MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04c3d9d645c254a617b44a8c9c6a7cf17db11b0f95e5080a3f2955539291e9c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	04c3d9d645c254a617b44a8c9c6a7cf17db11b0f95e5080a3f2955539291e9c6
SHA3-384 hash:	ae44a448e870e170db397c5f5ac139b81ad8651004549d24bc49bf5b1fcf5bdc8959c3b8b57c786bb2932a3e2aca8df0
SHA1 hash:	2936f7060b2019eac441756054ef02ae2a6dfa82
MD5 hash:	5367a0c4a30e5eb34734bae03c3e2d1f
humanhash:	rugby-california-oxygen-eighteen
File name:	5367a0c4a30e5eb34734bae03c3e2d1f.exe
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	1'762'816 bytes
First seen:	2021-11-22 13:35:16 UTC
Last seen:	2021-11-22 15:49:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	13efcea70e0fb08d4f5ba0d5ad2ab09a (5 x RedLineStealer, 2 x DanaBot, 1 x ArkeiStealer)
ssdeep	49152:mzWnPrIcO6eqYiwXOTXpiOz+++mcgr+J/y:2WnPrIsYitXcOzSHgma
Threatray	7'413 similar samples on MalwareBazaar
TLSH	T1EA853324F7A548F1E0727A31AA74D01229B334B6E250839F3B55629E1EE17E16EF7343
File icon (PE):
dhash icon	fcfcb4d4d4dcd8c0 (14 x RedLineStealer, 11 x RaccoonStealer, 3 x Smoke Loader)
Reporter	abuse_ch
Tags:	DanaBot exe

Intelligence

File Origin

# of uploads :

# of downloads :

436

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

5367a0c4a30e5eb34734bae03c3e2d1f.exe

Verdict:

Malicious activity

Analysis date:

2021-11-22 13:40:05 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/d420d500-668e-489f-acee-c23e7847ac7d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Gathering data

Detection(s):

SecuriteInfo.com.Variant.Jaik.49486.20168.16186.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Creating a file

Enabling the 'hidden' option for recently created files

DNS request

Launching a process

Creating a process with a hidden window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/619b9cc794a88037d2fe6b34/reports/0ea35a7b-aa6c-4923-93f2-ed6810d3c874/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/00ca42fc-b05e-4746-a20f-57288c787014

Result

Threat name:

DanaBot

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/893857

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected DanaBot stealer dll

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/04c3d9d645c254a617b44a8c9c6a7cf17db11b0f95e5080a3f2955539291e9c6/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2021-11-22 13:36:18 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 28 (82.14%)

Threat level:

5/5

Verdict:

malicious

Result

Malware family:

danabot

Score:

10/10

Tags:

family:danabot banker trojan

Link:

https://tria.ge/reports/211122-qvtsesfehr/

Behaviour

Suspicious use of WriteProcessMemory

Loads dropped DLL

Danabot

Malware Config

C2 Extraction:

142.11.244.223:443
23.106.122.139:443

Unpacked files

SH256 hash:

ee687fdd6c2678f18d2473d0aef2256e21ee829a78c7afde0ee0e1c20f4221bf

MD5 hash:

0533fac1345c9d5667d4b808e5a33459

SHA1 hash:

deb3e683572956fe3ae32c69123aa21e949d89ca

Link:

https://www.unpac.me/results/e9f8bd5c-521e-4f3a-948c-1c9024e862c2/

SH256 hash:

42c4ccd01a12fb543fdd166a806bc7c63d36192815561a49ca922ef79623e13f

MD5 hash:

13395f75321296f2efa0e16ccb8206b5

SHA1 hash:

d3b209f9f64557dbf98bd2c117f1082977fc34c8

Link:

https://www.unpac.me/results/e9f8bd5c-521e-4f3a-948c-1c9024e862c2/

SH256 hash:

04c3d9d645c254a617b44a8c9c6a7cf17db11b0f95e5080a3f2955539291e9c6

MD5 hash:

5367a0c4a30e5eb34734bae03c3e2d1f

SHA1 hash:

2936f7060b2019eac441756054ef02ae2a6dfa82

Link:

https://www.unpac.me/results/e9f8bd5c-521e-4f3a-948c-1c9024e862c2/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/04c3d9d645c254a617b44a8c9c6a7cf17db11b0f95e5080a3f2955539291e9c6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

exe 04c3d9d645c254a617b44a8c9c6a7cf17db11b0f95e5080a3f2955539291e9c6

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1772785/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/208184/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample