MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1919a6cdebe6a58cdf4ce6748c2caf927998f8e1529ca7df8d831fd429b4190f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1919a6cdebe6a58cdf4ce6748c2caf927998f8e1529ca7df8d831fd429b4190f
SHA3-384 hash: b73c62753ef2bdb72490a8283e9b22123463b384e052a56817507aaf5180c38e5d45262d7061d1661d881e2eb4871c58
SHA1 hash: b709954d1577b70ffd17b204f5c42572c67c1567
MD5 hash: eedec83bdc674b5b482f1e21efbf51e6
humanhash: freddie-nineteen-foxtrot-foxtrot
File name:eedec83bdc674b5b482f1e21efbf51e6
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'115'648 bytes
First seen:2021-10-28 22:53:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 18875662b19ade4ddd6bba43f9abb4a3 (12 x RaccoonStealer, 3 x RedLineStealer, 1 x DanaBot)
ssdeep 24576:51P6Iw/2kU+IEzVueyTqwBh7AUiZAozzDA0DMqJdkHYoZqNQM7siflMxe:5Nw/g+rVue/IPhorA0oqQdZqNJgNx
TLSH T1283523F062BEC034D0A7FB31693889545A1E7D61EA5985453738236F1BB4ECC2ED932E
File icon (PE):PE icon
dhash icon fcfcb4d4d4d4d8c0 (70 x RedLineStealer, 59 x RaccoonStealer, 24 x Smoke Loader)
Reporter zbetcheckin
Tags:32 DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
344
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Variant.Fragtor.35416.2589.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file
Enabling the 'hidden' option for recently created files
Launching a process
Creating a process with a hidden window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/479842c8-3eff-4930-9e6b-1b095d907918
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/878928
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1919a6cdebe6a58cdf4ce6748c2caf927998f8e1529ca7df8d831fd429b4190f/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-10-28 21:41:49 UTC
AV detection:
22 of 44 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dem2ntpl42syzx2m4z2iylfpsj4zr6hbkkokpx4nqmp5iknudehq._file
Verdict:
malicious
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot botnet:4 banker collection discovery spyware stealer trojan
Link:
https://tria.ge/reports/211028-2vkejahafq/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Danabot
Danabot Loader Component
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
192.119.110.73:443
192.236.192.201:443
192.210.222.88:443
Unpacked files
SH256 hash:
117a3bf50ecd5226ac3c9077b620b58855937579f14c64b04f385ad27b837814
MD5 hash:
8f85fc66845a0be7e7b39537468d77e9
SHA1 hash:
6f1ab3f11e45b334c6181c367c5691805c40570c
Link:
https://www.unpac.me/results/1364d940-c149-40b2-9f68-dca1a5478818/
SH256 hash:
df327cab3f589cccc5eb18b97df2d2e6dd58b61366e76df183710265238c7334
MD5 hash:
c50d42a2fee8efb4173e19680d3a7bbe
SHA1 hash:
98677602eaa8318d18894b75e7acc0bd2c7494f1
Link:
https://www.unpac.me/results/1364d940-c149-40b2-9f68-dca1a5478818/
SH256 hash:
1919a6cdebe6a58cdf4ce6748c2caf927998f8e1529ca7df8d831fd429b4190f
MD5 hash:
eedec83bdc674b5b482f1e21efbf51e6
SHA1 hash:
b709954d1577b70ffd17b204f5c42572c67c1567
Link:
https://www.unpac.me/results/1364d940-c149-40b2-9f68-dca1a5478818/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1919a6cdebe6a58cdf4ce6748c2caf927998f8e1529ca7df8d831fd429b4190f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 1919a6cdebe6a58cdf4ce6748c2caf927998f8e1529ca7df8d831fd429b4190f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1724535/

Comments


Avatar
zbet commented on 2021-10-28 22:53:28 UTC

url : hxxp://45.138.172.114/sameini.exe