MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0416ac4ffcec3299fa96d3db1837fe245fb398890abc1e19481485503fcaa679. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0416ac4ffcec3299fa96d3db1837fe245fb398890abc1e19481485503fcaa679
SHA3-384 hash: 3fc9454fbbd447f148f4089768a7b8dcaeb47094efd53e64e1475ec3a39db99ff635c529bd8a02ef4ca6ff8cc373006a
SHA1 hash: e3fbd40279e6e1f84bf8fa869500c01b38e50bd8
MD5 hash: a35732db1ce01e708084598f4dcdc1e4
humanhash: florida-monkey-four-oklahoma
File name:a35732db1ce01e708084598f4dcdc1e4
Download: download sample
Signature DanaBot
Create hunting rule
File size:3'249'663 bytes
First seen:2021-11-11 20:16:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 98304:SZvetj5CqOCBAybLPJh+bItPN3EhWIws2:SgKqOCB5HRhFuhU
Threatray 7'150 similar samples on MalwareBazaar
TLSH T19DE53309BF262A34D52605F80DF1AE1786B175149864872DD6BCBDA83EB4302AD3D73F
File icon (PE):PE icon
dhash icon 72f0dca4b6b6ccd8 (1 x DanaBot)
Reporter zbetcheckin
Tags:32 DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
436
Origin country :
n/a
Vendor Threat Intelligence
Detection:
DLAgent14
Create hunting rule
Link:
https://www.capesandbox.com/analysis/205121/
Detection(s):
Win.Packed.Filerepmalware-9864117-0
Create hunting rule

Win.Packed.Stop-9872858-0
Create hunting rule

Win.Packed.Doina-9886276-0
Create hunting rule

Win.Packed.Pwsx-9901330-0
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
darkkomet overlay packed virus
Link:
https://www.filescan.io/uploads/618d7a40175442ca93acbeb3/reports/223d4504-6d3b-426e-acdf-005cad595778/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/af57a4c2-c139-42c5-a1fc-9886999b2a94
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/887763
Signature
Antivirus detection for dropped file
Detected unpacking (creates a PE file in dynamic memory)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 520236 Sample: 2U15pq8qFV Startdate: 11/11/2021 Architecture: WINDOWS Score: 100 57 Multi AV Scanner detection for submitted file 2->57 59 Detected unpacking (creates a PE file in dynamic memory) 2->59 61 Machine Learning detection for sample 2->61 63 4 other signatures 2->63 7 2U15pq8qFV.exe 25 2->7         started        10 DpEditor.exe 2->10         started        12 DpEditor.exe 2->12         started        process3 file4 27 C:\Users\user\AppData\Local\...\forbarvp.exe, PE32 7->27 dropped 29 C:\Users\user\AppData\Local\...\clayer.exe, MS-DOS 7->29 dropped 31 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 7->31 dropped 33 3 other files (none is malicious) 7->33 dropped 14 forbarvp.exe 3 18 7->14         started        19 clayer.exe 7 7->19         started        process5 dnsIp6 41 ip-api.com 208.95.112.1, 49764, 80 TUT-ASUS United States 14->41 35 C:\Users\user\AppData\Local\...\bxadpqqi.vbs, ASCII 14->35 dropped 43 Antivirus detection for dropped file 14->43 45 Query firmware table information (likely to detect VMs) 14->45 47 May check the online IP address of the machine 14->47 55 3 other signatures 14->55 21 wscript.exe 12 14->21         started        37 C:\Users\user\AppData\...\DpEditor.exe, MS-DOS 19->37 dropped 49 Multi AV Scanner detection for dropped file 19->49 51 Detected unpacking (creates a PE file in dynamic memory) 19->51 53 Machine Learning detection for dropped file 19->53 25 DpEditor.exe 1 2 19->25         started        file7 signatures8 process9 dnsIp10 39 iplogger.org 88.99.66.31, 443, 49766 HETZNER-ASDE Germany 21->39 65 System process connects to network (likely due to code injection or exploit) 21->65 67 May check the online IP address of the machine 21->67 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0416ac4ffcec3299fa96d3db1837fe245fb398890abc1e19481485503fcaa679/
Threat name:
Win32.Trojan.SelfDel
Create hunting rule
Status:
Malicious
First seen:
2021-11-11 20:17:06 UTC
AV detection:
16 of 44 (36.36%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
0822897c3336073faf73fa391193ea15f55de51aa36d63433a9e794127c34576
DanaBot
3ec8d6d1645881d59332953e0da03a3207d34f985dd88e975ca8bf65fb7cc3c1
DanaBot
4f8ce35ede11311d3929f003252184cd364046fb0bbddb083688a57c672acf38
DanaBot
5a2f819b56fc962aa6f4e34d59eea86956299b3ff809ca166e404440b9af7ca6
DanaBot
7c3b2df673868d8f99e2cea7d58bcf356bd59c1a49340e5a8a285e06a517fb1f
DanaBot
82986179159fb1244b89a23ab01b915fe1c24407712c156a087fe902572a4a8f
DanaBot
88b21d6bda07db2097615a88062328006f0c10d199d4fc5e50483d6fd6abe622
DanaBot
fb6e522546a83e50fb8759d02881ded745926b7746f06f64694a13aedadd2d6e
DanaBot
+ 7'140 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot banker evasion themida trojan
Link:
https://tria.ge/reports/211111-y2pfaahbgl/
Behaviour
Checks processor information in registry
Modifies registry class
Modifies system certificate store
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Loads dropped DLL
Themida packer
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Danabot
Danabot Loader Component
Malware Config
C2 Extraction:
192.119.110.73:443
192.236.192.201:443
Unpacked files
SH256 hash:
83d96324bdf8182215da7e4da3915291338ec0fd524a234dfad182ddbfe0a4ef
MD5 hash:
f9883608f53e3c853230060cc77258ea
SHA1 hash:
e8ff2019f32f6a207b41376a5e74224e0d3eb764
Link:
https://www.unpac.me/results/e0269d82-c71f-4f0a-8893-c02de18bad87/
SH256 hash:
da0dfd6f09f1f2dafca88aaea238647756605972cbfa44b7c0a434c70136c7cd
MD5 hash:
37418dea27d047dfa7299cf7b972b355
SHA1 hash:
1f507cbeaecd59580e2f8a8b21406956b6e1daf1
Link:
https://www.unpac.me/results/e0269d82-c71f-4f0a-8893-c02de18bad87/
SH256 hash:
ac004577dc6e909181884193799a959340a834c0799ac69bf3ee820f6ee61f87
MD5 hash:
121261f58418618aee91b91be2d9d419
SHA1 hash:
03c18d9e260d7e379d25342c52c816aa29904ecf
Link:
https://www.unpac.me/results/e0269d82-c71f-4f0a-8893-c02de18bad87/
SH256 hash:
0416ac4ffcec3299fa96d3db1837fe245fb398890abc1e19481485503fcaa679
MD5 hash:
a35732db1ce01e708084598f4dcdc1e4
SHA1 hash:
e3fbd40279e6e1f84bf8fa869500c01b38e50bd8
Link:
https://www.unpac.me/results/e0269d82-c71f-4f0a-8893-c02de18bad87/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0416ac4ffcec3299fa96d3db1837fe245fb398890abc1e19481485503fcaa679

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 0416ac4ffcec3299fa96d3db1837fe245fb398890abc1e19481485503fcaa679

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1777364/
Cape
Cape
https://www.capesandbox.com/analysis/205121/

Comments


Avatar
zbet commented on 2021-11-11 20:16:28 UTC

url : hxxp://xetpuy16.top/downfiles/basque.exe