MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31273fa316dc1ee20fa52329d3283ae09f39238b74c90012366485b90bb037b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: DanaBot
Vendor detections: 10

SHA256 hash: 31273fa316dc1ee20fa52329d3283ae09f39238b74c90012366485b90bb037b0
SHA3-384 hash: bbbfa3ee2eebd3a9605d7a6afb3ff3cb902af6cf13e7f8d667547f2d1228d4b086106daf90f74aadba29153388b4d944
SHA1 hash: 22f3141bf95d5369ea5d1843f5521318c433a685
MD5 hash: 2262dc2d65995ab90eb29107f406c3fa
humanhash: romeo-maine-october-gee
File name: databot.exe
Signature: DanaBot
File size: 1'158'656 bytes
First seen: 2021-06-16 14:01:05 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 89acf2f0d2a3019760d9233e714933ef (1 x DanaBot)
ssdeep: 24576:8KLU7dT87jivsPPBOAhICaKN7r9zI7kvrtjhgq6:M8PbPBFICF1pTtjm
Threatray: 2'008 similar samples on MalwareBazaar
TLSH: 8B350210A3B1C039F0FA53F819A5D675B63A3EB0976480CB62D62BFA97245E4EC31357
Reporter: 0x746f6d6669
Tags: DanaBot exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 260
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: databot.exe
Verdict: Malicious activity
Analysis date: 2021-06-16 14:02:49 UTC
Tags: trojan danabot

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware

Behaviour
Sending a UDP request
Creating a file
Enabling the 'hidden' option for recently created files
Launching a process
Creating a process with a hidden window
Modifying an executable file
Enabling the 'hidden' option for analyzed file
Sending a custom TCP request
Creating a file in the Program Files subdirectories
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Malicious Packer
Verdict: Malicious
Result
Threat name: DanaBot
Detection: malicious
Classification: troj.evad
Score: 96 / 100
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
May use the Tor software to hide its network traffic
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected DanaBot stealer dll
Behaviour
Threat name: Win32.Trojan.Azorult
Status: Malicious
First seen: 2021-06-16 14:01:11 UTC
AV detection: 18 of 29 (62.07%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: discovery spyware stealer
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Unpacked files
SHA256 hash: 6d1d4ebda4bc17eb60fdd232a84dc599a345b394717be9314b8e61275ab3b800
MD5 hash: 024a47965b02eb51f86deeb23e60eaef
SHA1 hash: 58d3bb6ca300a95d359153829609e3136605dc39
SHA256 hash: 7997e88596bcbb27666e9bfe29d228207c50303183981dc65374e43e01bc9f02
MD5 hash: 670b5593e575e1cc2636f14c01b16954
SHA1 hash: e7f558232f6b35ae6d3945d15af8830264328252
SHA256 hash: 31273fa316dc1ee20fa52329d3283ae09f39238b74c90012366485b90bb037b0
MD5 hash: 2262dc2d65995ab90eb29107f406c3fa
SHA1 hash: 22f3141bf95d5369ea5d1843f5521318c433a685
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with a stomped PE compilation timestamp that is greater than the local current time

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (Distributed via web download)
Signature: DanaBot
File: Executable exe 31273fa316dc1ee20fa52329d3283ae09f39238b74c90012366485b90bb037b0 (this sample)