MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 250b9761ab777e85962f8071404ce9a5a63b74b11bf9c86791e0bd1b0fc34fd3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 7


Intelligence 7 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 250b9761ab777e85962f8071404ce9a5a63b74b11bf9c86791e0bd1b0fc34fd3
SHA3-384 hash: a7a94874dd7bfc47e11839d9585c00f7a04949052bf6480228b1e8979afb4fb26c626ed575679c8faabaa1739530de3f
SHA1 hash: 3052efa1b1764794dc7c8cf7ee9dc31898d6434b
MD5 hash: e427cb3534ba5328d05f5fe00e71943c
humanhash: zulu-arizona-beryllium-may
File name:SecuriteInfo.com.W32.AIDetect.malware1.9937.2226
Download: download sample
Signature DanaBot
Create hunting rule
File size:6'267'392 bytes
First seen:2021-05-03 16:00:37 UTC
Last seen:2021-05-03 17:05:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e282e474b4b570377c09595ac5d79ff9 (2 x DanaBot, 1 x ArkeiStealer, 1 x CryptBot)
ssdeep 98304:sRlynyGrzNfye3p+Q0jzTojG+Cp8/oTi57J3yu0CebBQOUOwDWtUqhsZWUx:sRlyyG1V3pc/TQG+o8/oTi3y0elnURDH
TLSH 60563321AA90C034F57B02F88DF851799A1C3DB2C37064CB22D55ADD57726E9EC3A36B
Reporter SecuriteInfoCom
Tags:DanaBot

Intelligence

File Origin
# of uploads :
2
# of downloads :
294
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.9937.2226.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file
Launching a process
Creating a process with a hidden window
Modifying an executable file
Changing a file
Creating a file in the %temp% directory
Sending a custom TCP request
Sending a TCP request to an infection source
Infecting executable files
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/708255
Signature
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/250b9761ab777e85962f8071404ce9a5a63b74b11bf9c86791e0bd1b0fc34fd3/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2021-05-03 16:01:08 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=eufzoynlo57ilfrpqbyuathjuwtdw5frdp44qz4r4c6rwd6dj7jq._file
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot botnet:3 banker discovery spyware stealer trojan
Link:
https://tria.ge/reports/210503-wbcswwz1kj/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks installed software on the system
Drops desktop.ini file(s)
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Danabot
Malware Config
C2 Extraction:
23.106.123.185:443
192.210.198.12:443
192.236.147.83:443
37.220.31.94:443
Unpacked files
SH256 hash:
70a5cc7c6c0383d735a71b6d54aa9414aae2bc628e93eb26c4f20f221fddb4d4
MD5 hash:
e9cc649b15b438d1eedfa386498a44e4
SHA1 hash:
cbf2f033c62cb781b1f60cad67068909db50eb3f
Link:
https://www.unpac.me/results/24eaa2dd-80d8-4fdf-88b8-71c26a2472cb/
SH256 hash:
90f0e6c8e7905975130412bf839e824f72f90d708fcc431f53e5ad9f35666f27
MD5 hash:
ce2816dd27b6f679acfbfbad58c5ac6e
SHA1 hash:
2a1b1d7fa0b4f61ff178b197766943bb338bbe8c
Link:
https://www.unpac.me/results/24eaa2dd-80d8-4fdf-88b8-71c26a2472cb/
SH256 hash:
598bc6c653050dba57842117c3dd1b980802f69def82453e163208f60cc5cad0
MD5 hash:
a371f7c5df584cc5db760f6643210c0d
SHA1 hash:
f0532a3fab6ff8d13ac88542c6f8cb847462a0d9
Link:
https://www.unpac.me/results/24eaa2dd-80d8-4fdf-88b8-71c26a2472cb/
SH256 hash:
250b9761ab777e85962f8071404ce9a5a63b74b11bf9c86791e0bd1b0fc34fd3
MD5 hash:
e427cb3534ba5328d05f5fe00e71943c
SHA1 hash:
3052efa1b1764794dc7c8cf7ee9dc31898d6434b
Link:
https://www.unpac.me/results/24eaa2dd-80d8-4fdf-88b8-71c26a2472cb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/250b9761ab777e85962f8071404ce9a5a63b74b11bf9c86791e0bd1b0fc34fd3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:hunt_skyproj_backdoor
Create hunting rule
Author:SBousseaden
Reference:https://unit42.paloaltonetworks.com/unit42-prince-persia-ride-lightning-infy-returns-foudre/
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:@ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePasswor
Create hunting rule
Author:ditekSHen
Description:Detects PowerShell content designed to retrieve passwords from host
Rule name:INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePassword
Create hunting rule
Author:ditekSHen
Description:Detects PowerShell content designed to retrieve passwords from host
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_DanaBot
Create hunting rule
Author:ditekSHen
Description:Detects DanaBot variants
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Stealer_word_in_memory
Create hunting rule
Author:James_inthe_box
Description:The actual word stealer in memory
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 250b9761ab777e85962f8071404ce9a5a63b74b11bf9c86791e0bd1b0fc34fd3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1167028/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1187911/

Comments