MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 118452cc645ee44bc6fba61d70dff92f7297a28bee2849cd10b133e685ed8704. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 118452cc645ee44bc6fba61d70dff92f7297a28bee2849cd10b133e685ed8704
SHA3-384 hash: bc23254190ddac17d19802996d8ae833f747b654952f4e5fd553cd957a02f95507745149c3cd718e71e63de5261455ca
SHA1 hash: 0df2d790667dd74ce9964839f5b10b4c5a7c1442
MD5 hash: 182b2fd847f91f5a381ce332366b9c8f
humanhash: north-zulu-missouri-november
File name:182b2fd847f91f5a381ce332366b9c8f
Download: download sample
Signature DanaBot
Create hunting rule
File size:8'795'136 bytes
First seen:2022-10-25 11:25:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d469ca1d6e996368501cdcdaad61b8dc (12 x RedLineStealer, 4 x Tofsee, 2 x CoinMiner)
ssdeep 196608:QEepItIc2w6yTIxpvSxllzAiB/UO7vA1vK70abaBeIvveVJsSh:7NTIxRSz374k4de0eVJsc
Threatray 1'395 similar samples on MalwareBazaar
TLSH T147963325737ECA73CC05D43A19D4733826B0D0B9647BDC772A752DFE36306621AA2C69
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 480c1c4c4f594914 (24 x Smoke Loader, 19 x RedLineStealer, 14 x Amadey)
Reporter zbetcheckin
Tags:32 DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
249
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
182b2fd847f91f5a381ce332366b9c8f
Verdict:
No threats detected
Analysis date:
2022-10-25 11:38:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/11fb8ce3-9fa6-419c-acda-8394e5d1588b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/323984/
Detection(s):
Win.Packed.Pwsx-9975723-0
Create hunting rule

Win.Dropper.Tofsee-9975728-0
Create hunting rule

Win.Dropper.Tofsee-9975734-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f9dee1fc-b3cd-4f1b-b8fc-fb3cdb97299a
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad.expl
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1097494
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/118452cc645ee44bc6fba61d70dff92f7297a28bee2849cd10b133e685ed8704/
Threat name:
Win32.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2022-10-25 12:29:08 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cgcfftdel3sexrx3uyoxbx7zf5zjpiul5yuettiqwez6nbpnq4ca._file
Verdict:
malicious
Similar samples:
00b043b01844a78e51e3cdf5bb2b789e0eab9ff63e2cffbff8f3cf38ab099989
DanaBot
154c0d2d08ece2e2deed8219a9ad988dab62e8cd43024cb7aa8f38197b0f67fd
DanaBot
173a25a0d60c05f2754c42ba56d3d0597fa46de21b483c12729916fd6939b306
DanaBot
4ab8ef03284ffe7a221c2655e2cdb0135791715a055e4d3fdd8c915325857176
DanaBot
929949f9ce4c548e05c423b8ff97ac24c5d1530283f4c49d631332897304c138
DanaBot
a7928ade0fd2c884b542a0a975b6c7c1710186d534f11a1b37003468e1fd35fe
DanaBot
e58955b8f25bd1f1fdbb0b3113b38cc23cf8faf3e33a47cd9b4bab0ab21957d6
DanaBot
ee6a04689ffa0db1cc406e072970e2940aa6708268d92af1d3cf6bbda1d945e6
DanaBot
+ 1'385 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot banker trojan
Link:
https://tria.ge/reports/221025-njv51acecl/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Enumerates connected drives
Blocklisted process makes network request
Danabot
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2da8c2ba-e3f4-4ea9-9cff-990b64d3543a
Unpacked files
SH256 hash:
32674af57308c1a3dadaac727eaf786867466a751ab5a74e872eb180ff7270d2
MD5 hash:
605d3674993880fab612f5d7b98c99fb
SHA1 hash:
6630faea4344b91f9fd8443e5bc0322175aa5247
Link:
https://www.unpac.me/results/3977a786-8ee6-46f4-9816-d9c928b53f6b/
SH256 hash:
118452cc645ee44bc6fba61d70dff92f7297a28bee2849cd10b133e685ed8704
MD5 hash:
182b2fd847f91f5a381ce332366b9c8f
SHA1 hash:
0df2d790667dd74ce9964839f5b10b4c5a7c1442
Link:
https://www.unpac.me/results/3977a786-8ee6-46f4-9816-d9c928b53f6b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/118452cc645ee44bc6fba61d70dff92f7297a28bee2849cd10b133e685ed8704

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:win_danabot_cdf38827
Create hunting rule
Author:Johannes Bader
Description:detects DanaBot

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 118452cc645ee44bc6fba61d70dff92f7297a28bee2849cd10b133e685ed8704

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/323984/
  
URLhaus
https://urlhaus.abuse.ch/url/2384100/

Comments


Avatar
zbet commented on 2022-10-25 11:25:09 UTC

url : hxxp://91.215.155.94/underground.exe