MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c1195c5e8de2cc8d71038a024b0e40ed342df5d15ab82a3e2c72c19e723f4de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4c1195c5e8de2cc8d71038a024b0e40ed342df5d15ab82a3e2c72c19e723f4de
SHA3-384 hash: abc94a85b56a9a02bb6cceeb2e50d1e687906504485c219954f7e2c5221c33428957c01b04202568a0d421ae145e84a2
SHA1 hash: cf101cc6cea588ab80ae094aa0fcd4ff068fddd2
MD5 hash: ab3e3b3acfe93b280dc2ebfecdb0e4da
humanhash: three-carolina-mirror-zebra
File name:ab3e3b3acfe93b280dc2ebfecdb0e4da.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'745'920 bytes
First seen:2021-11-26 19:13:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 30633f34504d0e28d8bd0b63cbcfe112 (1 x RedLineStealer, 1 x DanaBot)
ssdeep 49152:Rf1dhj35W1E+Z6NHKt6CvyerZj6See0OmE4R/eAQ:5hjJW1EM6hKt6YjWnE4Rn
Threatray 7'693 similar samples on MalwareBazaar
TLSH T13585333173D3E034D5C92635273A4D54DEA2BF6275E346BA1F5C260B2EA6BF140A1B0B
File icon (PE):PE icon
dhash icon fcfcd4d4d4d4d8c0 (75 x RedLineStealer, 56 x RaccoonStealer, 23 x Smoke Loader)
Reporter abuse_ch
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
478
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ab3e3b3acfe93b280dc2ebfecdb0e4da.exe
Verdict:
Malicious activity
Analysis date:
2021-11-26 19:18:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1d3376fd-421f-4de2-8573-0eb39abf8fbf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file
Enabling the 'hidden' option for recently created files
DNS request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61a131fef36138de3f3fa2a1/reports/cceac896-c0d2-42d0-979d-cde1301b77ae/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dridex
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/914b6520-ed0d-4c2e-8255-79fcf74df844
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/896939
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4c1195c5e8de2cc8d71038a024b0e40ed342df5d15ab82a3e2c72c19e723f4de/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-11-26 19:14:17 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jqizlrpi3ywmrvyqhcqcjmheb3jufx25cwvyfi7cy4wbtzzd6tpa._file
Verdict:
malicious
Similar samples:
11da67d2ec898827753f51e2bd4fc8329a5b29f33bcd1494f996c311bac93e7c
DanaBot
18ae9ea1c1d71b33777c8772248580f17a2bcecf1aa0e8f71ec15d4b33d5253b
DanaBot
4e19a6c2fb2fd245e5c2097ff4d91aa86c4f49aaa4fbdab4cae046e3e02d0e52
DanaBot
8d2fc9db7c9f5dcf80faef24bf99af1a4553007d810981fef4026f3fce02a945
DanaBot
a5437c7d1711d9ef40881b429e3b308c5e3d6b94da15aa1b20f5c64ecbe49848
DanaBot
ba58e003883e6ef7e4e1b5289fc201a8e5eaeec85fe2f3809e68aad8439066ae
DanaBot
c0c908fdb5c67cd4ab56ab911320adaf68e4bc9a230a4a04eaf2cf6ae92443f4
DanaBot
f8f1569945e8adb87cb91509db4129d64a878863a347dbea1b21b70e1a21f973
DanaBot
+ 7'683 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot banker trojan
Link:
https://tria.ge/reports/211126-xxmkfshdg2/
Behaviour
Suspicious use of WriteProcessMemory
Loads dropped DLL
Danabot
Danabot Loader Component
Malware Config
C2 Extraction:
142.11.244.223:443
23.106.122.139:443
Unpacked files
SH256 hash:
88cfcf0adcf87114b9724e1757d6e59a82764c71374d1ffc131534f2cd6bfac6
MD5 hash:
b6308980ae615ca6370cf11c5a9405a7
SHA1 hash:
17b95b4895186dc4e44061249c4850e580b9f8b2
Link:
https://www.unpac.me/results/3dd1f2ad-d47b-4557-a6b2-9c8993edde97/
SH256 hash:
08ab3d670b99955345b47a2da90112e55caa17f843e11a2c16bff8a25daebbff
MD5 hash:
5c07f2d4eb9c803a1759a48a11e03cf6
SHA1 hash:
7ec35ab365989f46abf3145b871a2a0ed67ff7ee
Link:
https://www.unpac.me/results/3dd1f2ad-d47b-4557-a6b2-9c8993edde97/
SH256 hash:
4c1195c5e8de2cc8d71038a024b0e40ed342df5d15ab82a3e2c72c19e723f4de
MD5 hash:
ab3e3b3acfe93b280dc2ebfecdb0e4da
SHA1 hash:
cf101cc6cea588ab80ae094aa0fcd4ff068fddd2
Link:
https://www.unpac.me/results/3dd1f2ad-d47b-4557-a6b2-9c8993edde97/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4c1195c5e8de2cc8d71038a024b0e40ed342df5d15ab82a3e2c72c19e723f4de

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 4c1195c5e8de2cc8d71038a024b0e40ed342df5d15ab82a3e2c72c19e723f4de

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1772785/
  
Delivery method
Distributed via web download

Comments