MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 396df71a540c8b5101d47c289bd064288ae2e1b53335cc5de2cab2a872ff9ce6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 396df71a540c8b5101d47c289bd064288ae2e1b53335cc5de2cab2a872ff9ce6
SHA3-384 hash: 44591adf8113a05346cc8a1986c12e43c4d5bb7a627322acceeace58320431d9e12b429d384f345d89459c96cc46ade5
SHA1 hash: f90d114e8672caa5ff4e98fb92ad786094450a56
MD5 hash: cc55b7877737c052e14c380b468d98fe
humanhash: eight-massachusetts-papa-sierra
File name:cc55b7877737c052e14c380b468d98fe.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'179'648 bytes
First seen:2021-08-17 14:21:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 35155166d938a506dc8c83222d11c045 (2 x RedLineStealer, 1 x DanaBot)
ssdeep 24576:LJvGqyYJW1L1NLbt1EgcJExHyAW6xNyPIS7HGMQRc/Qyhwzb3lq351L7zF6Ulz:XWtnt1EgrHyaqOcfw330P/zF6Ulz
Threatray 4'062 similar samples on MalwareBazaar
TLSH T1AB4512307792C475F4B302B555B987BC64797EB06B6420FBA3D42ADA9A303E49C3178B
dhash icon d824e790c6e72158 (1 x RedLineStealer, 1 x Glupteba, 1 x Smoke Loader)
Reporter abuse_ch
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
310
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cc55b7877737c052e14c380b468d98fe.exe
Verdict:
Malicious activity
Analysis date:
2021-08-17 14:50:39 UTC
Tags:
trojan danabot
Link:
https://app.any.run/tasks/1c177c3c-c01f-473f-a3b7-fbedf5effe64

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DanaBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/180112/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader41.14942.7662.3900.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Enabling the 'hidden' option for recently created files
Launching a process
Creating a process with a hidden window
Sending a UDP request
Sending a custom TCP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3d306006-9614-4428-b507-bffcc2d39fff
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
bank.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/834544
Signature
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Enables a proxy for the internet explorer
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sets a proxy for the internet explorer
Sigma detected: Suspicious Script Execution From Temp Folder
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 467058 Sample: TwoglrcqSO.exe Startdate: 17/08/2021 Architecture: WINDOWS Score: 100 35 localhost 2->35 37 8.8.8.8.in-addr.arpa 2->37 43 Found malware configuration 2->43 45 Multi AV Scanner detection for dropped file 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 4 other signatures 2->49 10 TwoglrcqSO.exe 1 2->10         started        signatures3 process4 file5 33 C:\Users\user\Desktop\TWOGLR~1.EXE.tmp, PE32 10->33 dropped 59 Detected unpacking (changes PE section rights) 10->59 14 rundll32.exe 2 10->14         started        signatures6 process7 dnsIp8 41 23.229.29.48, 443, 49704 SERVER-MANIACA Canada 14->41 61 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->61 63 Bypasses PowerShell execution policy 14->63 18 rundll32.exe 10 23 14->18         started        signatures9 process10 dnsIp11 39 127.0.0.1 unknown unknown 18->39 31 C:\Users\user\AppData\...\tmp2C2.tmp.ps1, ASCII 18->31 dropped 51 System process connects to network (likely due to code injection or exploit) 18->51 53 Tries to harvest and steal browser information (history, passwords, etc) 18->53 55 Sets a proxy for the internet explorer 18->55 57 Enables a proxy for the internet explorer 18->57 23 powershell.exe 17 18->23         started        25 powershell.exe 10 18->25         started        file12 signatures13 process14 process15 27 conhost.exe 23->27         started        29 conhost.exe 25->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/396df71a540c8b5101d47c289bd064288ae2e1b53335cc5de2cab2a872ff9ce6/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-08-17 14:22:26 UTC
AV detection:
17 of 27 (62.96%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hfw7ogsubsfvcaoupqujxudefcfofynvgm24yxpczkzkq4x7ttta._file
Verdict:
malicious
Similar samples:
053542bbd9ab3b0436469e6d6ae5ff0b72e55f882a08e23d8ab481e1357d9528
DanaBot
3f7ef3fcc9141ed9a7d7620c90325356956947add46038ece8167d8c5028273e
DanaBot
4773c2edf97089e1ea3108cb675777b870020f5e3082dec8a89a3bc5a2297c1c
DanaBot
58dd074be5e51ca44f0c67ed712b3bb7a1afe1723adccdf3491636fef7cf1a2d
DanaBot
a04cd9695517c7281ffa730523fc49c272dc3d5171745d46e5dd14481a9dcd4c
DanaBot
ac783ad55fbc3133892c6df4490d701b9493020971c95dae47983721115d6842
DanaBot
bdd0c7cbefda7e06ae77b73b86f97ce92ec35be89de53681f6aa9c8b6f1467d0
DanaBot
c252d146aa7c269b0db0a7c05f094da93234e6ace6ad52bd33860edd4127b6eb
DanaBot
caeba1910c89f2122e91e962d96987421b822487681d549bcf9d3118d1b87bb4
DanaBot
e83e6702c3b59f275981161db3eabdb589051a4d36ad2d74c34a8fc45cb31a30
DanaBot
+ 4'052 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot botnet:4 banker discovery spyware stealer trojan
Link:
https://tria.ge/reports/210817-32j9zjgs6x/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Danabot
Danabot Loader Component
Malware Config
C2 Extraction:
23.229.29.48:443
152.89.247.31:443
192.210.222.81:443
Unpacked files
SH256 hash:
0afd3f920ff5be407c344269f24f67b66e466746a7cb1fb4ef6ed204d98baf39
MD5 hash:
66bc8023c1b3103c71ed6b191e62caf7
SHA1 hash:
d5b5b5c0b9f0a7036e0d9f38777aaa3baa8b2f51
Link:
https://www.unpac.me/results/d163127e-08f0-4b23-86bc-a5e0f20deaf7/
SH256 hash:
b7d423d01cd8650639e51870db62a96fd16fc54cbe8f6161bb1ce5f76f0b0b56
MD5 hash:
fba97f11a20fc998239b600f5f431ee6
SHA1 hash:
31412aa15a1ed55f4022f3e38db3f6210b265dd9
Link:
https://www.unpac.me/results/d163127e-08f0-4b23-86bc-a5e0f20deaf7/
SH256 hash:
396df71a540c8b5101d47c289bd064288ae2e1b53335cc5de2cab2a872ff9ce6
MD5 hash:
cc55b7877737c052e14c380b468d98fe
SHA1 hash:
f90d114e8672caa5ff4e98fb92ad786094450a56
Link:
https://www.unpac.me/results/d163127e-08f0-4b23-86bc-a5e0f20deaf7/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/396df71a540c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/396df71a540c8b5101d47c289bd064288ae2e1b53335cc5de2cab2a872ff9ce6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 396df71a540c8b5101d47c289bd064288ae2e1b53335cc5de2cab2a872ff9ce6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1495647/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1490082/
Cape
Cape
https://www.capesandbox.com/analysis/180112/

Comments