MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 11d70988c6bb7174dd4050db008c278920f14cbfa54920655ad1bdbaee082700. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 11d70988c6bb7174dd4050db008c278920f14cbfa54920655ad1bdbaee082700
SHA3-384 hash: 1447e64af4a869b849753fb2769bf2b8e6629cbe452e52e500551be2dae50be72b4646a1295b5b494c4370a0490e950d
SHA1 hash: 47d0712a5f066bd4b7a3ef36f5985f764d703bee
MD5 hash: 1d27d894f404b2f4b040aa4cfe991e91
humanhash: enemy-don-minnesota-fourteen
File name:1d27d894f404b2f4b040aa4cfe991e91
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'129'984 bytes
First seen:2022-03-27 23:58:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1690f0efc188c620ac36940e114b98ae (4 x DanaBot, 3 x Stop, 1 x SystemBC)
ssdeep 24576:2ecME1UkUQSJTMP+kYMZ5Xu6uWYiua+c5Iv28x71MEaLmm4Y:2ecMEukUKYMvbu6u2hLx
Threatray 11'322 similar samples on MalwareBazaar
TLSH T12F35231374268833F53A6774688ADBE42F57BC664AA25D833BC11A798F201D3DE7134E
File icon (PE):PE icon
dhash icon 5c59da3c60c1c850 (2 x DanaBot, 2 x ArkeiStealer, 2 x Smoke Loader)
Reporter zbetcheckin
Tags:32 DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
587
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1d27d894f404b2f4b040aa4cfe991e91.exe.vir
Verdict:
Suspicious activity
Analysis date:
2022-03-28 01:21:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/efb83cf4-2c63-4904-bb13-14d3db884c71

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/258269/
Detection(s):
Win.Packed.Strab-9942213-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/11627/overview
Behaviour
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6240fa4a1f204239483d90c1/reports/e4fd6c9c-500f-4798-9791-4c1775e9dd44/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/eeb300da-6ffc-4a6f-9afd-ba05183c2ade
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad.phis.spyw
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/965424
Signature
Allocates memory in foreign processes
Machine Learning detection for sample
May use the Tor software to hide its network traffic
Multi AV Scanner detection for submitted file
Overwrites code with function prologues
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Call by Ordinal
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 597905 Sample: f80XHBuRPP.exe Startdate: 28/03/2022 Architecture: WINDOWS Score: 96 64 Multi AV Scanner detection for submitted file 2->64 66 Machine Learning detection for sample 2->66 68 May use the Tor software to hide its network traffic 2->68 70 Sigma detected: Suspicious Call by Ordinal 2->70 8 f80XHBuRPP.exe 3 2->8         started        process3 signatures4 72 Overwrites code with function prologues 8->72 74 Writes to foreign memory regions 8->74 76 Allocates memory in foreign processes 8->76 11 rundll32.exe 8->11         started        15 backgroundTaskHost.exe 8->15         started        17 rundll32.exe 13 8->17         started        20 9 other processes 8->20 process5 dnsIp6 54 150.119.39.51, 443, 49804 USDA-1US United States 11->54 56 185.62.58.85, 443, 49772, 49778 SNELNL Netherlands 11->56 62 10 other IPs or domains 11->62 78 System process connects to network (likely due to code injection or exploit) 11->78 80 Tries to steal Instant Messenger accounts or passwords 11->80 82 Tries to harvest and steal browser information (history, passwords, etc) 11->82 84 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->84 86 Uses schtasks.exe or at.exe to add and modify task schedules 15->86 22 schtasks.exe 15->22         started        24 schtasks.exe 15->24         started        26 schtasks.exe 15->26         started        28 4 other processes 15->28 58 23.254.133.7, 443, 49749, 49770 HOSTWINDSUS United States 17->58 44 C:\Users\user\AppData\...\Deaffwhwqqtuyww.tmp, DOS 17->44 dropped 60 192.168.11.1 unknown unknown 20->60 46 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 20->46 dropped 48 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 20->48 dropped 50 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 20->50 dropped 52 6 other malicious files 20->52 dropped file7 signatures8 process9 process10 30 conhost.exe 22->30         started        32 conhost.exe 24->32         started        34 conhost.exe 26->34         started        36 conhost.exe 28->36         started        38 conhost.exe 28->38         started        40 conhost.exe 28->40         started        42 conhost.exe 28->42         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/11d70988c6bb7174dd4050db008c278920f14cbfa54920655ad1bdbaee082700/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2022-03-27 23:59:12 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=chlqtcggxnyxjxkakdnqbdbhreqpctf7uvesazk22g63v3qie4aa._file
Verdict:
malicious
Similar samples:
00de2ed7834a34d0643df2cbd50188efe3fe66fba74cfd32ff98a7eb70717a46
DanaBot
0f8d2648166184bde6562f33b7e4b620313fe7a21746720d37594213fba7a604
DanaBot
35ae08dd66b6b142499ba173d3ff41f803e9c988a7ad8a25f62e31ed093144d9
DanaBot
5abcd78602091e9cddfec8f1e4bdd336ae58273466eb0981c2f980c4d91b6cb2
DanaBot
a71159cffa18ebb762f121760decde078c80061237c1f7bd3928787c258fba4f
DanaBot
c04089468922696353c3c7a044bc53491562ae6a894f77e303f2d50d41363bb4
DanaBot
cf57cc27a823806f6012096ebd1eca04ca4d6a837b664c829a9d037d821d7f86
DanaBot
dcedf234c0f9d6fe3a4392693c82708c70c8e243f42f2e7073d35bd928f3b526
DanaBot
e68709e57a75e81ed749f70bea9be2815cb7c41fda90a14567927fab472efc03
DanaBot
+ 11'312 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220327-31qdeaeeh5/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
cae78d9572153657dd301c59ca6526fd6f89803d6c04f4db49372f38fa85df3c
MD5 hash:
f7c3d2dde357c8c76620173b379f4a08
SHA1 hash:
e29f13741490a7df53e288521e4cec41030cb786
Link:
https://www.unpac.me/results/61651e48-7fd8-4ea0-bc4d-9c40bc0e47d1/
SH256 hash:
11d70988c6bb7174dd4050db008c278920f14cbfa54920655ad1bdbaee082700
MD5 hash:
1d27d894f404b2f4b040aa4cfe991e91
SHA1 hash:
47d0712a5f066bd4b7a3ef36f5985f764d703bee
Link:
https://www.unpac.me/results/61651e48-7fd8-4ea0-bc4d-9c40bc0e47d1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/11d70988c6bb7174dd4050db008c278920f14cbfa54920655ad1bdbaee082700

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 11d70988c6bb7174dd4050db008c278920f14cbfa54920655ad1bdbaee082700

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2116235/
Cape
Cape
https://www.capesandbox.com/analysis/258269/

Comments


Avatar
zbet commented on 2022-03-27 23:58:25 UTC

url : hxxp://45.147.229.175/root.exe