MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b66defbea4f416df3e25f4289193c9eb5e5fb8f57c3a0c679980b9bb4605dcc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	1b66defbea4f416df3e25f4289193c9eb5e5fb8f57c3a0c679980b9bb4605dcc
SHA3-384 hash:	51b4a600870bc4e1d9cd16c22da7a62ee590493a08e90ea34ff631e2fd28abcba550e9303a68328e2b810121cb80c4ca
SHA1 hash:	41d1dba0618e06bcf84ef9b75b9c6a0fc465cd6a
MD5 hash:	d187b3090459a7b56d8c8d3f34ceed5c
humanhash:	speaker-emma-summer-don
File name:	d187b3090459a7b56d8c8d3f34ceed5c.exe
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	1'836'032 bytes
First seen:	2021-11-18 19:58:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9abf03d4e22c0a12cb29c8d67fb192e4 (3 x Smoke Loader, 2 x RaccoonStealer, 1 x DanaBot)
ssdeep	24576:/uvVuc0qqCJwy/3EL+8Kwz1X04LiyrjXkIqN0YId3X66gzrMF9EnbvLEgShjT0xt:/uvVuKwbq7wBX0ujXkF+gzr9nbvL0T3
Threatray	7'322 similar samples on MalwareBazaar
TLSH	T1A3852304B7A1C03AF1F245F85DB68368BA3E39E1637995CB11D206EE89256D4ECB2707
File icon (PE):
dhash icon	badacaaecee6baa2 (3 x RedLineStealer, 2 x RaccoonStealer, 2 x Smoke Loader)
Reporter	abuse_ch
Tags:	DanaBot exe

Intelligence

File Origin

# of uploads :

# of downloads :

453

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

d187b3090459a7b56d8c8d3f34ceed5c.exe

Verdict:

Malicious activity

Analysis date:

2021-11-18 20:05:33 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/eacc9779-24ff-4b0e-95ac-cd36f27d01df

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

DanaBot

Link:

https://www.capesandbox.com/analysis/207386/

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Creating a file

Enabling the 'hidden' option for recently created files

DNS request

Sending a custom TCP request

Launching a process

Creating a process with a hidden window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/6196b0502695a62af9f343cf/reports/3368a02a-5b0b-4184-b564-43f39919f969/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/28e392af-0518-456f-99b8-8105e67b428c

Result

Threat name:

DanaBot

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/892263

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected DanaBot stealer dll

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1b66defbea4f416df3e25f4289193c9eb5e5fb8f57c3a0c679980b9bb4605dcc/

Threat name:

Win32.Trojan.Strab

Status:

Malicious

First seen:

2021-11-18 19:59:06 UTC

AV detection:

21 of 28 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dntn567kj5aw347cl5bisgj4t226l64pk7b2brtztafzxndalxga._file

Verdict:

malicious

Result

Malware family:

danabot

Score:

10/10

Tags:

family:danabot banker trojan

Link:

https://tria.ge/reports/211118-yptt8sadg2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Loads dropped DLL

Danabot

Danabot Loader Component

Suspicious use of NtCreateProcessExOtherParentProcess

Malware Config

C2 Extraction:

192.119.110.73:443
192.236.192.201:443

Unpacked files

SH256 hash:

d92bffb7e824f088219ae6e3467b6bb7602144dd9449018a4d15adffbd47df48

MD5 hash:

3c8ccecf838036d5207534ed0d7b766a

SHA1 hash:

3f77ae96761b9f8a3d130729ad523a385e5b8440

Link:

https://www.unpac.me/results/cc04df0c-5447-439f-9fe9-ca1e0853a758/

SH256 hash:

c0f1b64e7be951a7fb0953441ae53703d57de5673f610ecb7b507193cddaf5c1

MD5 hash:

481017cbff2b4d7f53d8fb1d49eef909

SHA1 hash:

1417557a49431d925ea3411bca325b4abcb5d109

Link:

https://www.unpac.me/results/cc04df0c-5447-439f-9fe9-ca1e0853a758/

SH256 hash:

1b66defbea4f416df3e25f4289193c9eb5e5fb8f57c3a0c679980b9bb4605dcc

MD5 hash:

d187b3090459a7b56d8c8d3f34ceed5c

SHA1 hash:

41d1dba0618e06bcf84ef9b75b9c6a0fc465cd6a

Link:

https://www.unpac.me/results/cc04df0c-5447-439f-9fe9-ca1e0853a758/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1b66defbea4f416df3e25f4289193c9eb5e5fb8f57c3a0c679980b9bb4605dcc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

exe 1b66defbea4f416df3e25f4289193c9eb5e5fb8f57c3a0c679980b9bb4605dcc

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1772785/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/207386/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample