MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1857c7aef05e1ea2d590a42c55fe60f910b6a7473b7f4443d03d3f46759121bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1857c7aef05e1ea2d590a42c55fe60f910b6a7473b7f4443d03d3f46759121bd
SHA3-384 hash: 53e3d3f15822260d1e7496f6e372976921e226ab6f8df7d1847f596ee20142fb6690f00cd08f459ebc068f5d953102ef
SHA1 hash: 780941f40823b186923d52b050d680c2932bff08
MD5 hash: 9262676e408a401848a80d2c8f15895d
humanhash: don-zulu-angel-vermont
File name:9262676e408a401848a80d2c8f15895d.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'124'352 bytes
First seen:2022-03-06 20:35:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ecf40f4beb06b67c316495692fd0889e (2 x DanaBot, 1 x Smoke Loader)
ssdeep 24576:GkMViqxP8E4wjr/lbeNfglWWeHnfUcNGS54YVO6kFOtM:GNUE4wVbeNUwnfP4P
TLSH T1BA351211BA60C035E4BB56F8483A93A9B52E3EE16B6454CB13C53AED5774AE4ED3030F
File icon (PE):PE icon
dhash icon 2dac1370399b9b91 (45 x RedLineStealer, 35 x Smoke Loader, 19 x Amadey)
Reporter abuse_ch
Tags:DanaBot exe


Avatar
abuse_ch
DanaBot C2:
23.254.201.147:443

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
23.254.201.147:443 https://threatfox.abuse.ch/ioc/392763/

Intelligence

File Origin
# of uploads :
1
# of downloads :
645
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/247705/
Detection(s):
Win.Dropper.Generickdz-9939781-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a window
Launching a process
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Сreating synchronization primitives
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/8400/overview
Behaviour
MalwareBazaar
CPUID_Instruction
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/da9f5176-62fb-4b6c-ac08-8b6df772080a
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/951479
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1857c7aef05e1ea2d590a42c55fe60f910b6a7473b7f4443d03d3f46759121bd/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2022-03-06 20:36:13 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dbl4plxqlypkfvmquqwfl7ta7eilnj2hhn7uiq6qhu7um5mreg6q._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220306-zdkmvsegg3/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
dc8c9706193acd049d3ea112e78e5b404b7b65be9df9c5aa684bef0617ccb84b
MD5 hash:
802b4acebd9a043f99861e2a592f38a5
SHA1 hash:
50e2c1204e982dbabb00a0aee712eecf98d59a18
Link:
https://www.unpac.me/results/92655e76-7e77-408d-88cf-148273086c7d/
SH256 hash:
1857c7aef05e1ea2d590a42c55fe60f910b6a7473b7f4443d03d3f46759121bd
MD5 hash:
9262676e408a401848a80d2c8f15895d
SHA1 hash:
780941f40823b186923d52b050d680c2932bff08
Link:
https://www.unpac.me/results/92655e76-7e77-408d-88cf-148273086c7d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1857c7aef05e1ea2d590a42c55fe60f910b6a7473b7f4443d03d3f46759121bd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 1857c7aef05e1ea2d590a42c55fe60f910b6a7473b7f4443d03d3f46759121bd

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2078748/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/247705/

Comments