MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 020291620f3506a3b1e1d5f8d1dbee22c382255d52f73dd044ab1e23d772ee84. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	020291620f3506a3b1e1d5f8d1dbee22c382255d52f73dd044ab1e23d772ee84
SHA3-384 hash:	322515eb0468bf1d8b0a4203f93be2f64bbbc7631c6ca9f972dd69c4804952c50faa69af805387011170d47a49ca9ccd
SHA1 hash:	6177901046489b5eb3c0b9e08ca5accf8955a2ff
MD5 hash:	3e48ce9f68c21352fc6c245133cec0b9
humanhash:	juliet-robin-kilo-butter
File name:	3e48ce9f68c21352fc6c245133cec0b9.exe
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	1'095'168 bytes
First seen:	2021-08-18 14:46:17 UTC
Last seen:	2021-08-18 16:10:36 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9e6cdfd867cec1c30d2ae8894f290a78 (7 x RedLineStealer, 1 x DanaBot, 1 x FickerStealer)
ssdeep	24576:JJKPXQ0qkyMpE4JR97ouRmeqOF396h3zcY28DSIwGJmx4YN7T89ax:fKYNPMbJRlmeDZajP280aYh8
Threatray	4'078 similar samples on MalwareBazaar
TLSH	T15535235030C0DC31C2D227B0009AA6D4D7E7F6228A5D858F2F543AEF6EF56E165A33DA
dhash icon	1072c093b0381902 (22 x RedLineStealer, 7 x RaccoonStealer, 4 x Smoke Loader)
Reporter	abuse_ch
Tags:	DanaBot exe

Intelligence

File Origin

# of uploads :

# of downloads :

253

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

3e48ce9f68c21352fc6c245133cec0b9.exe

Verdict:

Malicious activity

Analysis date:

2021-08-18 14:48:54 UTC

Tags:

trojan danabot

Link:

https://app.any.run/tasks/bc6494db-5931-423a-a352-0ecb7265e941

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

DanaBot

Link:

https://www.capesandbox.com/analysis/180374/

Detection(s):

SecuriteInfo.com.Trojan.Win32.Save.a.7802.32454.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

DNS request

Creating a file

Enabling the 'hidden' option for recently created files

Launching a process

Creating a process with a hidden window

Sending a UDP request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e40d079f-bfd9-4f96-a126-6d371591a701

Result

Threat name:

DanaBot

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/835151

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected DanaBot stealer dll

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/020291620f3506a3b1e1d5f8d1dbee22c382255d52f73dd044ab1e23d772ee84/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-08-18 14:47:09 UTC

AV detection:

18 of 28 (64.29%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=aibjcyqpgudkhmpb2x4ndw7oelbyejk5kl3t3ucevmpchv3s52ca._file

Verdict:

unknown

Result

Malware family:

danabot

Score:

10/10

Tags:

family:danabot banker trojan

Link:

https://tria.ge/reports/210818-vszpbxx926/

Behaviour

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Loads dropped DLL

Blocklisted process makes network request

Danabot

Danabot Loader Component

Unpacked files

SH256 hash:

ec327c23bd9bff9f5e3e7488d70c37c9fa5f00cdfeb9ba2578d60d6869a75e16

MD5 hash:

7b42ac343ba84d1e631ee8f09b9a76c6

SHA1 hash:

78b5d212392aa2193c1b6adc8370e31d94860410

Link:

https://www.unpac.me/results/98afe229-db89-4e16-bdee-83b996b4f58f/

SH256 hash:

2d65df230e7dddd74c5d701ccbc819105ce73f4e0d8ca5c35de2a3271cee3508

MD5 hash:

10be56024c7ee6fb437de8b328f4e275

SHA1 hash:

febab4288f3c23d0e883a4487ccf21e6ed098891

Link:

https://www.unpac.me/results/98afe229-db89-4e16-bdee-83b996b4f58f/

SH256 hash:

020291620f3506a3b1e1d5f8d1dbee22c382255d52f73dd044ab1e23d772ee84

MD5 hash:

3e48ce9f68c21352fc6c245133cec0b9

SHA1 hash:

6177901046489b5eb3c0b9e08ca5accf8955a2ff

Link:

https://www.unpac.me/results/98afe229-db89-4e16-bdee-83b996b4f58f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/020291620f3506a3b1e1d5f8d1dbee22c382255d52f73dd044ab1e23d772ee84

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

exe 020291620f3506a3b1e1d5f8d1dbee22c382255d52f73dd044ab1e23d772ee84

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1495647/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/1490082/

Cape

https://www.capesandbox.com/analysis/180374/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample