MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 423d9cfa5ac46d2ebb867f1b51dc844f4b823c4404c82b16ba611a1032040bf8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 423d9cfa5ac46d2ebb867f1b51dc844f4b823c4404c82b16ba611a1032040bf8
SHA3-384 hash: f8550eb860a9ec430cb7dbd1698d182583f370c28718058c18ce89ef545cca23949c2534698af39d4f833b0566ca0242
SHA1 hash: 3ab2c92ee7f00e03e267d7899227bed3f9010834
MD5 hash: bb874cb4d90e2708e614bd89ca7df3fd
humanhash: shade-carbon-equal-berlin
File name:bb874cb4d90e2708e614bd89ca7df3fd.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'184'256 bytes
First seen:2021-08-25 15:27:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 535d66f0a9f5169be6dcc4e55997b651 (2 x Smoke Loader, 1 x DanaBot)
ssdeep 24576:hJEjs8qjMhtRZMeLOl8Yy7GZoCFvrTh6v326TQv:0s8TMYOXOGiCFvrT4+j
Threatray 257 similar samples on MalwareBazaar
TLSH T182450230AA91C035F4E306F855BA4278B43E7AB1AB3491CB93D526EE17386E5EC31747
dhash icon ead8ac9cc6e68ee0 (118 x RaccoonStealer, 102 x RedLineStealer, 46 x Smoke Loader)
Reporter abuse_ch
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'267
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bb874cb4d90e2708e614bd89ca7df3fd.exe
Verdict:
Malicious activity
Analysis date:
2021-08-25 15:29:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a4d33e69-b7fc-493c-bc1c-8bebda20af90

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/182355/
Detection(s):
Win.Packed.Generic-9888421-0
Create hunting rule

Win.Packed.Generic-9888435-0
Create hunting rule

Win.Packed.Generic-9888452-0
Create hunting rule

Win.Malware.Generic-9888454-0
Create hunting rule

Win.Packed.Generic-9888502-0
Create hunting rule

Win.Packed.Generic-9888526-0
Create hunting rule

Win.Packed.Generic-9888527-0
Create hunting rule

Win.Dropper.Fragtor-9888544-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Enabling the 'hidden' option for recently created files
Sending a UDP request
Launching a process
Creating a process with a hidden window
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ef37a3eb-c8b1-46c1-b35a-9d796dbce78f
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
bank.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/839198
Signature
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Enables a proxy for the internet explorer
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sets a proxy for the internet explorer
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 471631 Sample: wAUFbseSEF.exe Startdate: 25/08/2021 Architecture: WINDOWS Score: 100 41 localhost 2->41 43 8.8.8.8.in-addr.arpa 2->43 49 Found malware configuration 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 Yara detected DanaBot stealer dll 2->53 55 4 other signatures 2->55 10 wAUFbseSEF.exe 1 2->10         started        signatures3 process4 file5 39 C:\Users\user\Desktop\WAUFBS~1.EXE.dll, PE32 10->39 dropped 65 Detected unpacking (changes PE section rights) 10->65 14 rundll32.exe 2 10->14         started        signatures6 process7 dnsIp8 47 23.229.29.48, 443, 49711, 49720 SERVER-MANIACA Canada 14->47 67 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->67 69 Bypasses PowerShell execution policy 14->69 71 Adds a directory exclusion to Windows Defender 14->71 18 rundll32.exe 10 22 14->18         started        23 WerFault.exe 23 9 14->23         started        signatures9 process10 dnsIp11 45 127.0.0.1 unknown unknown 18->45 37 C:\Users\user\AppData\...\tmp484A.tmp.ps1, ASCII 18->37 dropped 57 System process connects to network (likely due to code injection or exploit) 18->57 59 Tries to harvest and steal browser information (history, passwords, etc) 18->59 61 Sets a proxy for the internet explorer 18->61 63 2 other signatures 18->63 25 powershell.exe 25 18->25         started        27 powershell.exe 18->27         started        29 powershell.exe 18->29         started        file12 signatures13 process14 process15 31 conhost.exe 25->31         started        33 conhost.exe 27->33         started        35 conhost.exe 29->35         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/423d9cfa5ac46d2ebb867f1b51dc844f4b823c4404c82b16ba611a1032040bf8/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-08-25 15:28:12 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ii6zz6s2yrws5o4gp4nvdxeej5fyepceatecwfv2menbamqebp4a._file
Verdict:
malicious
Similar samples:
053542bbd9ab3b0436469e6d6ae5ff0b72e55f882a08e23d8ab481e1357d9528
DanaBot
549d8c5e666fe53f6f368df5cd76424bca7ae9f8c07684e2ff19be04fb1815d1
DanaBot
58dd074be5e51ca44f0c67ed712b3bb7a1afe1723adccdf3491636fef7cf1a2d
DanaBot
987f20ff829ea4c324d87ca9b55860111b827d0fdb01499bb704074d9d220016
DanaBot
bdd0c7cbefda7e06ae77b73b86f97ce92ec35be89de53681f6aa9c8b6f1467d0
DanaBot
c252d146aa7c269b0db0a7c05f094da93234e6ace6ad52bd33860edd4127b6eb
DanaBot
caeba1910c89f2122e91e962d96987421b822487681d549bcf9d3118d1b87bb4
DanaBot
df03220ee207a1be64e9f25b74a78684ecd00fd75dd3e44e38e2b1678060e8be
DanaBot
e83e6702c3b59f275981161db3eabdb589051a4d36ad2d74c34a8fc45cb31a30
DanaBot
f43c76a153e03551456a21ebd15a07017fbabd51a1080752ddb5241f9d599782
DanaBot
+ 247 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot banker discovery trojan
Link:
https://tria.ge/reports/210825-2tmpnpe5y2/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Checks installed software on the system
Loads dropped DLL
Blocklisted process makes network request
Danabot
Danabot Loader Component
Unpacked files
SH256 hash:
8f6802dc5d35818387bf66a17ad87d73832c8b7a7df3b53848a582c5c6e7c0e0
MD5 hash:
6a0ad58ae0e56989e69b26e134794da6
SHA1 hash:
17fb65ce5ee59a899714acc148594bce2e74b3a7
Link:
https://www.unpac.me/results/f7506e65-66d8-4ee4-a449-02e26a52a1e5/
SH256 hash:
cd4da813da570cc5bcce96fd2a77cee24803147bd80274c5a238e997f18f49d9
MD5 hash:
42efd6c1eb44f37afed8981abf30f11e
SHA1 hash:
1f6db0b291cb3a3f5081e87b9ed55d43b0865367
Link:
https://www.unpac.me/results/f7506e65-66d8-4ee4-a449-02e26a52a1e5/
SH256 hash:
423d9cfa5ac46d2ebb867f1b51dc844f4b823c4404c82b16ba611a1032040bf8
MD5 hash:
bb874cb4d90e2708e614bd89ca7df3fd
SHA1 hash:
3ab2c92ee7f00e03e267d7899227bed3f9010834
Link:
https://www.unpac.me/results/f7506e65-66d8-4ee4-a449-02e26a52a1e5/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/423d9cfa5ac4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/423d9cfa5ac46d2ebb867f1b51dc844f4b823c4404c82b16ba611a1032040bf8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 423d9cfa5ac46d2ebb867f1b51dc844f4b823c4404c82b16ba611a1032040bf8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1552888/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1495647/
  
URLhaus
https://urlhaus.abuse.ch/url/1490082/
Cape
Cape
https://www.capesandbox.com/analysis/182355/

Comments