MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2628c0e7347bd706341c56a0fbe0574502dfa01d20efa2bad39c98fd48e1e4e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2628c0e7347bd706341c56a0fbe0574502dfa01d20efa2bad39c98fd48e1e4e4
SHA3-384 hash: 359798a12f4be54d55bca1446015743a9badecc7291a6a9af005331483d8aad5af10a6e0ff1a34f6f909f753cdf1da50
SHA1 hash: 49298cae3c0945e5bdb016010a913e60f5bf163c
MD5 hash: 9a4a6912c1c3b454fadb56a59c23f068
humanhash: quiet-sweet-quiet-march
File name:9a4a6912c1c3b454fadb56a59c23f068
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'083'904 bytes
First seen:2021-07-19 17:26:43 UTC
Last seen:2021-07-19 17:36:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 60dca3ce0efd49409d1dcd0dd66924fc (1 x DanaBot, 1 x RedLineStealer, 1 x CryptBot)
ssdeep 24576:HShtOSlXIRtKmSiCd+3shLqVAe+T9nnSiZmy:HSrqVSiCo3oo8nRm
Threatray 2'712 similar samples on MalwareBazaar
TLSH T1B5352310B9929833E8F2493424F5D1A62C3FFC31297A9A4A76C876DF3E720C1A59D753
Reporter zbetcheckin
Tags:32 DanaBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
220
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9a4a6912c1c3b454fadb56a59c23f068
Verdict:
Malicious activity
Analysis date:
2021-07-19 17:28:27 UTC
Tags:
trojan danabot
Link:
https://app.any.run/tasks/7cbbaa9a-a42c-4901-9f8c-5e16a3b73eb6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Blackrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/172626/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.23192.19596.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/14d4ca30-d663-4fb9-87c7-f9253a00ca73
Result
Threat name:
Unknown
Detection:
malicious
Classification:
bank.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/818445
Signature
Bypasses PowerShell execution policy
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Enables a proxy for the internet explorer
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sets a proxy for the internet explorer
Sigma detected: Suspicious Script Execution From Temp Folder
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Uses nslookup.exe to query domains
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 450856 Sample: jpVN8Lbg2x Startdate: 19/07/2021 Architecture: WINDOWS Score: 100 56 Multi AV Scanner detection for dropped file 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 Machine Learning detection for sample 2->60 62 Sigma detected: Suspicious Script Execution From Temp Folder 2->62 9 jpVN8Lbg2x.exe 1 2->9         started        process3 file4 44 C:\Users\user\Desktop\JPVN8L~1.EXE.tmp, PE32 9->44 dropped 74 Detected unpacking (changes PE section rights) 9->74 76 Detected unpacking (overwrites its own PE header) 9->76 13 rundll32.exe 2 9->13         started        signatures5 process6 dnsIp7 50 142.11.244.124, 443, 49745, 49758 HOSTWINDSUS United States 13->50 78 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 13->78 80 Bypasses PowerShell execution policy 13->80 82 Uses schtasks.exe or at.exe to add and modify task schedules 13->82 17 rundll32.exe 10 25 13->17         started        signatures8 process9 dnsIp10 46 127.0.0.1 unknown unknown 17->46 48 192.168.2.1 unknown unknown 17->48 42 C:\Users\user\AppData\...\tmpB191.tmp.ps1, ASCII 17->42 dropped 64 System process connects to network (likely due to code injection or exploit) 17->64 66 Tries to harvest and steal browser information (history, passwords, etc) 17->66 68 Sets a proxy for the internet explorer 17->68 70 Enables a proxy for the internet explorer 17->70 22 powershell.exe 15 17->22         started        25 powershell.exe 17 17->25         started        27 schtasks.exe 17->27         started        29 schtasks.exe 17->29         started        file11 signatures12 process13 signatures14 72 Uses nslookup.exe to query domains 22->72 31 nslookup.exe 22->31         started        34 conhost.exe 22->34         started        36 conhost.exe 25->36         started        38 conhost.exe 27->38         started        40 conhost.exe 29->40         started        process15 dnsIp16 52 localhost 31->52 54 8.8.8.8.in-addr.arpa 31->54
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2628c0e7347bd706341c56a0fbe0574502dfa01d20efa2bad39c98fd48e1e4e4/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-07-19 17:27:04 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eyumbzzupplqmna4k2qpxycxiubn7ia5edx2fowttsmp2shb4tsa._file
Verdict:
unknown
Similar samples:
173240b443fdb5cc7ed97cf6eedeb0d823924df3dab6d468c9da2898443f3ac6
DanaBot
1bceb4e84115eabb8bf3df704b5cc014834ca08b126451ae95d60a968e66d666
DanaBot
2fbf6c5454bb88073ecbc13b293375ec58a9f8636c188881ffd7a3573f3c1cac
DanaBot
3c62996e0dc98bf3e9ebbdcf8c89f47429fa7a0285ddcd665923b70b06d4586a
DanaBot
69fac4fe77b6da550498724f01e6db66d5c18a19c185d824bf62afdaccb0a7d6
DanaBot
8f71fca5621ccb7ba3558cfebc17014d27923d1c73ad97ececb577fd5b937047
DanaBot
8fa3eaa46c7d8d1f44a2eeca895f802f2aa7a2251bab347ccb765c72d63ccb58
DanaBot
c38669f38d4b4f1e1d6881adfee332a4f5e8a1c62a630642100b340426e4e97a
DanaBot
c76a9b5f3a1d4456cf2fe90c115f808e4a53f04a5520eabd945af7d41c44b986
DanaBot
dab48eb20191f37e19aed12dc58640ab40957cec26dc3fa63a88f70decbd875c
DanaBot
+ 2'702 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot botnet:4 banker discovery spyware stealer trojan
Link:
https://tria.ge/reports/210719-vke1drpktn/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Danabot
Malware Config
C2 Extraction:
142.11.244.124:443
142.11.206.50:443
Unpacked files
SH256 hash:
643138b1767f6d5bb05ca771238afc2b2e6d70594d5c5d4b027d20c8c1b733bd
MD5 hash:
7421975d09f0de9fc505ba95c37e5794
SHA1 hash:
052e5981f44c5451d896f6383df93bcdf5235fe5
Link:
https://www.unpac.me/results/27fcd76c-2746-421e-b83a-021c529d82b5/
SH256 hash:
a344cd2becc4fb060c148ba3d1e690071702a808bca0eb153e05cdf71e08e5f6
MD5 hash:
ea3d676924cc43b5f66d58768004e64a
SHA1 hash:
bb6ba09a24fbb961deec947c3326148c99e0f370
Link:
https://www.unpac.me/results/27fcd76c-2746-421e-b83a-021c529d82b5/
SH256 hash:
2628c0e7347bd706341c56a0fbe0574502dfa01d20efa2bad39c98fd48e1e4e4
MD5 hash:
9a4a6912c1c3b454fadb56a59c23f068
SHA1 hash:
49298cae3c0945e5bdb016010a913e60f5bf163c
Link:
https://www.unpac.me/results/27fcd76c-2746-421e-b83a-021c529d82b5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2628c0e7347bd706341c56a0fbe0574502dfa01d20efa2bad39c98fd48e1e4e4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 2628c0e7347bd706341c56a0fbe0574502dfa01d20efa2bad39c98fd48e1e4e4

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1461110/
Cape
Cape
https://www.capesandbox.com/analysis/172626/

Comments


Avatar
zbet commented on 2021-07-19 17:26:44 UTC

url : hxxp://5.9.224.200/cvhost.exe