MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b735599ef5aac480c58627f4b72af26cfe4b66c9a62ffd93998314ce27e9586. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4b735599ef5aac480c58627f4b72af26cfe4b66c9a62ffd93998314ce27e9586
SHA3-384 hash: 27115e5aab646053ce80347813fe41484a5826f5571d86a60c906ffac19f6702bb3a9a6ba3defca4fa8f31d7dee5e707
SHA1 hash: 5767a0319a6c034d9956ee67f4417899bb563183
MD5 hash: 57b36fc1682e874793dd47a47abf3ccb
humanhash: orange-wolfram-dakota-georgia
File name:57b36fc1682e874793dd47a47abf3ccb
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'093'120 bytes
First seen:2021-09-23 08:16:17 UTC
Last seen:2021-09-23 11:12:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 35a9ffa8a278dd991d1bdc58cc30f2d2 (4 x RedLineStealer, 1 x ArkeiStealer, 1 x CoinMiner)
ssdeep 12288:mTJY37WkTqsqTdj7TP5hmVDLRsEPGsQNhUInk0BSEdZiv54fvtDxvkq5WiMvvoiX:m4bTPy/ThcRIL9IEPiCfFiq5WiCi
Threatray 5'642 similar samples on MalwareBazaar
TLSH T15635232136F1C073C5AB1C388365D1649E7AB532A63A478F7B9AD7396F201C0B76A317
File icon (PE):PE icon
dhash icon 1072c093b0381906 (22 x RedLineStealer, 22 x RaccoonStealer, 20 x Stop)
Reporter zbetcheckin
Tags:32 DanaBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
288
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
57b36fc1682e874793dd47a47abf3ccb
Verdict:
Malicious activity
Analysis date:
2021-09-23 08:16:47 UTC
Tags:
trojan danabot
Link:
https://app.any.run/tasks/cb96450b-a926-4068-bf45-88f2bad0b2ca

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DanaBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/190688/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.22175.3803.UNOFFICIAL
Create hunting rule

Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/61fee610-04c0-4e14-8ce5-127e8dd8deb1
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/856286
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4b735599ef5aac480c58627f4b72af26cfe4b66c9a62ffd93998314ce27e9586/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-09-23 08:17:07 UTC
AV detection:
20 of 45 (44.44%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0dbae723b61eebd1615384950c28b6f11f69967326b6d66d366e926a47e7c199
DanaBot
0fa94fb3399528ee6652f3852baac8c399f267ed82ff74730881400494477a83
DanaBot
247b4e32c0a8a4d4dea1362f22fa214ef5ce234ffba6d34cba720c6b71da61ec
DanaBot
37959fd0b7360fc0aedb35ac28e39aa474e3b36ed4972f600b5db47da19d0bf8
DanaBot
5c3162c36576b287b91705301199e60485f31ab98b4bd11e8ed4445b8131cf08
DanaBot
9c1060f235f5c568ca7461ead6d60926d416d18451b755efd3ab1465681e9d80
DanaBot
ae6ec966a4d2912897da41c2e20296c0cc2ac5b30fd57ee20420bd7212e98042
DanaBot
c70d30eabc072c72aa4c934ec92ea25b0e75c53a006b510e35ad1aefe0892912
DanaBot
cb2244f51a480169293e39a16b104aa14e98543b17b76b3ab5a16640d48d29cc
DanaBot
d37a741c4abb937ef11a2b0536a641db1b50859be5310eb8781bf18bbdd9b9bd
DanaBot
+ 5'632 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot botnet:4 banker discovery spyware stealer trojan
Link:
https://tria.ge/reports/210923-j6pvaabbaq/
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Danabot
Danabot Loader Component
Malware Config
C2 Extraction:
23.254.144.209:443
192.236.194.86:443
142.11.192.232:443
Unpacked files
SH256 hash:
aa6a2342db08f76f9ed20105038a602df0ee286a9d150bd796c150a92352208b
MD5 hash:
59a36ddde47b56804b8f43ad077229a2
SHA1 hash:
7d7233935798a11da979638a93bee397c756673a
Link:
https://www.unpac.me/results/3b42a390-b6df-4035-b5ab-49c8729aecc0/
SH256 hash:
7f7d8eac5b1136ae9edc8a6315f2a97be3fedb0270b70a27f28ab90f27240da8
MD5 hash:
51b8d2b3197d0ecfd5633600c18b77ee
SHA1 hash:
7e65e334814fdecdbb89d946ea288344352fa713
Link:
https://www.unpac.me/results/3b42a390-b6df-4035-b5ab-49c8729aecc0/
SH256 hash:
4b735599ef5aac480c58627f4b72af26cfe4b66c9a62ffd93998314ce27e9586
MD5 hash:
57b36fc1682e874793dd47a47abf3ccb
SHA1 hash:
5767a0319a6c034d9956ee67f4417899bb563183
Link:
https://www.unpac.me/results/3b42a390-b6df-4035-b5ab-49c8729aecc0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4b735599ef5aac480c58627f4b72af26cfe4b66c9a62ffd93998314ce27e9586

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 4b735599ef5aac480c58627f4b72af26cfe4b66c9a62ffd93998314ce27e9586

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1640605/
Cape
Cape
https://www.capesandbox.com/analysis/190688/

Comments


Avatar
zbet commented on 2021-09-23 08:16:18 UTC

url : hxxp://88.99.21.170/root.exe