MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7a7032ddae1adfd64c4c378c6e97be7a2453228c7014a21d3945fc3ddc85d75. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DanaBot


Vendor detections: 13



SHA256 hash: e7a7032ddae1adfd64c4c378c6e97be7a2453228c7014a21d3945fc3ddc85d75
SHA3-384 hash: 965a4399c519738b080115097d16a8c48e60101f10aa8f9fd141e4ee05d60a5b0d582ca3cbb6d81dd259433098990512
SHA1 hash: f761251b872215b0d34b76a53dd6b1452c6ca255
MD5 hash: 8bce39cd73af077e8a24360ad94cd368
humanhash: angel-oscar-friend-undress
File name: E7A7032DDAE1ADFD64C4C378C6E97BE7A2453228C7014.exe
Signature: DanaBot
File size: 292'352 bytes
First seen: 2022-02-22 22:41:27 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: a8880d90dd309ce69e04adb371ea8632 (1 x RedLineStealer, 1 x RustyStealer, 1 x DanaBot)
ssdeep: 3072:/VBXMaM+5XFX3Qt6+YmlTA60BWzad1J9c//scbipRXMj0VggjcGkNIVqI:/VBxB9BAJFlTAhBZ9c/0LJ7ITsq
Threatray: 4'100 similar samples on MalwareBazaar
TLSH: T15154AFD131D2C4B3C59236358965FFE15A7BB831EA70B9473F78172E5E602D0AA2234E
dhash icon: fcfcb4d4d4d4d8c0 (70 x RedLineStealer, 59 x RaccoonStealer, 24 x Smoke Loader)
Reporter: abuse_ch
Tags: DanaBot exe


abuse_ch
DanaBot C2:
5.9.224.217:443

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
5.9.224.217:443 | https://threatfox.abuse.ch/ioc/390195/

Intelligence


File Origin
# of uploads: 1
# of downloads: 405
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Behaviour
MalwareBazaar
CPUID_Instruction
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware qbot
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Verdict:
Malicious
Result
Threat name:
IcedID Raccoon SmokeLoader
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Creates a thread in another existing process (thread injection)
Delayed program exit found
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL side loading technique detected
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May use the Tor software to hide its network traffic
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Overwrites code with function prologues
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)
Sigma detected: Suspicious Call by Ordinal
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected IcedID
Yara detected Raccoon Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph: [graph image not reproduced; Behavior Graph ID: 576860, Sample: E7A7032DDAE1ADFD64C4C378C6E..., Startdate: 22/02/2022, Architecture: WINDOWS, Score: 100]
Threat name:
Win32.Ransomware.StopCrypt
Status:
Malicious
First seen:
2022-01-15 14:52:00 UTC
File Type:
PE (Exe)
Extracted files:
31
AV detection:
39 of 43 (90.70%)
Threat level:
  5/5
Result
Malware family:
smokeloader
Score:
  10/10
Tags:
family:icedid family:raccoon family:smokeloader botnet:9185b8c5d1dac158cc47aef92b143671d2c3a9bf campaign:1843818144 backdoor banker loader stealer suricata trojan
Behaviour
Checks SCSI registry key(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
Deletes itself
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
IcedID First Stage Loader
IcedID, BokBot
Raccoon
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)
suricata: ET MALWARE Win32/IcedID Request Cookie
Malware Config
C2 Extraction:
http://nahbleiben.at/upload/
http://noblecreativeaz.com/upload/
http://tvqaq.cn/upload/
http://recmaster.ru/upload/
http://sovels.ru/upload/
https://oakland-studio.video/search.php
https://seattle-university.video/search.php
grendafolz.com
Unpacked files
SHA256 hash:
bc3cd8a2597f19417019a8786550cb633d27c0f43d7dfe5bb8a8829232173e15
MD5 hash:
8d9f046a561d199522885150c4312188
SHA1 hash:
3e532bb403175657483f37707d941ebd4ac35b3a
SHA256 hash:
e7a7032ddae1adfd64c4c378c6e97be7a2453228c7014a21d3945fc3ddc85d75
MD5 hash:
8bce39cd73af077e8a24360ad94cd368
SHA1 hash:
f761251b872215b0d34b76a53dd6b1452c6ca255
Malware family:
SmokeLoader
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments