MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ffb06b7e5f65c17f974e200c9acf13e2acc3bb2c2f5dc9b17f14018cf0f47c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0ffb06b7e5f65c17f974e200c9acf13e2acc3bb2c2f5dc9b17f14018cf0f47c7
SHA3-384 hash: 01f09b2c55c58b596ed4e889b9cdd4a07e637cc0834cf62f9b5705a479f10f30f8ad3de9fbaa6baaf91cf142dd9f7cb4
SHA1 hash: bd1354f4b1679b4b5aa79bb3af38d3e041ebd24c
MD5 hash: 6851ee86ef723624b9d8bb881188b745
humanhash: butter-sierra-carbon-zebra
File name:6851ee86ef723624b9d8bb881188b745
Download: download sample
Signature DanaBot
Create hunting rule
File size:5'683'473 bytes
First seen:2021-12-20 04:55:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 98304:DZCoivbskwyMr9BcyPpodd/uV9y5tqVhuJr4S79jfU6caPl68HEpCFCk4GBDUbu:DUoiv2zrbcOgd/uby/qeJr4IM6ca96sr
TLSH T1374633B777288DF8DAC3B5F0573C1C6049E8442C28F8529717EC7E9EE922606ADD129D
File icon (PE):PE icon
dhash icon b464c4ccccccccd4 (1 x DanaBot)
Reporter zbetcheckin
Tags:32 DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
463
Origin country :
n/a
Vendor Threat Intelligence
Detection:
DanaBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/215303/
Detection(s):
Win.Packed.Filerepmalware-9864117-0
Create hunting rule

Win.Packed.Stop-9872858-0
Create hunting rule

Win.Packed.Doina-9886276-0
Create hunting rule

Win.Packed.Pwsx-9901330-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Searching for analyzing tools
DNS request
Sending an HTTP GET request
Creating a file
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Searching for synchronization primitives
Launching a process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/2654/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
clipbanker overlay packed racealer virus
Link:
https://www.filescan.io/uploads/61c00ce58991ba72b38deaf3/reports/540537e4-7774-472b-8a34-891b42bb21f3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e0f993aa-a815-4682-9f2f-f92990a0138f
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/909996
Signature
Antivirus detection for dropped file
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 542469 Sample: 0Ko4cj7mp5 Startdate: 20/12/2021 Architecture: WINDOWS Score: 100 47 Antivirus detection for dropped file 2->47 49 Multi AV Scanner detection for dropped file 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 4 other signatures 2->53 7 0Ko4cj7mp5.exe 25 2->7         started        process3 file4 23 C:\Users\user\AppData\Local\...\godwitvp.exe, PE32 7->23 dropped 25 C:\Users\user\AppData\Local\...\edenic.exe, PE32 7->25 dropped 27 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 7->27 dropped 29 3 other files (none is malicious) 7->29 dropped 10 edenic.exe 7 7->10         started        14 godwitvp.exe 3 18 7->14         started        process5 dnsIp6 31 C:\Users\user\AppData\...\DpEditor.exe, PE32 10->31 dropped 55 Antivirus detection for dropped file 10->55 57 Multi AV Scanner detection for dropped file 10->57 59 Query firmware table information (likely to detect VMs) 10->59 61 Tries to detect sandboxes / dynamic malware analysis system (registry check) 10->61 17 DpEditor.exe 10->17         started        35 ip-api.com 208.95.112.1, 49746, 80 TUT-ASUS United States 14->35 63 May check the online IP address of the machine 14->63 65 Machine Learning detection for dropped file 14->65 67 Hides threads from debuggers 14->67 20 wscript.exe 12 14->20         started        file7 signatures8 process9 dnsIp10 37 Query firmware table information (likely to detect VMs) 17->37 39 Hides threads from debuggers 17->39 41 Tries to detect sandboxes / dynamic malware analysis system (registry check) 17->41 33 iplogger.org 148.251.234.83, 443, 49747 HETZNER-ASDE Germany 20->33 43 System process connects to network (likely due to code injection or exploit) 20->43 45 May check the online IP address of the machine 20->45 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0ffb06b7e5f65c17f974e200c9acf13e2acc3bb2c2f5dc9b17f14018cf0f47c7/
Threat name:
Win32.Infostealer.ClipBanker
Create hunting rule
Status:
Malicious
First seen:
2021-12-20 01:03:20 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
18 of 43 (41.86%)
Threat level:
  5/5
Verdict:
malicious
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot botnet:4 banker evasion themida trojan
Link:
https://tria.ge/reports/211220-fkpqlsaden/
Behaviour
Checks processor information in registry
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Loads dropped DLL
Themida packer
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Danabot
Danabot Loader Component
Malware Config
C2 Extraction:
142.11.244.223:443
23.106.122.139:443
Unpacked files
SH256 hash:
78b49b5239f99aa0c4727e351149dac492a46c84cd4e7c6f40c3f16633e23fc2
MD5 hash:
34248b517ec64de8bd2557e6ddb983ab
SHA1 hash:
0d06f18d6535be06d78ef6fd9e473a013c72573c
Link:
https://www.unpac.me/results/32fa0b9d-c910-4a96-874b-b912eb02102f/
SH256 hash:
614017d0aae029a662aaaf2a1308ac5cd9ee5145a52b32443197a467eb6d86b6
MD5 hash:
7c5b14265eea43bc0d63f3d00b4ea382
SHA1 hash:
fd5b1879b794f47ec22b18ae18a557a98d852081
Link:
https://www.unpac.me/results/32fa0b9d-c910-4a96-874b-b912eb02102f/
SH256 hash:
0ffb06b7e5f65c17f974e200c9acf13e2acc3bb2c2f5dc9b17f14018cf0f47c7
MD5 hash:
6851ee86ef723624b9d8bb881188b745
SHA1 hash:
bd1354f4b1679b4b5aa79bb3af38d3e041ebd24c
Link:
https://www.unpac.me/results/32fa0b9d-c910-4a96-874b-b912eb02102f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0ffb06b7e5f65c17f974e200c9acf13e2acc3bb2c2f5dc9b17f14018cf0f47c7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 0ffb06b7e5f65c17f974e200c9acf13e2acc3bb2c2f5dc9b17f14018cf0f47c7

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1900857/
Cape
Cape
https://www.capesandbox.com/analysis/215303/

Comments


Avatar
zbet commented on 2021-12-20 04:55:39 UTC

url : hxxp://ekuniv18.top/downfiles/impish.exe