MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b44d2ea5d9c58321bd71a37c657d2b9d9f559db6d2b768d0b265b2c1a22070c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3b44d2ea5d9c58321bd71a37c657d2b9d9f559db6d2b768d0b265b2c1a22070c
SHA3-384 hash: 72893016d36202f1dd250aab6d9f557f74c4db501414858f2acd808aa99d9f61d445b44c5480310cbc2bd73eae7b2909
SHA1 hash: 0043699d452caf333cf2eb5e3cc1198ee4754b33
MD5 hash: 4db7eb28029846ea78925a192dd837ae
humanhash: vermont-bulldog-beer-jersey
File name:4db7eb28029846ea78925a192dd837ae
Download: download sample
Signature DanaBot
Create hunting rule
File size:6'250'343 bytes
First seen:2021-10-10 17:42:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 98304:gZv7yvip4uvN6rsx86wx40k7l9nrEk0OtIksy7KyncYAm1HW2ggnz+r+bWLxHi6l:g0usrXD4dR9Ak0OakzFAm1HdnyVYq5
Threatray 6'198 similar samples on MalwareBazaar
TLSH T1445633C3A7BD9032E6271FBC9835EC924B763D2BDC31565E1507206D13B89A0A13AF93
File icon (PE):PE icon
dhash icon a2a28e968a8e8e00 (3 x DanaBot)
Reporter zbetcheckin
Tags:32 DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
359
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4db7eb28029846ea78925a192dd837ae
Verdict:
No threats detected
Analysis date:
2021-10-10 17:43:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fb840079-8031-4b56-a362-16241099dca4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/196408/
Detection(s):
Win.Packed.Filerepmalware-9864117-0
Create hunting rule

Win.Packed.Stop-9872858-0
Create hunting rule

Win.Packed.Doina-9886276-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a file in the Program Files subdirectories
Deleting a recently created file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cobra overlay packed razy virus
Link:
https://www.filescan.io/uploads/616326281c2d58ba74fff638/reports/79c60c92-6b55-42e7-85db-704690e1f608/overview
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3b44d2ea5d9c58321bd71a37c657d2b9d9f559db6d2b768d0b265b2c1a22070c/
Threat name:
Win32.Trojan.SelfDel
Create hunting rule
Status:
Malicious
First seen:
2021-10-10 17:43:06 UTC
AV detection:
20 of 27 (74.07%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0822897c3336073faf73fa391193ea15f55de51aa36d63433a9e794127c34576
DanaBot
131d6fb9204ceda508075afce9b9b65e429952674e914d224268deb319a0aab1
DanaBot
5096923b747f0cc35c156149f19587b53d62a111835ba0e0438b0c2ffbec2224
DanaBot
81f9e755ba26058922c5fdb70ead4d6d36c65e95d3bc59a44112c0dd1f928b0e
DanaBot
9c183327a52687e89969b39d6e099f239161ce9876af0f8da666eb5e55c238c3
DanaBot
aa88fc6977bf02c959ffa6865b99eeee8c1735001f824d1bbcc4ff01d93fbb74
DanaBot
b0884a21366325f9e9242b357e7f3d5acf63b7b38e02988e1c1f3454230b5877
DanaBot
e13fb6156b386d9cea3a46c3835a97636ad0eeddda3b354f86f19915721638fc
DanaBot
e917d16aa3c2d421903d598a6c993da5e76ea3e393e460af5c8d6388a3c3c95f
DanaBot
f83b0cd39202e7040eae66dac5444eff5f9d878e3bb778613f1525aba2e3c5de
DanaBot
+ 6'188 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot botnet:4 banker collection discovery evasion spyware stealer themida trojan
Link:
https://tria.ge/reports/211010-waklxagafp/
Behaviour
Checks processor information in registry
Modifies registry class
Modifies system certificate store
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Danabot
Danabot Loader Component
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
192.119.110.73:443
142.11.242.31:443
192.210.222.88:443
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3b44d2ea5d9c58321bd71a37c657d2b9d9f559db6d2b768d0b265b2c1a22070c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 3b44d2ea5d9c58321bd71a37c657d2b9d9f559db6d2b768d0b265b2c1a22070c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1663350/
Cape
Cape
https://www.capesandbox.com/analysis/196408/

Comments


Avatar
zbet commented on 2021-10-10 17:43:00 UTC

url : hxxp://minets10.top/download.php?file=lv.exe