MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a22c0f9ba13ab18950c865a0d164a9840359712c76501e5f64f54e740441a79. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4a22c0f9ba13ab18950c865a0d164a9840359712c76501e5f64f54e740441a79
SHA3-384 hash: 66a8ba45f43b7e0580902a8045be995a745cf6d7b117f5c67a67c8924f544ddc5c8d250666a7be3834fc2a0359ce485b
SHA1 hash: 0341e47456e2b1f6e59f6e82de18a23d810d6eb1
MD5 hash: c9aa90525dae9738fdd2e72d15fa7533
humanhash: football-mirror-queen-july
File name:c9aa90525dae9738fdd2e72d15fa7533.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'267'200 bytes
First seen:2021-10-10 11:50:56 UTC
Last seen:2021-10-10 13:01:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 44bdf7acf59eb6dc6851df2a6e018dc9 (2 x RedLineStealer, 2 x ArkeiStealer, 1 x Stop)
ssdeep 24576:8OyyUMxRHOsOWrGiahHi1FQoCdES1othxjl7Y0Art1v4:8OMMxtOs3SHhi3R8ESixjl7Yh
Threatray 6'276 similar samples on MalwareBazaar
TLSH T1F345120062A1C035F2F716B8867693A96D293EE1EB6444CF62D52BEE4635BE0FD30707
File icon (PE):PE icon
dhash icon 9824e790e4e72158 (9 x Stop, 7 x RedLineStealer, 5 x Smoke Loader)
Reporter abuse_ch
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
295
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c9aa90525dae9738fdd2e72d15fa7533.exe
Verdict:
Malicious activity
Analysis date:
2021-10-10 11:54:31 UTC
Tags:
trojan danabot
Link:
https://app.any.run/tasks/d0a33e5d-5e43-4ac6-bc40-7bc9903e580c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DanaBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/196378/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop18.43342.19885.22608.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Enabling the 'hidden' option for recently created files
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6162d3ad3831960005b2b7af/reports/4f02fd15-c45a-4aff-b82b-daaaceeb02ba/overview
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4a22c0f9ba13ab18950c865a0d164a9840359712c76501e5f64f54e740441a79/
Threat name:
Win32.Ransomware.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-10-10 11:51:07 UTC
AV detection:
18 of 45 (40.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jirmb6n2covrrfimqzna2fsktbadlfysy5sqdzpwj5kooqcedj4q._file
Verdict:
malicious
Similar samples:
0345531c814ad62c6c2c73de6fc6e540974fa5ddba3dcbeaa9a7850ad7929a76
DanaBot
16c3ce2453189f69668a590fc5f37a192abeb70d04d6aac5d6e7fbc793bf9f1b
DanaBot
1ab4626c0f91392f958aabda6a752040da109567af3b34fbd0ddd62c616e3417
DanaBot
1c94046bb5594620da42643328011854ddc455c8eca7973a188acd5fbec27655
DanaBot
352fbd110c3d2313476efa21b9abf831cc99369781c9789514f13e3d1dbd319f
DanaBot
42e22bf3a9630d312d795db190f16cb7f0d3b51b9903695ed678dfc190240345
DanaBot
4f4432ad4cc8c5d43dd2fe135717bdd65f417f91ada36cee4ae8f9af0269f8cb
DanaBot
7bf358e7bffe42b707987d1e14465a5fd91fb4468b8bb5cc2bda2fd95ef801d1
DanaBot
84dcb2e1236f428d52bd4cb3f5d5e7a6c79d44778858012b746c1658b1a844fd
DanaBot
aa45891e05a5365976defde1926bcf667f207b61af7cc455a1b7e1bd5fabba05
DanaBot
+ 6'266 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot botnet:4 banker collection discovery spyware stealer trojan
Link:
https://tria.ge/reports/211010-nz6xfafhaj/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Danabot
Danabot Loader Component
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
192.119.110.73:443
142.11.242.31:443
192.210.222.88:443
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4a22c0f9ba13ab18950c865a0d164a9840359712c76501e5f64f54e740441a79

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 4a22c0f9ba13ab18950c865a0d164a9840359712c76501e5f64f54e740441a79

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1660814/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1640605/
Cape
Cape
https://www.capesandbox.com/analysis/196378/

Comments