MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e97c34bc866c9e70fca69b0375d14534d98bccfaae683924a08328c75ab5416. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 10

Intelligence 10 IOCs 1 YARA File information Comments

SHA256 hash:	4e97c34bc866c9e70fca69b0375d14534d98bccfaae683924a08328c75ab5416
SHA3-384 hash:	8334d9517d0d5564b36f30be1ac1a430c0bc17d2f4dc2f55c6c25fd40ac72bee9aa2e843a642d6fb2ff145d949298280
SHA1 hash:	4daec4a1d9d3bf14aab19956647433a102c8536c
MD5 hash:	909d4308fa17d05c0caa862dabe708eb
humanhash:	speaker-delaware-xray-hydrogen
File name:	909d4308fa17d05c0caa862dabe708eb.exe
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	1'124'864 bytes
First seen:	2022-03-07 08:50:35 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e3a468e33131e43ff6cb0ed3ba60251f (2 x DanaBot, 2 x Stop, 1 x Gozi)
ssdeep	24576:le/TLuqZ7G2NhnCdiXt1f5Mk0kRMR1OOPMp4y8LmUrKrt/4GQzrTQFU:gNZ7dNp1Lx3M3PM0ZrKrtQGQz4
TLSH	T1E1350210A710D039E5F706F85ABAA369762E7FE0AB2460CF63C426EE52355D5EC3031B
File icon (PE):
dhash icon	25ac1370319b9b91 (23 x Amadey, 14 x Smoke Loader, 9 x Tofsee)
Reporter	abuse_ch
Tags:	DanaBot exe

abuse_ch

DanaBot C2:
23.254.201.147:443

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
23.254.201.147:443	https://threatfox.abuse.ch/ioc/392763/

Intelligence

File Origin

# of uploads :

# of downloads :

546

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/247800/

Detection(s):

Win.Dropper.Generickdz-9939781-0

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Creating a window

Launching a process

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %temp% directory

Сreating synchronization primitives

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/8447/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

CPUID_Instruction

CheckCmdLine

EvasionGetTickCount

EvasionQueryPerformanceCounter

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

DanaBot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ceb8c9be-dca7-47f1-80f7-d5cda0ecfe1e

Result

Threat name:

DanaBot

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/951638

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected DanaBot stealer dll

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4e97c34bc866c9e70fca69b0375d14534d98bccfaae683924a08328c75ab5416/

Threat name:

Win32.Trojan.DanaBot

Status:

Malicious

First seen:

2022-03-07 08:51:11 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 27 (77.78%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=j2l4gs6im3e6od6kngydoxiukngzrpgpvltiheskbaziy5nlkqla._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/220307-kr6d6accd7/

Behaviour

Checks processor information in registry

Suspicious use of WriteProcessMemory

Program crash

Blocklisted process makes network request

Unpacked files

SH256 hash:

4fe29e7d9106ffef85a4aec3cd18e8142e53ccd0d3bd2cafa42c398dc8c3e211

MD5 hash:

aebeb194dea2bab72853357164aff3f5

SHA1 hash:

1a4c8cc0c68a99683370ed1d7a14f5b8000b8875

Link:

https://www.unpac.me/results/98c7a82b-c68c-408a-9c47-d46564c6c16f/

SH256 hash:

4e97c34bc866c9e70fca69b0375d14534d98bccfaae683924a08328c75ab5416

MD5 hash:

909d4308fa17d05c0caa862dabe708eb

SHA1 hash:

4daec4a1d9d3bf14aab19956647433a102c8536c

Link:

https://www.unpac.me/results/98c7a82b-c68c-408a-9c47-d46564c6c16f/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/4e97c34bc866/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4e97c34bc866c9e70fca69b0375d14534d98bccfaae683924a08328c75ab5416

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

exe 4e97c34bc866c9e70fca69b0375d14534d98bccfaae683924a08328c75ab5416

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2078748/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/247800/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample