MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd03b9031f45ecee766ffd5f697a5234745eab0f0665620ec4f271536aca69a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fd03b9031f45ecee766ffd5f697a5234745eab0f0665620ec4f271536aca69a1
SHA3-384 hash: fe493ba91fe0e4621d7ca09992bb5033a69b736ffde89fd8ab75e6973aea0158d4764a68c7bb7aa73b12219cb117969a
SHA1 hash: a515c1d1742b89f77d426dfd9c44d54bdb02afaa
MD5 hash: f4627284648d7e383ace8135bd8140d5
humanhash: burger-solar-maine-london
File name:fd03b9031f45ecee766ffd5f697a5234745eab0f06656.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'130'496 bytes
First seen:2022-04-04 05:11:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7c9e068cec378fb57daaafa5b29927b3 (4 x Stop, 2 x Loki, 1 x RedLineStealer)
ssdeep 24576:nG9/OwIwtZ8+sCuezNU7Eey2GuYEaRwyhX/8R:nG99IwbHuYNcsEZwk
Threatray 11'427 similar samples on MalwareBazaar
TLSH T1CC3522B0F691C474C4A612306719CF702ABE74716A24079AB79C3F5A6F223C079F676B
File icon (PE):PE icon
dhash icon 480c1c4c4f594b14 (172 x Smoke Loader, 134 x RedLineStealer, 98 x Amadey)
Reporter abuse_ch
Tags:DanaBot exe


Avatar
abuse_ch
DanaBot C2:
104.168.167.51:443

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
104.168.167.51:443 https://threatfox.abuse.ch/ioc/488454/

Intelligence

File Origin
# of uploads :
1
# of downloads :
676
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/260315/
Detection(s):
Win.Dropper.Stop-9938042-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Сreating synchronization primitives
Searching for synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/12467/overview
Behaviour
SystemUptime
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/624a7e25db9ca5cf8418b10c/reports/a4a06d7e-6645-4bad-b735-c7a5861a35ba/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e6153b1d-dc40-485c-92d9-28fbaac98183
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad.phis.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/969691
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
May use the Tor software to hide its network traffic
Multi AV Scanner detection for submitted file
Overwrites code with function prologues
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Call by Ordinal
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 602178 Sample: fd03b9031f45ecee766ffd5f697... Startdate: 04/04/2022 Architecture: WINDOWS Score: 100 50 Multi AV Scanner detection for submitted file 2->50 52 Yara detected DanaBot stealer dll 2->52 54 Machine Learning detection for sample 2->54 56 2 other signatures 2->56 8 fd03b9031f45ecee766ffd5f697a5234745eab0f06656.exe 3 2->8         started        process3 signatures4 58 Detected unpacking (changes PE section rights) 8->58 60 Detected unpacking (overwrites its own PE header) 8->60 62 Overwrites code with function prologues 8->62 11 rundll32.exe 8->11         started        15 rundll32.exe 13 8->15         started        process5 dnsIp6 42 5.224.44.103, 443, 49788 VODAFONE_ESES Spain 11->42 44 179.89.201.62, 443, 49866 TELEFONICABRASILSABR Brazil 11->44 48 21 other IPs or domains 11->48 64 System process connects to network (likely due to code injection or exploit) 11->64 66 Tries to steal Instant Messenger accounts or passwords 11->66 68 Tries to harvest and steal browser information (history, passwords, etc) 11->68 18 schtasks.exe 1 11->18         started        20 schtasks.exe 1 11->20         started        22 schtasks.exe 1 11->22         started        24 25 other processes 11->24 46 104.168.167.51, 443, 49749, 49766 HOSTWINDSUS United States 15->46 40 C:\Users\user\AppData\...\Ayyqperwppofe.tmp, DOS 15->40 dropped 70 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->70 72 Uses schtasks.exe or at.exe to add and modify task schedules 15->72 file7 signatures8 process9 process10 26 conhost.exe 18->26         started        28 conhost.exe 20->28         started        30 conhost.exe 22->30         started        32 conhost.exe 24->32         started        34 conhost.exe 24->34         started        36 conhost.exe 24->36         started        38 20 other processes 24->38
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fd03b9031f45ecee766ffd5f697a5234745eab0f0665620ec4f271536aca69a1/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2022-04-04 00:40:15 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7ub3say7ixwo45tp7vpws6ssgr2f5kypazswedwe6jyvg2wkngqq._file
Verdict:
malicious
Similar samples:
00de2ed7834a34d0643df2cbd50188efe3fe66fba74cfd32ff98a7eb70717a46
DanaBot
2775e955bf03d93033ff2bf432ad95158e176d3207962d18dc47fd074d16ba9e
DanaBot
35ae08dd66b6b142499ba173d3ff41f803e9c988a7ad8a25f62e31ed093144d9
DanaBot
403da0c043c2998da98d36702af8795548dc51b836be342d9f2be808b07d6fb9
DanaBot
5abcd78602091e9cddfec8f1e4bdd336ae58273466eb0981c2f980c4d91b6cb2
DanaBot
6ee73d5e4fa4954957aad95443756f9be8fc1423cb7e83aad87048f7d2d970c0
DanaBot
8acfd843d915a1f12da9bbc0dc543d510be82e60257b99273883b6e55a990d9f
DanaBot
c04089468922696353c3c7a044bc53491562ae6a894f77e303f2d50d41363bb4
DanaBot
e68709e57a75e81ed749f70bea9be2815cb7c41fda90a14567927fab472efc03
DanaBot
+ 11'417 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery
Link:
https://tria.ge/reports/220404-fvt33sbec7/
Behaviour
Checks processor information in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks installed software on the system
Blocklisted process makes network request
Unpacked files
SH256 hash:
6fb61d4454a7995e7e0b3c1c549191869e0c2be994e7c3fb504f03f1eae45fa5
MD5 hash:
85c9f8ac6a1baf077eb074ad3c6900ae
SHA1 hash:
3ac9a7ffef2ad012d07ca9bb15cd5586bb3320e6
Link:
https://www.unpac.me/results/788cdd35-d992-4550-b837-091b1660b053/
SH256 hash:
fd03b9031f45ecee766ffd5f697a5234745eab0f0665620ec4f271536aca69a1
MD5 hash:
f4627284648d7e383ace8135bd8140d5
SHA1 hash:
a515c1d1742b89f77d426dfd9c44d54bdb02afaa
Link:
https://www.unpac.me/results/788cdd35-d992-4550-b837-091b1660b053/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/fd03b9031f45/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fd03b9031f45ecee766ffd5f697a5234745eab0f0665620ec4f271536aca69a1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/260315/

Comments