MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4dbfdae091635ba9e56b2b0c4b25523e5e16e373786cfaa3065e0cea730746fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments 1

SHA256 hash:	4dbfdae091635ba9e56b2b0c4b25523e5e16e373786cfaa3065e0cea730746fb
SHA3-384 hash:	5594ca9c20959ae4ba21fb7c2b897b8ce5418308e59489231bc8db9d24e16cac130aa8d1c1fbbab4a174c6163c2eb32a
SHA1 hash:	88b47e47bdc66a010769d239122203896f4b4c37
MD5 hash:	4886d9d33e6049b84159ee4681c9b712
humanhash:	six-papa-muppet-lemon
File name:	4886d9d33e6049b84159ee4681c9b712
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	1'082'880 bytes
First seen:	2021-08-15 10:45:25 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	cd5c28f44b3cca36a31a3422b8479df9 (2 x Smoke Loader, 1 x DanaBot, 1 x Glupteba)
ssdeep	24576:QQPksNtM85VTdU0p1RuahCI073sawG/2Lo:V8s/z5VTdUC10ahRssawGj
Threatray	3'942 similar samples on MalwareBazaar
TLSH	T1FA3523A03EE1A072CED90D760865C2C9D676717267D059CB7B282BEEBE34B50F935342
dhash icon	4839b2b0e8c38890 (105 x RaccoonStealer, 38 x Smoke Loader, 33 x RedLineStealer)
Reporter	zbetcheckin
Tags:	32 DanaBot exe

Intelligence

File Origin

# of uploads :

# of downloads :

403

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

4886d9d33e6049b84159ee4681c9b712

Verdict:

Malicious activity

Analysis date:

2021-08-15 10:46:24 UTC

Tags:

trojan danabot

Link:

https://app.any.run/tasks/398dcbfc-7aeb-4d45-a8fc-940ec8301770

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

DanaBot

Link:

https://www.capesandbox.com/analysis/179349/

Detection(s):

Win.Malware.Generic-9886305-0

Win.Malware.Generic-9886313-0

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Creating a file

Enabling the 'hidden' option for recently created files

Launching a process

Creating a process with a hidden window

Sending a UDP request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/00a88d21-d6e4-45ed-8b1a-15cab577064a

Result

Threat name:

DanaBot

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/833153

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected DanaBot stealer dll

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4dbfdae091635ba9e56b2b0c4b25523e5e16e373786cfaa3065e0cea730746fb/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-08-15 10:46:05 UTC

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Verdict:

malicious

Result

Malware family:

danabot

Score:

10/10

Tags:

family:danabot banker trojan

Link:

https://tria.ge/reports/210815-pp2anknvw6/

Behaviour

Suspicious use of WriteProcessMemory

Loads dropped DLL

Blocklisted process makes network request

Danabot

Danabot Loader Component

Unpacked files

SH256 hash:

8af95e7b245deede697fbb9081551dd88610dfd72a0cba790c7c382c29f99ccc

MD5 hash:

cfc25f6127c1542eee376a6b9fb0d3d9

SHA1 hash:

cf1c89eba15320765f2b6ebced98edd77ed67a6e

Link:

https://www.unpac.me/results/a0087753-fbbb-45f1-af91-05b83c227115/

SH256 hash:

d3b1d3447b64e8b28c313f6dab02f21b9838c57e0fe3a711bac2f4a0f322860f

MD5 hash:

c12d7daa3b7e314529b7585232f1ad8e

SHA1 hash:

5d2eeb9c40a77f0b75c7867774bb2b39e668962e

Link:

https://www.unpac.me/results/a0087753-fbbb-45f1-af91-05b83c227115/

SH256 hash:

4dbfdae091635ba9e56b2b0c4b25523e5e16e373786cfaa3065e0cea730746fb

MD5 hash:

4886d9d33e6049b84159ee4681c9b712

SHA1 hash:

88b47e47bdc66a010769d239122203896f4b4c37

Link:

https://www.unpac.me/results/a0087753-fbbb-45f1-af91-05b83c227115/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/4dbfdae09163/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4dbfdae091635ba9e56b2b0c4b25523e5e16e373786cfaa3065e0cea730746fb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

exe 4dbfdae091635ba9e56b2b0c4b25523e5e16e373786cfaa3065e0cea730746fb

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/1490082/

URLhaus

https://urlhaus.abuse.ch/url/1495647/

URLhaus

https://urlhaus.abuse.ch/url/1461110/

Cape

https://www.capesandbox.com/analysis/179349/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2021-08-15 10:45:25 UTC

url : hxxp://104.144.69.55/tabhost.exe