MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c94046bb5594620da42643328011854ddc455c8eca7973a188acd5fbec27655. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	1c94046bb5594620da42643328011854ddc455c8eca7973a188acd5fbec27655
SHA3-384 hash:	6b3355e3e680a7ff4e4458cf2417ea8c0af8d60ae69caaa59c2f63db1d023e5b0408c51b728483936c3dc920e17c5bff
SHA1 hash:	3867c8c6fda468d6035cf1d966f4991b0df5b5f6
MD5 hash:	b9c425eb7459450b0dd1d0aac6dd1e77
humanhash:	july-oxygen-illinois-hotel
File name:	b9c425eb7459450b0dd1d0aac6dd1e77.exe
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	1'211'392 bytes
First seen:	2021-10-06 09:27:35 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	af44dcafed165daab29f132f710193c2 (6 x RaccoonStealer, 2 x RedLineStealer, 1 x Tofsee)
ssdeep	24576:N7hUrNRJG4MTmbRvAHAorbzDA8gwUV96BYmGWb+O/nMuv:Apf9x2rTA2Boy+Op
Threatray	6'014 similar samples on MalwareBazaar
TLSH	T13845123067A0C035F4B716B855B9A374A5393EB19BB460CFA2D126FA4A385E5FC31387
File icon (PE):
dhash icon	e8f8e8e8aa66a499 (5 x RaccoonStealer, 4 x ArkeiStealer, 3 x RedLineStealer)
Reporter	abuse_ch
Tags:	DanaBot exe

Intelligence

File Origin

# of uploads :

# of downloads :

446

Origin country :

n/a

Vendor Threat Intelligence

Detection:

DanaBot

Link:

https://www.capesandbox.com/analysis/195412/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Enabling the 'hidden' option for recently created files

Launching a process

Creating a process with a hidden window

Creating a window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/615d6c26e3d213d202b8574a/reports/de22d962-ed8a-45ae-bc42-fa66d23a79aa/overview

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ee2f8d13-47d6-4070-b7d1-ac98fcefa364

Result

Threat name:

DanaBot

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/865431

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected DanaBot stealer dll

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1c94046bb5594620da42643328011854ddc455c8eca7973a188acd5fbec27655/

Threat name:

Win32.Ransomware.Stop

Status:

Malicious

First seen:

2021-10-06 09:28:07 UTC

AV detection:

24 of 45 (53.33%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=dskai25vlfdcbwscmqzsqaiykto4ivoi5stzooqyrlgv7pwcozkq._file

Verdict:

malicious

Result

Malware family:

danabot

Score:

10/10

Tags:

family:danabot botnet:4 banker discovery spyware stealer trojan

Link:

https://tria.ge/reports/211006-lfb7lsbbfp/

Behaviour

Checks processor information in registry

Modifies Internet Explorer settings

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Drops file in Program Files directory

Suspicious use of SetThreadContext

Checks installed software on the system

Loads dropped DLL

Reads user/profile data of web browsers

Blocklisted process makes network request

Danabot

Danabot Loader Component

Suspicious use of NtCreateProcessExOtherParentProcess

Malware Config

C2 Extraction:

142.11.242.31:443
192.119.110.73:443
192.210.222.88:443

Unpacked files

SH256 hash:

27961c3941760ce877c7003cf8275757903e549c92371a98146b5ba2f3bfac24

MD5 hash:

0812d604a9056f68ccdd29264dd76c67

SHA1 hash:

904e11b6dbb6a22c1181e39d0c78b4d2fc57077d

Link:

https://www.unpac.me/results/c6daf3a0-ca2d-49d6-8b38-f90a026e2350/

SH256 hash:

8032199011ac6610a247281fef83b27ad6830a5042818189a77fb93570e53da7

MD5 hash:

0a76e4226aa1245ec00f7b6fe38e96c5

SHA1 hash:

0f8d7fbc050c1f46e1b344f4b58912acef39a4b8

Link:

https://www.unpac.me/results/c6daf3a0-ca2d-49d6-8b38-f90a026e2350/

SH256 hash:

1c94046bb5594620da42643328011854ddc455c8eca7973a188acd5fbec27655

MD5 hash:

b9c425eb7459450b0dd1d0aac6dd1e77

SHA1 hash:

3867c8c6fda468d6035cf1d966f4991b0df5b5f6

Link:

https://www.unpac.me/results/c6daf3a0-ca2d-49d6-8b38-f90a026e2350/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1c94046bb5594620da42643328011854ddc455c8eca7973a188acd5fbec27655

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

exe 1c94046bb5594620da42643328011854ddc455c8eca7973a188acd5fbec27655

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1640605/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/195412/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample