MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 09a6f1762ad56add49d58eb4d3b4dc7efeb72599c641d3ef2c6dbe3488196166. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 09a6f1762ad56add49d58eb4d3b4dc7efeb72599c641d3ef2c6dbe3488196166
SHA3-384 hash: 2a6a2cfe496f5e1767211dfd1abba7cb14e1b6b9c54d8606c6a6055a09e6c0cb1997b5ae0e34637a527c62f7d7360f54
SHA1 hash: 82e8a4e8806a57e2c9f0ecdb9f52b801d18e4fcf
MD5 hash: 47c51374ad72d0c0faf7da8ab1cbf46a
humanhash: hydrogen-india-foxtrot-high
File name:47c51374ad72d0c0faf7da8ab1cbf46a
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'240'064 bytes
First seen:2021-09-11 11:29:16 UTC
Last seen:2021-09-11 13:15:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7dedca7bc07f096eb3cce2bfad6fc32b (5 x RedLineStealer, 1 x DanaBot, 1 x ArkeiStealer)
ssdeep 24576:3ArhsXMIt7EAY7u7eFmE2wtOB4PdQmxkW26MigM8b:iqWxS74tG4p4c8
Threatray 264 similar samples on MalwareBazaar
TLSH T169451230B6B0C036E9B707F9597A87E8652E7EB1AB3041CB92D525CB56346E8CD30787
dhash icon e8e8e8e8aa66a499 (51 x RaccoonStealer, 27 x ArkeiStealer, 22 x RedLineStealer)
Reporter zbetcheckin
Tags:32 DanaBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
576
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
47c51374ad72d0c0faf7da8ab1cbf46a
Verdict:
Malicious activity
Analysis date:
2021-09-11 11:32:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f7170c1e-e2cf-4b5a-9570-87700717b9f3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/187056/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.15793.25398.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file
Enabling the 'hidden' option for recently created files
Launching a process
Creating a process with a hidden window
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/17ae271f-4b45-4c52-863c-c1027141a276
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/849143
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/09a6f1762ad56add49d58eb4d3b4dc7efeb72599c641d3ef2c6dbe3488196166/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-09-11 11:30:09 UTC
AV detection:
15 of 43 (34.88%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
078f9ef51158a0583dc392a8b2d9db4830c3ed9bd7c3e46a96c82046d8b53ba0
DanaBot
247b4e32c0a8a4d4dea1362f22fa214ef5ce234ffba6d34cba720c6b71da61ec
DanaBot
55f0976368822adb482407f46a40dcb9e0f2cc7e874d8b67c2bc82d82f7131e0
DanaBot
5c3162c36576b287b91705301199e60485f31ab98b4bd11e8ed4445b8131cf08
DanaBot
987f20ff829ea4c324d87ca9b55860111b827d0fdb01499bb704074d9d220016
DanaBot
9a4537ed41f8307c11b5c85e70ed82573e3fa7f424178eb7f15c5b4d4d72cde5
DanaBot
ae6ec966a4d2912897da41c2e20296c0cc2ac5b30fd57ee20420bd7212e98042
DanaBot
b97c821707e93e8e535dc3661098e792d55d493a5edbd3f59bfd559c34d7822d
DanaBot
d3657dd474e857255ae3ea6f0faabb6f9a6f7bf77423042e5eb827a9cb72d17a
DanaBot
df03220ee207a1be64e9f25b74a78684ecd00fd75dd3e44e38e2b1678060e8be
DanaBot
+ 254 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot botnet:4 banker discovery trojan
Link:
https://tria.ge/reports/210911-nl53zsedfq/
Behaviour
Checks processor information in registry
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Checks installed software on the system
Loads dropped DLL
Blocklisted process makes network request
Danabot
Danabot Loader Component
Malware Config
C2 Extraction:
23.229.29.48:443
5.9.224.204:443
192.210.222.81:443
Unpacked files
SH256 hash:
939791545f4b62789fa3aecf2cfd1f0959f3c3677d5606515f86c0be5a60e2ac
MD5 hash:
3db33d3569d5415f6d1fb68c5224b614
SHA1 hash:
123de5d96113040282a7753741f671458c2a9819
Link:
https://www.unpac.me/results/6e312fd5-c46d-4fe6-801d-904b266e1be2/
SH256 hash:
2f72ec19b842abfee8dad8ab8a3b58370441a24e800f9f392fe41e162443cc5c
MD5 hash:
bda5eaee87fc9ddd257e45a01c87efa2
SHA1 hash:
aff3fc427cbeb601e40e9177e3dac5b836d9de19
Link:
https://www.unpac.me/results/6e312fd5-c46d-4fe6-801d-904b266e1be2/
SH256 hash:
09a6f1762ad56add49d58eb4d3b4dc7efeb72599c641d3ef2c6dbe3488196166
MD5 hash:
47c51374ad72d0c0faf7da8ab1cbf46a
SHA1 hash:
82e8a4e8806a57e2c9f0ecdb9f52b801d18e4fcf
Link:
https://www.unpac.me/results/6e312fd5-c46d-4fe6-801d-904b266e1be2/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/09a6f1762ad5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/09a6f1762ad56add49d58eb4d3b4dc7efeb72599c641d3ef2c6dbe3488196166

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 09a6f1762ad56add49d58eb4d3b4dc7efeb72599c641d3ef2c6dbe3488196166

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/187056/

Comments


Avatar
zbet commented on 2021-09-11 11:29:16 UTC

url : hxxp://192.236.179.102/dellsvhosts.exe