MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4736d24aa94d36bbcce3e251bb39cde25e85440460fba55b4ae959fced09557e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4736d24aa94d36bbcce3e251bb39cde25e85440460fba55b4ae959fced09557e
SHA3-384 hash: 08145607cba3cd51306118ce127886e70e170e8c0edbd028040614c63340d52442df83392ce53975542fa7d3f01140e6
SHA1 hash: d7ebf67c32c5f61f73902206bbc770b1e9088b38
MD5 hash: 6ab90e18ff874ea42ede213f7c09da53
humanhash: magnesium-delaware-zebra-sixteen
File name:data.bin
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'550'000 bytes
First seen:2021-08-13 17:57:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 170a50a693c505cd6e1ebe09654b0d5e (1 x DanaBot)
ssdeep 24576:NiefPX096ZbBI9a2V/YZTShjCfAFJcNsF5KiIBuZ0vbFaiLWsqPACEoGgt:Ieff+689a2V/YhYjuAFigOBuZ0jwqWAs
Threatray 3'797 similar samples on MalwareBazaar
TLSH T141759F46FD2F12A4E1A403B7799431EBCF5B0DA80995A5ED7F9DB20CF7B2724442BA10
dhash icon f2cbe3cbf9d4e6f7 (1 x DanaBot)
Reporter Anonymous
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
398
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/179065/
Detection(s):
PUA.Win.Packer.Pequake-4
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/efa8cdcb-6705-4e0a-ad62-3e427c7a1e19
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/832609
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 465035 Sample: data.bin Startdate: 13/08/2021 Architecture: WINDOWS Score: 48 28 Multi AV Scanner detection for submitted file 2->28 7 loaddll32.exe 1 2->7         started        process3 process4 9 iexplore.exe 1 75 7->9         started        11 cmd.exe 1 7->11         started        13 regsvr32.exe 7->13         started        15 4 other processes 7->15 process5 17 iexplore.exe 104 9->17         started        20 rundll32.exe 11->20         started        dnsIp6 22 dart.l.doubleclick.net 216.58.215.230, 443 GOOGLEUS United States 17->22 24 geolocation.onetrust.com 104.20.185.68, 443, 49734, 49735 CLOUDFLARENETUS United States 17->24 26 8 other IPs or domains 17->26
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4736d24aa94d36bbcce3e251bb39cde25e85440460fba55b4ae959fced09557e/
Threat name:
Win32.Worm.Cridex
Create hunting rule
Status:
Malicious
First seen:
2021-08-13 17:58:06 UTC
AV detection:
7 of 46 (15.22%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
053542bbd9ab3b0436469e6d6ae5ff0b72e55f882a08e23d8ab481e1357d9528
DanaBot
23d57a913a8c60630d1f26d5f7eba55d8437d7595f562b1dd81b2ebc8d69751c
DanaBot
58dd074be5e51ca44f0c67ed712b3bb7a1afe1723adccdf3491636fef7cf1a2d
DanaBot
68ebca16a59d6ddc022472a4c4d68f8f6491c70737fddf1723ef36f11d8eb043
DanaBot
750e38bbaba907ed33434c5a10119773f1d73dba4d6c624d16bc1bc2dfacac46
DanaBot
967e08d85b9639892fd4bf4ab2d3e6fc7dcd4afe22326e4114df182c8b0a9b5e
DanaBot
b201c8657c45c97a017d357f7542d2786fac1e9cde1a4ce8c5c2021f52e83540
DanaBot
c252d146aa7c269b0db0a7c05f094da93234e6ace6ad52bd33860edd4127b6eb
DanaBot
e83e6702c3b59f275981161db3eabdb589051a4d36ad2d74c34a8fc45cb31a30
DanaBot
f5fe7311025d620bccb08dcfb69f03c71620351b35ea8635b798ffc62374423a
DanaBot
+ 3'787 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot botnet:11 banker discovery spyware stealer trojan
Link:
https://tria.ge/reports/210813-daddh8bh2x/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks installed software on the system
Reads user/profile data of web browsers
Blocklisted process makes network request
Danabot
Danabot Loader Component
Malware Config
C2 Extraction:
34.129.5.173:443
35.226.27.224:443
178.62.118.134:443
Unpacked files
SH256 hash:
6a772c97478691efd5d9e118abb003067dd0042df373c2ce5643bc577e116487
MD5 hash:
a79b259c39056ecec52c784091ffec73
SHA1 hash:
c7d3ec6eeb5f5df0282de2f081bc18cbfcacb754
Link:
https://www.unpac.me/results/b36851ea-2790-474c-81e1-5a66842a0252/
SH256 hash:
4736d24aa94d36bbcce3e251bb39cde25e85440460fba55b4ae959fced09557e
MD5 hash:
6ab90e18ff874ea42ede213f7c09da53
SHA1 hash:
d7ebf67c32c5f61f73902206bbc770b1e9088b38
Link:
https://www.unpac.me/results/b36851ea-2790-474c-81e1-5a66842a0252/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.30
Link:
https://yomi.yoroi.company/submissions/4736d24aa94d36bbcce3e251bb39cde25e85440460fba55b4ae959fced09557e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

DanaBot

Visual Basic Script (vbs) vbs c25a7c797e53ef7d11dbe967be584e33dc9c46d6ee460df2c12d255dc8aaefe8

DanaBot

Executable exe 4736d24aa94d36bbcce3e251bb39cde25e85440460fba55b4ae959fced09557e

(this sample)

anyrun
any.run
https://app.any.run/tasks/b4823ceb-1d15-4c15-b3c9-00aa6153ccee
  
Dropped by
SHA256 c25a7c797e53ef7d11dbe967be584e33dc9c46d6ee460df2c12d255dc8aaefe8
Cape
Cape
https://www.capesandbox.com/analysis/179065/

Comments