MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a009cecbb0b5f61ac6956e12a8ffd880a5c6c5fcce207d48a39dec829daff6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2a009cecbb0b5f61ac6956e12a8ffd880a5c6c5fcce207d48a39dec829daff6d
SHA3-384 hash: 45bc7118fb3bc265b7ca4b2183543e8cd90a8a1dc03bc1b444861c15d4d189457cbba5855524277a2b9aa998896ef898
SHA1 hash: 2d5a12ef12b560d3bb634fa37d78951169113949
MD5 hash: f601ad405d65674d3fdd6d9625770487
humanhash: steak-ohio-neptune-shade
File name:f601ad405d65674d3fdd6d9625770487.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'170'432 bytes
First seen:2022-01-09 09:13:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash dc208b4d6c8be269ff70449d0d62610c (1 x DanaBot, 1 x OnlyLogger)
ssdeep 24576:iPrfoz2Awl3QcVjn1jJ4Bxj84Lv4oWKuen:WoaFRQcN1mBwTe
Threatray 483 similar samples on MalwareBazaar
TLSH T196452306D9E5C431CDFA9AB006A6CAD3AD3F7D0227416267938C02AF3F13945AB75F16
File icon (PE):PE icon
dhash icon fcfcd4d4d4d4d8c0 (75 x RedLineStealer, 56 x RaccoonStealer, 23 x Smoke Loader)
Reporter abuse_ch
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
598
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f601ad405d65674d3fdd6d9625770487.exe
Verdict:
Malicious activity
Analysis date:
2022-01-09 09:15:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d53b46ee-9e98-418c-9a0e-29b034a83a85

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DanaBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/217881/
Detection(s):
Win.Dropper.Tofsee-9919472-0
Create hunting rule

Win.Dropper.Lockbit-9919572-0
Create hunting rule

Win.Malware.Stopcrypt-9933337-0
Create hunting rule

Win.Dropper.Tofsee-9934046-0
Create hunting rule

Win.Dropper.Tofsee-9934861-0
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a file
Enabling the 'hidden' option for recently created files
DNS request
Launching a process
Creating a process with a hidden window
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/3905/overview
Behaviour
MalwareBazaar
MeasuringTime
CPUID_Instruction
SystemUptime
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed tofsee
Link:
https://www.filescan.io/uploads/61daa75d1c0d769df9db2359/reports/be69e088-4b3f-4f6c-9d2a-c465f95e81b7/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/47a45b06-8159-4f8a-88aa-9abe79fea87d
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/917268
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2a009cecbb0b5f61ac6956e12a8ffd880a5c6c5fcce207d48a39dec829daff6d/
Threat name:
Win32.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2022-01-09 09:14:14 UTC
File Type:
PE (Exe)
Extracted files:
24
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd
DanaBot
7d3b2e91c3cfb16df02f63b973c69a2047b8031295a49e4fffa0fad3dba975f0
DanaBot
972b6465a8dd0ff9e1ec5354c9b6d028f71b0505dcd3388f5edf9976071708c2
DanaBot
a4b1ad9683d5208a4cef9cd3aa5a055007e88d9f712163ea599feb23f6f43e0c
DanaBot
a5437c7d1711d9ef40881b429e3b308c5e3d6b94da15aa1b20f5c64ecbe49848
DanaBot
a5a58e9c4804f19ff134799163899559a71ee942c9a77aeefa5983223f6fe34e
DanaBot
a6f23f333a1c8eab33961660887f4ebb84f12451db4d8f94c1c01fe5dca71ae8
DanaBot
aaba33fbea2a90c26205589be2807c7f04b571e5b410b06bc6555224392e18e7
DanaBot
d7199616185a4d6187eb375c778dd4e5327df6a5e51018770addb54705732d88
DanaBot
+ 473 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot botnet:4 banker trojan
Link:
https://tria.ge/reports/220109-k7bvgsdggn/
Behaviour
Suspicious use of WriteProcessMemory
Loads dropped DLL
Danabot
Danabot Loader Component
Malware Config
C2 Extraction:
192.119.110.4:443
103.175.16.113:443
Unpacked files
SH256 hash:
7f0d4abb09bb49251f1bdadd8ad47a2eab588e37ce0f061e2fa000157936c8c3
MD5 hash:
e89e8400a8283c0d06f11b57762d4dd0
SHA1 hash:
be228f09cd7df5985e1eb2a8d7e3b0047b053ac1
Link:
https://www.unpac.me/results/09241d1e-ef93-46e6-a45a-203a9e8a6987/
SH256 hash:
b17c66f24fb293959a5e5cdb0ce91c573c2da5ac1b57c0c084966749a2e9a8b6
MD5 hash:
a106f22f95d9725bccf5e1c9f5456e78
SHA1 hash:
cf5355841c04e2535a3877866e14290e3f39278b
Link:
https://www.unpac.me/results/09241d1e-ef93-46e6-a45a-203a9e8a6987/
SH256 hash:
2a009cecbb0b5f61ac6956e12a8ffd880a5c6c5fcce207d48a39dec829daff6d
MD5 hash:
f601ad405d65674d3fdd6d9625770487
SHA1 hash:
2d5a12ef12b560d3bb634fa37d78951169113949
Link:
https://www.unpac.me/results/09241d1e-ef93-46e6-a45a-203a9e8a6987/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2a009cecbb0b5f61ac6956e12a8ffd880a5c6c5fcce207d48a39dec829daff6d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_DanaBot
Create hunting rule
Author:ditekSHen
Description:Detects DanaBot variants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 2a009cecbb0b5f61ac6956e12a8ffd880a5c6c5fcce207d48a39dec829daff6d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1957950/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1959547/
Cape
Cape
https://www.capesandbox.com/analysis/217881/

Comments