MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 00386f5a0b2c05405ef8dded9f15282e5a1d91e44d1264f139ecb9ac1204217d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	00386f5a0b2c05405ef8dded9f15282e5a1d91e44d1264f139ecb9ac1204217d
SHA3-384 hash:	086ee4bb40a2e516847294fa14521f6ae09fc0803d31e9fbcb5d0bd64d162b29156fc5e90401e2c8cade4c38c323bd5a
SHA1 hash:	e1c2958f6e36478ed1714d2680e3171e9517b40d
MD5 hash:	0261d6c09c1f707a5231b9368368827a
humanhash:	kansas-bravo-wisconsin-mike
File name:	0261d6c09c1f707a5231b9368368827a.exe
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	1'098'240 bytes
First seen:	2021-08-05 15:18:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2a9c1ca66125aeff7a1c36242be63d54 (10 x RaccoonStealer, 1 x ServHelper, 1 x Loki)
ssdeep	24576:V0YILxtm+yLvubrtGyVbwqHx40+8nB9s0YTofO:VCyL2bsMbwEK296WO
Threatray	3'385 similar samples on MalwareBazaar
TLSH	T11D352326F981C47BE5520BB14EE8C396C7527CA6CC7A29873B94134D1F35582FE6A307
dhash icon	1272d292105c5c03 (31 x RaccoonStealer, 6 x Smoke Loader, 4 x Loki)
Reporter	abuse_ch
Tags:	DanaBot exe

Intelligence

File Origin

# of uploads :

# of downloads :

507

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

0261d6c09c1f707a5231b9368368827a.exe

Verdict:

Malicious activity

Analysis date:

2021-08-05 15:20:10 UTC

Tags:

trojan danabot

Link:

https://app.any.run/tasks/689836e0-d644-4785-a253-cc4aca40ec0f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

DanaBot

Link:

https://www.capesandbox.com/analysis/176709/

Detection(s):

Win.Malware.Generic-9883819-0

Win.Packed.Generic-9883938-0

Win.Malware.Generic-9883941-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Enabling the 'hidden' option for recently created files

Launching a process

Creating a process with a hidden window

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5f6547c6-f48c-440e-ba87-978288757c2c

Result

Threat name:

DanaBot

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/827516

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected DanaBot stealer dll

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/00386f5a0b2c05405ef8dded9f15282e5a1d91e44d1264f139ecb9ac1204217d/

Threat name:

Win32.Trojan.Sabsik

Status:

Malicious

First seen:

2021-08-05 00:28:48 UTC

AV detection:

14 of 26 (53.85%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=aa4g6wqlfqcuaxxy3xwz6fjifznb3epejujgj4jz5s42yeqeef6q._file

Verdict:

unknown

Result

Malware family:

danabot

Score:

10/10

Tags:

family:danabot banker trojan

Link:

https://tria.ge/reports/210805-mlvgh69p4e/

Behaviour

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Loads dropped DLL

Blocklisted process makes network request

Danabot

Danabot Loader Component

Malware Config

C2 Extraction:

142.11.244.124:443
142.11.206.50:443

Unpacked files

SH256 hash:

2cb40a44c4b793d9ce9fb35eef324f97a0841dccf972f1dde0fa71e2332ac7e9

MD5 hash:

7f2bd352c8b7d4b2d92554e01e6dd1e1

SHA1 hash:

005051ce716858cfc632ccab0591acb3cfb9ec82

Link:

https://www.unpac.me/results/fe3b2732-81f9-4c31-99e2-5617875193aa/

SH256 hash:

3812ea5c4ddd4c6ab42a0a084fbfcbadf0afeda7cab570fbabb696f1e7cbc493

MD5 hash:

7be55887e7c595ac3716cc9023541b41

SHA1 hash:

1d33c07292c418004a43868243d0cf8ac6e5830c

Link:

https://www.unpac.me/results/fe3b2732-81f9-4c31-99e2-5617875193aa/

SH256 hash:

00386f5a0b2c05405ef8dded9f15282e5a1d91e44d1264f139ecb9ac1204217d

MD5 hash:

0261d6c09c1f707a5231b9368368827a

SHA1 hash:

e1c2958f6e36478ed1714d2680e3171e9517b40d

Link:

https://www.unpac.me/results/fe3b2732-81f9-4c31-99e2-5617875193aa/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/00386f5a0b2c05405ef8dded9f15282e5a1d91e44d1264f139ecb9ac1204217d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

exe 00386f5a0b2c05405ef8dded9f15282e5a1d91e44d1264f139ecb9ac1204217d

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1461110/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/1495647/

URLhaus

https://urlhaus.abuse.ch/url/1467030/

URLhaus

https://urlhaus.abuse.ch/url/1490082/

Cape

https://www.capesandbox.com/analysis/176709/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample