MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ce9132eae4a8f774aaceb45c3fdb59bf0d8abfe340070b1bb84a0df8e6e794e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DanaBot


Vendor detections: 11



SHA256 hash: 1ce9132eae4a8f774aaceb45c3fdb59bf0d8abfe340070b1bb84a0df8e6e794e
SHA3-384 hash: 6b482eba765a80b4c18d774124ff47dcaaee44835e8716522c52301219c6872b9ba60d75a5428d4653d42a3853f5dfa5
SHA1 hash: 5fb3ce0bbea874986deb42df6b92d46e04b19518
MD5 hash: 792b82491d601850125d184f8f0c2a10
humanhash: steak-hamper-mexico-nebraska
File name: 1ce9132eae4a8f774aaceb45c3fdb59bf0d8abfe34007.exe
Signature: DanaBot
File size: 1'156'608 bytes
First seen: 2022-03-11 21:36:26 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 406de4076009c796cb18d0fd9ae9b583 (4 x RaccoonStealer, 1 x RedLineStealer, 1 x DanaBot)
ssdeep: 24576:QwmNTe2JnV3Z7YPDKAVa8eRS9LMJ2m9xV0uDiXFzC3Y/6Xy/AKp:uxrg+AsTS9LMJnDDiXti3Xy/A2
TLSH: T1B9351221B6A0D031F4F329F8997593ACA52EBDE1973450CF52C566EA93389E0EC32717
dhash icon: 2dac1378319b9b91 (29 x Smoke Loader, 23 x RedLineStealer, 22 x Amadey)
Reporter: abuse_ch
Tags: DanaBot exe


abuse_ch
DanaBot C2:
103.144.139.105:443

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 103.144.139.105:443
ThreatFox reference: https://threatfox.abuse.ch/ioc/394340/

Intelligence


File Origin
# of uploads: 1
# of downloads: 625
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Suspicious
Maliciousness:

Behaviour
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a window
Launching a process
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating synchronization primitives
Unauthorized injection to a system process
Result
Malware family: n/a
Score: 9/10
Tags: n/a
Behaviour
MalwareBazaar
CPUID_Instruction
MeasuringTime
SystemUptime
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 68 / 100
Signature
Delayed program exit found
Machine Learning detection for sample
May use the Tor software to hide its network traffic
Overwrites code with function prologues
Sigma detected: Suspicious Call by Ordinal
System process connects to network (likely due to code injection or exploit)
Behaviour
Threat name: Win32.Trojan.DanaBot
Status: Malicious
First seen: 2022-03-11 21:37:12 UTC
File Type: PE (Exe)
Extracted files: 15
AV detection: 21 of 27 (77.78%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Checks processor information in registry
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Blocklisted process makes network request
Unpacked files
SHA256 hash: 23b1f6b217f7faeea8fa65e321a0be6a3cccb9f23b79930ae495e5f8a1d52c26
MD5 hash: e57f657444018935b35c04097ffd63c3
SHA1 hash: 1bfcf40c3e1884c488cdd713d4735be8627400ae

SHA256 hash: 1ce9132eae4a8f774aaceb45c3fdb59bf0d8abfe340070b1bb84a0df8e6e794e
MD5 hash: 792b82491d601850125d184f8f0c2a10
SHA1 hash: 5fb3ce0bbea874986deb42df6b92d46e04b19518
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
DanaBot
Executable exe 1ce9132eae4a8f774aaceb45c3fdb59bf0d8abfe340070b1bb84a0df8e6e794e (this sample)
Delivery method: Distributed via web download

Comments