MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 247b4e32c0a8a4d4dea1362f22fa214ef5ce234ffba6d34cba720c6b71da61ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 247b4e32c0a8a4d4dea1362f22fa214ef5ce234ffba6d34cba720c6b71da61ec
SHA3-384 hash: 2d48f48d5df3ef90295ce155a1a83d21ecc3592467a8748bba60eabf82f803eb7c223208f82b7c5500038c92eb1cc9bc
SHA1 hash: cbd9203364e2221e678c600b9d3f27ce661be3e5
MD5 hash: dc0017df1ab6b222fb78a279a5fda28d
humanhash: eight-speaker-muppet-michigan
File name:dc0017df1ab6b222fb78a279a5fda28d
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'176'576 bytes
First seen:2021-09-09 10:08:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7e24bbf800b6d1d51ed10fe38980b98f (2 x DanaBot, 1 x ArkeiStealer, 1 x Loki)
ssdeep 24576:ZX1ShwqhcLhNLMMoUamtho992JwuxADFHohvj6EsqqRgA2Z3Pi4ygfcS3h2acD:+wfWUtDoHIWDFusyxvcypcD
Threatray 266 similar samples on MalwareBazaar
TLSH T1BC451220A7D0C031F0BB22F498B593A9A9397DB16F3041CB22D62AEF27765E49D70747
dhash icon d824e790c4e72158 (30 x RaccoonStealer, 18 x RedLineStealer, 16 x Smoke Loader)
Reporter zbetcheckin
Tags:32 DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
657
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
dc0017df1ab6b222fb78a279a5fda28d
Verdict:
Malicious activity
Analysis date:
2021-09-09 10:10:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/51c4bd82-11f8-4fc3-bc59-4048c102180e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/186564/
Detection(s):
Win.Packed.Generic-9891606-0
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file
Enabling the 'hidden' option for recently created files
Sending a UDP request
Launching a process
Creating a process with a hidden window
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f916cf24-1fe3-4a55-8a30-d2d4ef968f30
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/847988
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/247b4e32c0a8a4d4dea1362f22fa214ef5ce234ffba6d34cba720c6b71da61ec/
Threat name:
Win32.Backdoor.Tofsee
Create hunting rule
Status:
Malicious
First seen:
2021-09-09 09:26:34 UTC
File Type:
PE (Exe)
Extracted files:
32
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=er5u4mwavcsnjxvbgyxsf6rbj3244i2p7otngtf2oiggw4o2mhwa._file
Verdict:
malicious
Similar samples:
078f9ef51158a0583dc392a8b2d9db4830c3ed9bd7c3e46a96c82046d8b53ba0
DanaBot
423d9cfa5ac46d2ebb867f1b51dc844f4b823c4404c82b16ba611a1032040bf8
DanaBot
55f0976368822adb482407f46a40dcb9e0f2cc7e874d8b67c2bc82d82f7131e0
DanaBot
5c3162c36576b287b91705301199e60485f31ab98b4bd11e8ed4445b8131cf08
DanaBot
9a4537ed41f8307c11b5c85e70ed82573e3fa7f424178eb7f15c5b4d4d72cde5
DanaBot
ae6ec966a4d2912897da41c2e20296c0cc2ac5b30fd57ee20420bd7212e98042
DanaBot
b97c821707e93e8e535dc3661098e792d55d493a5edbd3f59bfd559c34d7822d
DanaBot
d3657dd474e857255ae3ea6f0faabb6f9a6f7bf77423042e5eb827a9cb72d17a
DanaBot
df03220ee207a1be64e9f25b74a78684ecd00fd75dd3e44e38e2b1678060e8be
DanaBot
f43c76a153e03551456a21ebd15a07017fbabd51a1080752ddb5241f9d599782
DanaBot
+ 256 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot botnet:4 banker discovery trojan
Link:
https://tria.ge/reports/210909-l6smaabbck/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Drops file in Program Files directory
Checks installed software on the system
Loads dropped DLL
Blocklisted process makes network request
Danabot
Danabot Loader Component
Malware Config
C2 Extraction:
23.229.29.48:443
5.9.224.204:443
192.210.222.81:443
Unpacked files
SH256 hash:
062b951e34460a9641b12e0c6d471f80f13f1d1bff3590b94c5b708f8f1a2266
MD5 hash:
a79acc558ad73ddaadcee89409a8318c
SHA1 hash:
b8f4fded466353f1df45b419d43d451cb9b174fa
Link:
https://www.unpac.me/results/a116979e-9296-435f-b9db-5187b2f7cc7c/
SH256 hash:
93c813d88c0c74b849243951b9c3ea10de1a39f46f83afe657e858c030dc8011
MD5 hash:
442a81f392c3670a4ca96f05e4ae5d07
SHA1 hash:
f3ae92f72a417971efb58ce613a09f549743aea6
Link:
https://www.unpac.me/results/a116979e-9296-435f-b9db-5187b2f7cc7c/
SH256 hash:
247b4e32c0a8a4d4dea1362f22fa214ef5ce234ffba6d34cba720c6b71da61ec
MD5 hash:
dc0017df1ab6b222fb78a279a5fda28d
SHA1 hash:
cbd9203364e2221e678c600b9d3f27ce661be3e5
Link:
https://www.unpac.me/results/a116979e-9296-435f-b9db-5187b2f7cc7c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/247b4e32c0a8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/247b4e32c0a8a4d4dea1362f22fa214ef5ce234ffba6d34cba720c6b71da61ec

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 247b4e32c0a8a4d4dea1362f22fa214ef5ce234ffba6d34cba720c6b71da61ec

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/186564/
  
URLhaus
https://urlhaus.abuse.ch/url/1604796/

Comments


Avatar
zbet commented on 2021-09-09 10:08:42 UTC

url : hxxp://23.106.124.163/dbhosts.exe