MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35bb9fb5b4801c32caa7c9b1d178f6a11d88cf849394333d450d9fc36dac0c1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 35bb9fb5b4801c32caa7c9b1d178f6a11d88cf849394333d450d9fc36dac0c1f
SHA3-384 hash: 017a4e17939879437a68074423a85cb7b4891de2eed8e15e57e2f7e04a447de1de0b629aac9062e0e38135c5b3c7bcda
SHA1 hash: 38f5365dfe6d9d31d75b5637ddcbdb8db8cb35c6
MD5 hash: 201715e350439f6d19ce61769e5bb8d5
humanhash: sad-venus-sweet-single
File name:201715e350439f6d19ce61769e5bb8d5.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'082'368 bytes
First seen:2022-04-25 15:49:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 912719ee3914a6e565c77461f9cea00d (3 x RedLineStealer, 2 x DanaBot, 1 x Loki)
ssdeep 24576:O9XS2VRSzhqvkJn1s7FmUJz63/wP/r2rNwn5bg4ZvTZ4F3OX:O5S8gEvq1wky63/WWOyAZ4
Threatray 12'036 similar samples on MalwareBazaar
TLSH T1883523013A21813BCCA68AB424B463525CAFBF726B75491A73585536EE363817FF0F36
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 38b078cccacccc43 (123 x Smoke Loader, 83 x Stop, 63 x RedLineStealer)
Reporter abuse_ch
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
671
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/266479/
Detection(s):
Win.Malware.Filerepmalware-9941437-0
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a window
Launching a process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6266c3335a708c968a01c3ba/reports/e0227cdd-dd09-44d3-b865-a8f1571d5b0c/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f5ba79fe-55d2-49ea-8df8-2616cc57bc50
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/982548
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to evade debugger and weak emulator (self modifying code)
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/35bb9fb5b4801c32caa7c9b1d178f6a11d88cf849394333d450d9fc36dac0c1f/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2022-04-25 15:50:11 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gw5z7nnuqaodfsvhzgy5c6hwueoyrt4esokdgpkfbwp4g3nmbqpq._file
Verdict:
malicious
Similar samples:
011cf163f408740dc9c5dc6b14f8e869c90221ba032365786f1fd17e3f17addb
DanaBot
131bc80decadc83b3eabb56fb0f69a715d12bd72a6ef321d0c6ac61db244d62f
DanaBot
6ee73d5e4fa4954957aad95443756f9be8fc1423cb7e83aad87048f7d2d970c0
DanaBot
8acfd843d915a1f12da9bbc0dc543d510be82e60257b99273883b6e55a990d9f
DanaBot
fc462d664059f589615426aaed5f9ec02eba957c4a6538b5fe22a5648a5b2f2e
DanaBot
fd03b9031f45ecee766ffd5f697a5234745eab0f0665620ec4f271536aca69a1
DanaBot
+ 12'026 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220425-s9x5haggej/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Blocklisted process makes network request
Unpacked files
SH256 hash:
2e05ce5d4b4b6f6e85b7bef44f0091d78d1aebfa68adb7f5857562498107b6e8
MD5 hash:
fd6abe05b0aab676985e682bfb480378
SHA1 hash:
c1a334665301c7c433f0a2a6fc55ee42fa6a85ac
Link:
https://www.unpac.me/results/0e8c524f-9ff1-417c-82db-fce238fa8ee6/
SH256 hash:
35bb9fb5b4801c32caa7c9b1d178f6a11d88cf849394333d450d9fc36dac0c1f
MD5 hash:
201715e350439f6d19ce61769e5bb8d5
SHA1 hash:
38f5365dfe6d9d31d75b5637ddcbdb8db8cb35c6
Link:
https://www.unpac.me/results/0e8c524f-9ff1-417c-82db-fce238fa8ee6/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/35bb9fb5b480/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/35bb9fb5b4801c32caa7c9b1d178f6a11d88cf849394333d450d9fc36dac0c1f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb
Create hunting rule
Author:@stvemillertime
Description:Searching for PE files with PDB path keywords, terms or anomalies.
Rule name:pdb2
Create hunting rule
Rule name:win_danabot
Create hunting rule
Author:Johannes Bader
Description:detects DanaBot

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 35bb9fb5b4801c32caa7c9b1d178f6a11d88cf849394333d450d9fc36dac0c1f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2163581/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/266479/

Comments