MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 165f281fe26eb8a14657d69da2b56254c7c517800e57f3d26d83d6db8f33ae62. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 165f281fe26eb8a14657d69da2b56254c7c517800e57f3d26d83d6db8f33ae62
SHA3-384 hash: af078fd212abe8f1b8d0d5de6136caeed3f24cd2d29b908896fea012397feb9af61f11b2086fb6f6e7cad2d955089612
SHA1 hash: c503d599b9bcc7d0adde4d0ab635e1e475d33a13
MD5 hash: 478dcafd00ed193c9a89a248ec1665e4
humanhash: venus-lithium-victor-moon
File name:478dcafd00ed193c9a89a248ec1665e4.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'210'880 bytes
First seen:2021-10-16 14:29:38 UTC
Last seen:2021-10-16 15:59:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8d9ee1d37ce0771b137ef02c8f52b4c6 (2 x RedLineStealer, 1 x CryptBot, 1 x DanaBot)
ssdeep 12288:+dFuyXcGXlcERDJW68+HfxNs/OLnk/v3dRuCKInq7leXR+glRAxHUIw4CXVGdBW9:+dAg7XmERl8M24kntLqhUHHAx/pd
Threatray 6'573 similar samples on MalwareBazaar
TLSH T1A5451210B6A0C035F5B313F98AB99329AD3E7D619B28A4CF22C515EE57656E1EC7030B
File icon (PE):PE icon
dhash icon eae8e8e8aa66a489 (1 x DanaBot, 1 x Smoke Loader)
Reporter abuse_ch
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
614
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
478dcafd00ed193c9a89a248ec1665e4.exe
Verdict:
Malicious activity
Analysis date:
2021-10-16 14:32:01 UTC
Tags:
trojan danabot
Link:
https://app.any.run/tasks/7369469b-e95d-4d81-90ee-920ea950bc96

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DanaBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/197888/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.47193372.27782.21703.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Enabling the 'hidden' option for recently created files
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/616ae1f9db358dd15ebd394b/reports/9bb77aa4-7be2-42f8-b89e-52c39d2bd610/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e747537f-f222-44f9-b69d-fe15377c6155
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/871610
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/165f281fe26eb8a14657d69da2b56254c7c517800e57f3d26d83d6db8f33ae62/
Threat name:
Win32.Trojan.Chapak
Create hunting rule
Status:
Malicious
First seen:
2021-10-15 23:23:40 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=czpsqh7cn24kcrsx22o2fnlcktd4kf4abzl7hutnqplnxdztvzra._file
Verdict:
malicious
Similar samples:
36499f5c573a8752c3b566b19e52f3a235e73e4cdb7123f3452a007c945f7daf
DanaBot
4f4a33f70099855f5f503716515f388da3a5daa1e2fac59ec6c881e89ef7d072
DanaBot
5d7bc178cb3eafae7b2c99b2cfd2ceec87119cf2403f86af87435d4479f36724
DanaBot
a195d9091ef3b62929cd8637728a190bd54a80c1d4fa89680e9b452677dcb934
DanaBot
a5437c7d1711d9ef40881b429e3b308c5e3d6b94da15aa1b20f5c64ecbe49848
DanaBot
c565ce12f63b1cb897156e0234907a49517439247747cc7df5b69952c1e7ce43
DanaBot
efd668c69a879c85b8fb4ffdae21c471ce300548ab17321b851d0089c7dfdf73
DanaBot
f8f1569945e8adb87cb91509db4129d64a878863a347dbea1b21b70e1a21f973
DanaBot
+ 6'563 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot banker trojan
Link:
https://tria.ge/reports/211016-rt9ypacag3/
Behaviour
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Loads dropped DLL
Blocklisted process makes network request
Danabot
Danabot Loader Component
Malware Config
C2 Extraction:
192.119.110.73:443
192.236.147.159:443
192.210.222.88:443
Unpacked files
SH256 hash:
83c902c459f943e26eeac70019428211544b81b1ef40ce5310113c98ab20fe7f
MD5 hash:
bcd5edcbd532e09f55deb90b57bc7e4b
SHA1 hash:
eb92145b34d9a5134ea1cd938b2d611a7f5e6daa
Link:
https://www.unpac.me/results/f9d491af-0bad-4906-bf48-cb0bb559846b/
SH256 hash:
65b376ac148b3d5842b3b33d8c076d99075b8602cf41bafa999c18312dc7e090
MD5 hash:
51f3579c30f726a362c7cbf51f2e0e00
SHA1 hash:
d69fce2ba8c5d4589fa19c08e256d121884a9513
Link:
https://www.unpac.me/results/f9d491af-0bad-4906-bf48-cb0bb559846b/
SH256 hash:
165f281fe26eb8a14657d69da2b56254c7c517800e57f3d26d83d6db8f33ae62
MD5 hash:
478dcafd00ed193c9a89a248ec1665e4
SHA1 hash:
c503d599b9bcc7d0adde4d0ab635e1e475d33a13
Link:
https://www.unpac.me/results/f9d491af-0bad-4906-bf48-cb0bb559846b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/165f281fe26eb8a14657d69da2b56254c7c517800e57f3d26d83d6db8f33ae62

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 165f281fe26eb8a14657d69da2b56254c7c517800e57f3d26d83d6db8f33ae62

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/197888/
  
URLhaus
https://urlhaus.abuse.ch/url/1660814/
  
Delivery method
Distributed via web download

Comments