MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44f5331e906dd41bedfa27cda265c62d0afee5a4cc54d18c43bab13367355bb1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	44f5331e906dd41bedfa27cda265c62d0afee5a4cc54d18c43bab13367355bb1
SHA3-384 hash:	417d71d74d43f4abd38a923e0582c945e3af8e371d515c9aa3b0a6e3536d684e267bde2698746a5470f8974a25202320
SHA1 hash:	46ef1d41f5fd7c9601250f2c88f3e7444af38314
MD5 hash:	80b5b9ab063c20e31fe018e04790a2e0
humanhash:	pennsylvania-speaker-kentucky-seventeen
File name:	80b5b9ab063c20e31fe018e04790a2e0.exe
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	1'241'600 bytes
First seen:	2021-08-10 13:54:53 UTC
Last seen:	2021-08-10 15:09:07 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	3808cf5755aac20ce0592be1a9bc0f0d (2 x RaccoonStealer, 1 x ArkeiStealer, 1 x DanaBot)
ssdeep	24576:V6E5R3KVcpLFO7WB0Ul4ErLvZv3b3l6ylYlR7LmiIA:JR3WclabUl4ErLvZP7sgaBLm
Threatray	3'602 similar samples on MalwareBazaar
TLSH	T1F5450231E6A1C034F9B712F895B983B8A52C7FB1576850CF93D5AAEE17202D4AD31387
dhash icon	60e8e8e8aa66a499 (24 x RaccoonStealer, 14 x RedLineStealer, 7 x Smoke Loader)
Reporter	abuse_ch
Tags:	DanaBot exe

Intelligence

File Origin

# of uploads :

# of downloads :

553

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

80b5b9ab063c20e31fe018e04790a2e0.exe

Verdict:

Malicious activity

Analysis date:

2021-08-10 13:57:45 UTC

Tags:

trojan danabot

Link:

https://app.any.run/tasks/3265cfc7-48df-4d66-a892-29b5c67ebe3a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

DanaBot

Link:

https://www.capesandbox.com/analysis/177976/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Enabling the 'hidden' option for recently created files

Launching a process

Creating a process with a hidden window

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/62421335-7713-435d-b4cb-e152f1aa67ba

Result

Threat name:

DanaBot

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/830284

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected DanaBot stealer dll

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/44f5331e906dd41bedfa27cda265c62d0afee5a4cc54d18c43bab13367355bb1/

Threat name:

Win32.Ransomware.Stop

Status:

Malicious

First seen:

2021-08-10 02:44:52 UTC

AV detection:

18 of 28 (64.29%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=it2tghuqnxkbx3p2e7g2ezogfufp5znezrknddcdxkytgzzvloyq._file

Verdict:

unknown

Result

Malware family:

danabot

Score:

10/10

Tags:

family:danabot banker trojan

Link:

https://tria.ge/reports/210810-mvaemvf2gs/

Behaviour

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Loads dropped DLL

Blocklisted process makes network request

Danabot

Danabot Loader Component

Unpacked files

SH256 hash:

ac1b8a84c6fa2132007b1f4baa9449b6d468068610b9f6900332ac342221fcbe

MD5 hash:

b9a8bd9ca486ff5a2f6a2cb374d597e8

SHA1 hash:

b564cc3511ac97752eac4758244f7c25e73cf1ee

Link:

https://www.unpac.me/results/2716f01f-a81e-4e47-8665-d3789f77a8c0/

SH256 hash:

7df47d6dfd48ae4cfd68d382cf159a458411c7aefe752b4dc468901a659a4d2c

MD5 hash:

f10e025e6a1c25997db8c17b1de80b91

SHA1 hash:

a94dc082d223b94a78093d5e44054fd3fb0888f6

Link:

https://www.unpac.me/results/2716f01f-a81e-4e47-8665-d3789f77a8c0/

SH256 hash:

44f5331e906dd41bedfa27cda265c62d0afee5a4cc54d18c43bab13367355bb1

MD5 hash:

80b5b9ab063c20e31fe018e04790a2e0

SHA1 hash:

46ef1d41f5fd7c9601250f2c88f3e7444af38314

Link:

https://www.unpac.me/results/2716f01f-a81e-4e47-8665-d3789f77a8c0/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/44f5331e906dd41bedfa27cda265c62d0afee5a4cc54d18c43bab13367355bb1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

exe 44f5331e906dd41bedfa27cda265c62d0afee5a4cc54d18c43bab13367355bb1

(this sample)

Cape

https://www.capesandbox.com/analysis/177976/

URLhaus

https://urlhaus.abuse.ch/url/1461110/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/1467030/

URLhaus

https://urlhaus.abuse.ch/url/1490082/

URLhaus

https://urlhaus.abuse.ch/url/1495647/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample