MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1862c6b58deef050db0cb8f2fe013c3e49002469d234b5c9857f2d6c5114e32d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	1862c6b58deef050db0cb8f2fe013c3e49002469d234b5c9857f2d6c5114e32d
SHA3-384 hash:	7defa7b6b12cf4102596a7fd3147bdce076043ee6b3270e8461cc233454bf16bed66b7bdf4e5b95a812424b9580f6dcd
SHA1 hash:	056732ccf73a6e3ef5f22e3a058278a57d9c3f51
MD5 hash:	784949d5ab49e5e8783897c2e8cd1815
humanhash:	skylark-hydrogen-north-december
File name:	784949d5ab49e5e8783897c2e8cd1815.exe
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	1'134'080 bytes
First seen:	2021-07-23 12:22:25 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c17477c544765db3771d2d95e0ca4bfc (4 x RaccoonStealer, 3 x RedLineStealer, 1 x CryptBot)
ssdeep	24576:4Axpug2kXzLAW9/5CPT67maoqHUFQVl1OzykxQQL:4AhFAW96PEn1OzqQ
Threatray	2'878 similar samples on MalwareBazaar
TLSH	T1DF3523207251C9B6D8C5163258F7DB927A3E7CA25F5CC1472AC25BDF8F30382A46D29D
dhash icon	08b9b2b0e8c18c90 (11 x RaccoonStealer, 3 x RedLineStealer, 2 x DanaBot)
Reporter	abuse_ch
Tags:	DanaBot exe

Intelligence

File Origin

# of uploads :

# of downloads :

196

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

784949d5ab49e5e8783897c2e8cd1815.exe

Verdict:

Malicious activity

Analysis date:

2021-07-23 12:24:26 UTC

Tags:

trojan danabot stealer

Link:

https://app.any.run/tasks/f983bb99-92a2-4180-9577-6f90ab24c217

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Blackrat

Link:

https://www.capesandbox.com/analysis/173626/

Detection(s):

Win.Malware.Generic-9880784-0

Win.Malware.Generic-9880785-0

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/27c1883b-7a57-46c5-84b5-c6f04f012a38

Result

Threat name:

Unknown

Detection:

malicious

Classification:

bank.troj.adwa.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/820750

Signature

Bypasses PowerShell execution policy

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Enables a proxy for the internet explorer

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sets a proxy for the internet explorer

Sigma detected: Suspicious Script Execution From Temp Folder

System process connects to network (likely due to code injection or exploit)

Tries to harvest and steal browser information (history, passwords, etc)

Uses nslookup.exe to query domains

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1862c6b58deef050db0cb8f2fe013c3e49002469d234b5c9857f2d6c5114e32d/

Threat name:

Win32.Trojan.Caynamer

Status:

Malicious

First seen:

2021-07-23 12:23:07 UTC

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=dbrmnnmn53yfbwymxdzp4aj4hzeqajdj2i2llsmfp4wwyuiu4mwq._file

Verdict:

malicious

Result

Malware family:

danabot

Score:

10/10

Tags:

family:danabot botnet:4 banker discovery spyware stealer trojan

Link:

https://tria.ge/reports/210723-57grdfr6as/

Behaviour

Checks processor information in registry

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Program Files directory

Checks installed software on the system

Loads dropped DLL

Reads user/profile data of web browsers

Blocklisted process makes network request

Danabot

Malware Config

C2 Extraction:

142.11.244.124:443
142.11.206.50:443

Unpacked files

SH256 hash:

aaf22f0fb83992b924ada07e7f7353c8cda6a208330aefc1e5127fcccc9e2aea

MD5 hash:

c92a53cc671aa0e174d0697f7b6e35e9

SHA1 hash:

a2dd513e7988b2e2d56b4bede0840093ad2ac4bb

Link:

https://www.unpac.me/results/17aa68ec-5d36-44c3-82f7-303c6588ccd9/

SH256 hash:

5ad39624d62ff1aac9e57571615ce4107a200cb332707295c71c10f350150506

MD5 hash:

cb32e98530e127f82cd2a307c0bec178

SHA1 hash:

3a14cdf0a74fa1dbf2c0af5cc83a02a11dc9b76f

Link:

https://www.unpac.me/results/17aa68ec-5d36-44c3-82f7-303c6588ccd9/

SH256 hash:

1862c6b58deef050db0cb8f2fe013c3e49002469d234b5c9857f2d6c5114e32d

MD5 hash:

784949d5ab49e5e8783897c2e8cd1815

SHA1 hash:

056732ccf73a6e3ef5f22e3a058278a57d9c3f51

Link:

https://www.unpac.me/results/17aa68ec-5d36-44c3-82f7-303c6588ccd9/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1862c6b58deef050db0cb8f2fe013c3e49002469d234b5c9857f2d6c5114e32d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

exe 1862c6b58deef050db0cb8f2fe013c3e49002469d234b5c9857f2d6c5114e32d

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1461110/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/1467030/

Cape

https://www.capesandbox.com/analysis/173626/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample