MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a79f527d403fdfec5bf88068a5ac86494395d0b735ac27741a4ff78b2434a55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4a79f527d403fdfec5bf88068a5ac86494395d0b735ac27741a4ff78b2434a55
SHA3-384 hash: 13e8154e34a1633a658c8f760805db0b73883948dd59e10f3cd9bf05d9f69162161cf2f1be2aaaffe8ec12a804586841
SHA1 hash: 02d44d08a6c50caf6845ad03800cc4fef94a7632
MD5 hash: 0a64e03ff620d96629ef1e9d123f8a71
humanhash: double-mexico-island-mirror
File name:att.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'167'872 bytes
First seen:2021-06-16 13:12:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f15a946d6e0659432dc9b8c464554438 (5 x RedLineStealer, 3 x Smoke Loader, 1 x Glupteba)
ssdeep 24576:GMFslRR8kcGDrg3WdwKtPisfCiz2V07+ZvVFA1y2Zg:AlxcGDr2i+YjD+Zgc
Threatray 2'006 similar samples on MalwareBazaar
TLSH 40451210F760C430F0B612F41AB593B9A62D3AF1AB7890CF52D52BEA47386E4AD31757
Reporter 0x746f6d6669
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
254
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
att.exe
Verdict:
Malicious activity
Analysis date:
2021-06-16 13:35:59 UTC
Tags:
trojan danabot
Link:
https://app.any.run/tasks/146bd8ac-2227-4c0c-a2d2-00c78a35b6a3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.4183.28879.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file
Enabling the 'hidden' option for recently created files
Launching a process
Creating a process with a hidden window
Modifying an executable file
Enabling the 'hidden' option for analyzed file
Sending a custom TCP request
Creating a file in the Program Files subdirectories
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5dfeb9e4-cfab-461d-a866-4f204071af8b
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/803113
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4a79f527d403fdfec5bf88068a5ac86494395d0b735ac27741a4ff78b2434a55/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-06-16 13:12:20 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jj47kj6uap675rn7radiuwwimskdsxilonnme52but7xrmsdjjkq._file
Verdict:
malicious
Similar samples:
08bb07f4182f8cc6c6460af9f9e268e0fb6323a2227388c42d06d801201f767d
DanaBot
12aa781dbb20df22ed7d20b94a0c30d93ff44a875cee7c028cdccfa3eab9e57d
DanaBot
26e4bbe3bdc2deb3142b952094d6bd3bb27ee0217d7a9b735a0cc2bbdf6bd9b4
DanaBot
2f780fc849c91fb3552908c9047e69cb5016ef154e6ca87ca412d79079eae85c
DanaBot
5f8bbd5b165b49e1cadf31a88eb1d0e714c60f77ae81da2e727dd4ca99e80aec
DanaBot
aca06c84c79542c68aee34141e53d43e865d9d0cce2fab122270cf7c230dca77
DanaBot
b09f5ec9ca1a298cc48df6e146d6e1a8312123a04f5434c675ce94e54295446f
DanaBot
cd59f70eea8a47b46a830960b6dec4113835b44364d404ee4cd1b750964233c2
DanaBot
eb2f15018cb74ad0c97044c7687df83445d45d6752104b0cbc9fad9ed22813be
DanaBot
f279bd873b230e7a9743fd03d89b9dcee87d8f29152e234c8478bd578807ec74
DanaBot
+ 1'996 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/210616-cn9bjm391a/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Unpacked files
SH256 hash:
6d1d4ebda4bc17eb60fdd232a84dc599a345b394717be9314b8e61275ab3b800
MD5 hash:
024a47965b02eb51f86deeb23e60eaef
SHA1 hash:
58d3bb6ca300a95d359153829609e3136605dc39
Link:
https://www.unpac.me/results/282de9a1-0442-4d68-9dfc-e9146fdc5cb4/
SH256 hash:
f97e7a641b0e3ee84437b8c1ad6cfc344f7afb08c3a5c5ecdf34da2f4c739f51
MD5 hash:
26ec9b25c06ffe630b85369c120e8893
SHA1 hash:
e65ed6a9530fcc4dc0b93736be48bf3c4390e3c7
Link:
https://www.unpac.me/results/282de9a1-0442-4d68-9dfc-e9146fdc5cb4/
SH256 hash:
4a79f527d403fdfec5bf88068a5ac86494395d0b735ac27741a4ff78b2434a55
MD5 hash:
0a64e03ff620d96629ef1e9d123f8a71
SHA1 hash:
02d44d08a6c50caf6845ad03800cc4fef94a7632
Link:
https://www.unpac.me/results/282de9a1-0442-4d68-9dfc-e9146fdc5cb4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4a79f527d403fdfec5bf88068a5ac86494395d0b735ac27741a4ff78b2434a55

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 4a79f527d403fdfec5bf88068a5ac86494395d0b735ac27741a4ff78b2434a55

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1338483/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1271412/

Comments