MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4211d050b1ddd3aa251ebe2abff1d9983d3054a1b8a8748e6bc7d518b75dffc4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4211d050b1ddd3aa251ebe2abff1d9983d3054a1b8a8748e6bc7d518b75dffc4
SHA3-384 hash: 1fc2e99103edfe31014c8c20ebdb7725b31c4d469de31f0c49692b05336ad4b17b868df3d9a116b5588298a689075af8
SHA1 hash: 312136167227c9e193e2d955cba4d6c584b1c079
MD5 hash: 818b19e4d6f7b2a5be69f8187d21f767
humanhash: single-nuts-batman-pizza
File name:818b19e4d6f7b2a5be69f8187d21f767
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'241'088 bytes
First seen:2021-10-09 13:05:50 UTC
Last seen:2021-10-09 13:48:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 00fd8f9df5011cab2288218d305583b5 (2 x DanaBot, 1 x Smoke Loader, 1 x CryptBot)
ssdeep 24576:ixXxF8FdIowafze8NgdvZ1+piaEi78HQj4KvVGhMQ3Vb0Bj:mkFTO3P+waf8e4Kv4yQ3V
TLSH T11D450214BBA0D039F5FF96B4497A8268E82E79A16B3494CB63F016DD4739AC1DC38347
File icon (PE):PE icon
dhash icon 9824e790c4e72158 (31 x RedLineStealer, 18 x Smoke Loader, 16 x ArkeiStealer)
Reporter zbetcheckin
Tags:32 DanaBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
359
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
818b19e4d6f7b2a5be69f8187d21f767
Verdict:
Malicious activity
Analysis date:
2021-10-09 13:08:21 UTC
Tags:
trojan danabot
Link:
https://app.any.run/tasks/9c0e8113-be94-42a0-85c0-1a3f5d167c09

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/196295/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.31678.2991.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file
Enabling the 'hidden' option for recently created files
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
azorult greyware packed
Link:
https://www.filescan.io/uploads/616193c5bed58a3c109f5c1f/reports/8efc6dd7-c723-4835-a434-38dc7186f052/overview
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4211d050b1ddd3aa251ebe2abff1d9983d3054a1b8a8748e6bc7d518b75dffc4/
Threat name:
Win32.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-10-09 12:07:31 UTC
AV detection:
14 of 27 (51.85%)
Threat level:
  1/5
Verdict:
malicious
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot banker trojan
Link:
https://tria.ge/reports/211009-qb5etafbg6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Loads dropped DLL
Blocklisted process makes network request
Danabot
Danabot Loader Component
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
142.11.242.31:443
192.119.110.73:443
192.210.222.88:443
Unpacked files
SH256 hash:
038e807e2d59ae393f56c96c938fd3e11202ae8932f0b28b340c63d1eff9d218
MD5 hash:
304418d2e56c9452c00da0368bd050ce
SHA1 hash:
6b3f823ffb351aae027caad9378e6c15eeb46b61
Link:
https://www.unpac.me/results/1f39f85f-3f9c-435e-953f-b93365197583/
SH256 hash:
4211d050b1ddd3aa251ebe2abff1d9983d3054a1b8a8748e6bc7d518b75dffc4
MD5 hash:
818b19e4d6f7b2a5be69f8187d21f767
SHA1 hash:
312136167227c9e193e2d955cba4d6c584b1c079
Link:
https://www.unpac.me/results/1f39f85f-3f9c-435e-953f-b93365197583/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/4211d050b1dd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4211d050b1ddd3aa251ebe2abff1d9983d3054a1b8a8748e6bc7d518b75dffc4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 4211d050b1ddd3aa251ebe2abff1d9983d3054a1b8a8748e6bc7d518b75dffc4

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1660814/
  
URLhaus
https://urlhaus.abuse.ch/url/1640605/
Cape
Cape
https://www.capesandbox.com/analysis/196295/

Comments


Avatar
zbet commented on 2021-10-09 13:05:51 UTC

url : hxxp://88.99.21.170/root.exe