MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 157757f5065076824ea142b1e3910b51326149a0a457f986cc4270b5fec1d319. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 10

Intelligence 10 IOCs 1 YARA File information Comments

SHA256 hash:	157757f5065076824ea142b1e3910b51326149a0a457f986cc4270b5fec1d319
SHA3-384 hash:	20c450bd5e3cd0702b438b606b4928f71db96da0d9db29ce94f12cacde76b5c57e8a549e0966772a053df9f98c5fa856
SHA1 hash:	fdf12fc5aa0e38dc5b539b1291f04fe1a30985f6
MD5 hash:	c6126a4aa5a4643eaadd0f4a6c2b06f9
humanhash:	illinois-don-early-sad
File name:	157757f5065076824ea142b1e3910b51326149a0a457f.exe
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	1'105'408 bytes
First seen:	2022-03-26 20:06:12 UTC
Last seen:	2022-03-26 21:28:39 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	db9d63801b52e5f18d5dc80c5fed99ce (2 x SystemBC, 2 x Stop, 2 x Worm.Ramnit)
ssdeep	12288:43vqr/B17jAPeQp37W9nsLx3EXWcUoHM00znmPJcWZTziS5Zugfz3xaCXBKQp6:yvqrPjALp2sdyNUCM0yGPZuEZugbWQg
TLSH	T10735230170A1D472D096BD76E4A4FE34D3E9C87142A9E1DB2304627EBF207D2567E29E
File icon (PE):
dhash icon	5c59da3ce0c1c850 (36 x Stop, 33 x Smoke Loader, 26 x RedLineStealer)
Reporter	abuse_ch
Tags:	DanaBot exe

abuse_ch

DanaBot C2:
23.254.217.192:443

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
23.254.217.192:443	https://threatfox.abuse.ch/ioc/454603/

Intelligence

File Origin

# of uploads :

# of downloads :

614

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/258091/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.10479.29397.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Sending a custom TCP request

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Creating a window

Launching a process

Sending an HTTP GET request

Creating a file in the %temp% directory

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/11547/overview

Behaviour

MeasuringTime

SystemUptime

CheckCmdLine

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/623f72699253b276b77c576c/reports/401430fc-8b65-44c0-a903-b64e1ab9fc5c/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

DanaBot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/168ae606-5155-4d04-9143-9ffe3eb09844

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/965144

Signature

Antivirus detection for URL or domain

Machine Learning detection for sample

May use the Tor software to hide its network traffic

Multi AV Scanner detection for submitted file

Overwrites code with function prologues

Sigma detected: Suspicious Call by Ordinal

System process connects to network (likely due to code injection or exploit)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/157757f5065076824ea142b1e3910b51326149a0a457f986cc4270b5fec1d319/

Threat name:

Win32.Trojan.Strab

Status:

Malicious

First seen:

2022-03-26 19:13:04 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cv3vp5igkb3ietvbiky6heilkezgcsnaurl7tbwmijyll7wb2mmq._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/220326-yvzmnsghg8/

Behaviour

Checks processor information in registry

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Blocklisted process makes network request

Unpacked files

SH256 hash:

0a25fd61af7f9d812f263ea2159f59eeddb76e0cc12d3f348eadb9a7e0b072a0

MD5 hash:

419e4f0e2ef1a577a942d3da5f0a926e

SHA1 hash:

666e3b8d7bd79b0ddf2b3743cc9cb9dbf3330263

Link:

https://www.unpac.me/results/eb7610f4-f62d-476b-844f-c55d30592f70/

SH256 hash:

157757f5065076824ea142b1e3910b51326149a0a457f986cc4270b5fec1d319

MD5 hash:

c6126a4aa5a4643eaadd0f4a6c2b06f9

SHA1 hash:

fdf12fc5aa0e38dc5b539b1291f04fe1a30985f6

Link:

https://www.unpac.me/results/eb7610f4-f62d-476b-844f-c55d30592f70/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/157757f50650/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/157757f5065076824ea142b1e3910b51326149a0a457f986cc4270b5fec1d319

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/258091/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample