MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 11da67d2ec898827753f51e2bd4fc8329a5b29f33bcd1494f996c311bac93e7c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 11da67d2ec898827753f51e2bd4fc8329a5b29f33bcd1494f996c311bac93e7c
SHA3-384 hash: 77ce9af45b9fdf16a9fed5c87d645bf6a1e4d814ceee325fa9036908107a0d20c1abd44e1a02683ebde6f48d3e03cf55
SHA1 hash: 0fddb2128fad566f9d098ff190542e8dcf242f89
MD5 hash: dfb70f4e40f91f1928068bad6e00f657
humanhash: purple-washington-july-mirror
File name:dfb70f4e40f91f1928068bad6e00f657.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'138'688 bytes
First seen:2021-10-26 14:34:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0f5ea2bfadfc0cb42c0db57501b4ae1c (5 x RaccoonStealer, 3 x Smoke Loader, 1 x DanaBot)
ssdeep 24576:hTH9Pby5Mc+/N/C6bx9qJvhCr9kflhhJ+fhff9Z7BJZS+29nN:hTdPbdxC6bxIJvhCpkwB9Z1Jg9n
Threatray 6'910 similar samples on MalwareBazaar
TLSH T113352355B681C025E4A686304B42D6A2232FACE7DD7D8AB5378F3B5D2F7038079B5372
File icon (PE):PE icon
dhash icon fcfcb4f4d4dcd8c0 (7 x RedLineStealer, 4 x RaccoonStealer, 3 x Smoke Loader)
Reporter abuse_ch
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
457
Origin country :
n/a
Vendor Threat Intelligence
Detection:
DanaBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/200271/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.28067.27854.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file
Enabling the 'hidden' option for recently created files
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61781218a9d585e6d5394700/reports/37792b8a-0003-49c5-ac66-14d492351f06/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1ba79ac6-aaf6-451f-a632-cd05a5f65a41
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/877104
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/11da67d2ec898827753f51e2bd4fc8329a5b29f33bcd1494f996c311bac93e7c/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-10-26 12:37:57 UTC
AV detection:
18 of 27 (66.67%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0345531c814ad62c6c2c73de6fc6e540974fa5ddba3dcbeaa9a7850ad7929a76
DanaBot
18ae9ea1c1d71b33777c8772248580f17a2bcecf1aa0e8f71ec15d4b33d5253b
DanaBot
4e19a6c2fb2fd245e5c2097ff4d91aa86c4f49aaa4fbdab4cae046e3e02d0e52
DanaBot
8d2fc9db7c9f5dcf80faef24bf99af1a4553007d810981fef4026f3fce02a945
DanaBot
a5437c7d1711d9ef40881b429e3b308c5e3d6b94da15aa1b20f5c64ecbe49848
DanaBot
ba58e003883e6ef7e4e1b5289fc201a8e5eaeec85fe2f3809e68aad8439066ae
DanaBot
c0c908fdb5c67cd4ab56ab911320adaf68e4bc9a230a4a04eaf2cf6ae92443f4
DanaBot
f8f1569945e8adb87cb91509db4129d64a878863a347dbea1b21b70e1a21f973
DanaBot
+ 6'900 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot botnet:4 banker collection discovery spyware stealer trojan
Link:
https://tria.ge/reports/211026-rx2rgshfh5/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Danabot
Danabot Loader Component
Malware Config
C2 Extraction:
192.119.110.73:443
192.236.147.159:443
192.210.222.88:443
Unpacked files
SH256 hash:
a9fe905bfcd05abe9799d6279f5acadc1d65b1b71e4d37dd4797ba53d1fee257
MD5 hash:
985ae1ef00c7591d3c4be13498e60a0c
SHA1 hash:
0cd11ed2a0133b12d589eed47e86664d74372c14
Link:
https://www.unpac.me/results/c2cbcd4d-d94f-4889-8128-c90c2f3a0f00/
SH256 hash:
e877ae826dc67227c7e9faf5b632464a515e4129c82188623e17664ff744f095
MD5 hash:
f4fe59c91279c55813d9d457c18793e0
SHA1 hash:
d5c70e65d579eabf5ea75dbba24626587afecd11
Link:
https://www.unpac.me/results/c2cbcd4d-d94f-4889-8128-c90c2f3a0f00/
SH256 hash:
11da67d2ec898827753f51e2bd4fc8329a5b29f33bcd1494f996c311bac93e7c
MD5 hash:
dfb70f4e40f91f1928068bad6e00f657
SHA1 hash:
0fddb2128fad566f9d098ff190542e8dcf242f89
Link:
https://www.unpac.me/results/c2cbcd4d-d94f-4889-8128-c90c2f3a0f00/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/11da67d2ec898827753f51e2bd4fc8329a5b29f33bcd1494f996c311bac93e7c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 11da67d2ec898827753f51e2bd4fc8329a5b29f33bcd1494f996c311bac93e7c

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/200271/
  
URLhaus
https://urlhaus.abuse.ch/url/1715155/
  
Delivery method
Distributed via web download

Comments