DanaBot
c98b385fbe81a0170835d5ece1bb8a32fb93a7b98961fcd093416f6b3e8a1385
DanaBot
d80ff2378e1da1fcdf9f21f57c5498b4f55ded34c425b6bf91f489319336a8e6
DanaBot
e22b05e4c2a27e069302fd4be52f92bcd883f075cb1b91f958f4d5e3b2a8a6e6
DanaBot
+ 6'751 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot botnet:4 banker collection discovery evasion spyware stealer themida trojan
Link:
https://tria.ge/reports/211021-2kyjeaahc5/
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Danabot
Danabot Loader Component
Malware Config
C2 Extraction:
192.119.110.73:443
192.236.147.159:443
192.210.222.88:443
Unpacked files
SH256 hash:
5af6b5dffdfcf6b4a02ba385c3da046367aa7797496327be535c6ed6be984600
MD5 hash:
602dddcfcbbcb08ff0eefc4fbb07422a
SHA1 hash:
29b1e149a7adf9509f98369b1a34f2a29bfb5616
Link:
https://www.unpac.me/results/b63d2996-5e90-4687-9320-4b715ff9c766/
SH256 hash:
e3d5b6d0c39c747762c25d021c7a8aedaa7a30beb9af9187d15aea7178ea9758
MD5 hash:
63c6959237b662401a9f78e799d34db1
SHA1 hash:
688bd3512930d53cb565468d86941884858c2b52
Link:
https://www.unpac.me/results/b63d2996-5e90-4687-9320-4b715ff9c766/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e3d5b6d0c39c747762c25d021c7a8aedaa7a30beb9af9187d15aea7178ea9758

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:MALWARE_Win_DLAgent14
Create hunting rule
Author:ditekSHen
Description:Detects downloader injector

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe e3d5b6d0c39c747762c25d021c7a8aedaa7a30beb9af9187d15aea7178ea9758

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1705536/
Cape
Cape
https://www.capesandbox.com/analysis/199201/

Comments


Avatar
zbet commented on 2021-10-21 22:38:18 UTC

url : hxxp://tynjua14.top/download.php?file=lv.exe