MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d75ee72b5ee8528fddab43bf8aa7d1e23bfba8678c7ad9f0fef924f3104cc54. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	0d75ee72b5ee8528fddab43bf8aa7d1e23bfba8678c7ad9f0fef924f3104cc54
SHA3-384 hash:	6a01e2d9fd4cec86da684a5bbd2bb097774a397e27eb80f1c8be9c9d9c0fcb87a18ef3b8881a2b7931cb94781a072734
SHA1 hash:	17c7a4609f065ed4235298ec963d7683a9533d51
MD5 hash:	7737730d3a03d2510dca4bd7663a91ae
humanhash:	batman-network-crazy-mockingbird
File name:	SecuriteInfo.com.Variant.Babar.111863.21978.7247
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	1'331'200 bytes
First seen:	2022-10-21 16:06:28 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	83aec8d33ff1d2ed6e490bde788f9850 (12 x Smoke Loader, 10 x RedLineStealer, 5 x CoinMiner)
ssdeep	24576:HMIfgvXYV+9URhsb7Px4RHE5RCx9lZcWjZy7OEqzOKOM:HMIIvXY8ORhsHCteSKKOM
TLSH	T1C4552313B1D2DCB1C065C030906BDF9376BD6C7B03E2A9ABB7B05B792D402926FA7155
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	5c599a3ce0c3c850 (43 x Stop, 37 x RedLineStealer, 36 x Smoke Loader)
Reporter	SecuriteInfoCom
Tags:	DanaBot exe

Intelligence

File Origin

# of uploads :

# of downloads :

325

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Variant.Babar.111863.21978.7247

Verdict:

No threats detected

Analysis date:

2022-10-21 16:08:33 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/ffd12e94-04f0-4845-9ceb-9a2399068b32

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/322349/

Detection(s):

SecuriteInfo.com.Variant.Babar.111863.21978.7247.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Launching a process

Creating a process with a hidden window

Launching the default Windows debugger (dwwin.exe)

Creating a window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/6352c3a8339362a6061b3743/reports/d9e647b0-05b9-46f0-9064-936f86e86ac7/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

DanaBot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3cba493c-e40f-4f08-bd32-5e61c7fdc918

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0d75ee72b5ee8528fddab43bf8aa7d1e23bfba8678c7ad9f0fef924f3104cc54/

Threat name:

Win32.Trojan.Raccoon

Status:

Malicious

First seen:

2022-10-21 16:55:31 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

31 of 42 (73.81%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=bv2644vv52csr7o2wq57rkt5dyr37ougpdd23hyp56je6miezrka._file

Verdict:

malicious

Result

Malware family:

danabot

Score:

10/10

Tags:

family:danabot banker trojan

Link:

https://tria.ge/reports/221021-tkmsxaebbm/

Behaviour

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Blocklisted process makes network request

Danabot

Malware Config

C2 Extraction:

23.106.124.171:443
149.3.170.160:443
213.227.155.103:443
103.187.26.147:443

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/3bf3f8f1-c891-49c4-894a-5e155e2f937c

Unpacked files

SH256 hash:

480645bd42798167a865bd9fd1d6c9489e014ca874a99ccfeaf3cf0399e5de5c

MD5 hash:

819ecec2500e2774aa7796e2982380cd

SHA1 hash:

b2073738e3dedd57fd22e7c83404afc3afed5cd1

Link:

https://www.unpac.me/results/7925dddb-64e5-43da-99ec-99bf7c173c4c/

SH256 hash:

0d75ee72b5ee8528fddab43bf8aa7d1e23bfba8678c7ad9f0fef924f3104cc54

MD5 hash:

7737730d3a03d2510dca4bd7663a91ae

SHA1 hash:

17c7a4609f065ed4235298ec963d7683a9533d51

Link:

https://www.unpac.me/results/7925dddb-64e5-43da-99ec-99bf7c173c4c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0d75ee72b5ee8528fddab43bf8aa7d1e23bfba8678c7ad9f0fef924f3104cc54

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	win_danabot_cdf38827 Create hunting rule
Author:	Johannes Bader
Description:	detects DanaBot

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

exe 0d75ee72b5ee8528fddab43bf8aa7d1e23bfba8678c7ad9f0fef924f3104cc54

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2381482/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/322349/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample