MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f0925a84a5c9624ef8f734239ee56188ba9341d48dc0f07db902e59743a4590. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	4f0925a84a5c9624ef8f734239ee56188ba9341d48dc0f07db902e59743a4590
SHA3-384 hash:	3724a111f6bd2d11e9282d2fa080d3a94ab91ea020cf2c4eaa02476e9581b154cd14aa43b061dfbfd3ddf436df97760f
SHA1 hash:	f8a9a83c4d77b13d08d203997c5df167d0290261
MD5 hash:	426a8ae17ab047f1ce5313bf1f422fc3
humanhash:	kansas-six-nebraska-oregon
File name:	file
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	2'029'056 bytes
First seen:	2023-10-16 12:08:33 UTC
Last seen:	2023-10-22 16:45:58 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	c798cbda6be5cb72de211b06e2aa47af (1 x DanaBot)
ssdeep	49152:9ZHrxCcxEnA8HTeKt8093ysCTKvcXoQQq:r9eAoegIa
Threatray	32 similar samples on MalwareBazaar
TLSH	T1A295123A37E88071D1B7D17DC692E717EAB27815473162CF0BD19A7A1F26AD0E238706
TrID	74.9% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 11.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 4.0% (.EXE) Win64 Executable (generic) (10523/12/4) 2.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 1.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	andretavare5
Tags:	DanaBot exe

andretavare5

Sample downloaded from https://vk.com/doc52355237_666996605?hash=PNaesDGQ4R6AKoGdDZUjjpHtlAembfkrIEXUcgZpggo&dl=eHRRS6SLcD7p4MKAIY3H2KyzLC0zVRehkWngpDejN8H&api=1&no_preview=1#big

Intelligence

File Origin

# of uploads :

# of downloads :

370

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/454858/

Detection(s):

SecuriteInfo.com.Win32.MalwareX-gen.17933.6402.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a custom TCP request

Gathering data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware lolbin packed settingsynchost

Link:

https://www.filescan.io/uploads/652d27df5da218a42f513d05/reports/2064fe86-173f-4926-ab1f-19bf6ca82efd/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/4f0925a84a5c9624ef8f734239ee56188ba9341d48dc0f07db902e59743a4590

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/062478c6-0970-44da-a690-f6314330cfbe

Result

Threat name:

DanaBot

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1326454

Signature

Antivirus / Scanner detection for submitted sample

Machine Learning detection for sample

May use the Tor software to hide its network traffic

Multi AV Scanner detection for submitted file

Overwrites code with function prologues

System process connects to network (likely due to code injection or exploit)

Tries to detect virtualization through RDTSC time measurements

Yara detected DanaBot stealer dll

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/4f0925a84a5c9624ef8f734239ee56188ba9341d48dc0f07db902e59743a4590

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4f0925a84a5c9624ef8f734239ee56188ba9341d48dc0f07db902e59743a4590/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2023-10-15 20:48:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

15 of 21 (71.43%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=j4eslkcklslcj34ponbdt3swdcf2sna5jdoa6b63saxfs5b2iwia._file

Verdict:

malicious

DanaBot

72cb26ac08fa4ba35112a093b506eb97f730537f9a011a20ad8049d4da6fcb77

DanaBot

7a6ee9e168bb8af108f335957f8abc4736c49a0a9335412a9a75758f904c0f95

DanaBot

804a0999f1e0c5a8e083f0a36ccfe7ad8a6ab94a0c77d6ab74175540c990f95e

DanaBot

a297bc0c90017b32dd1636f86f068b0b6c21c6e1eb1ead92c23eec4b0195177e

DanaBot

b23e219ee4998ff38b9d571f5a4ff3bf7702d509bce4c910708b3d78956367c1

DanaBot

d803474f276d6a116f53136d486a257bf6414a5c4393aa83793bc77a4124afd2

DanaBot

f57dab60885da9213f24b4896129182cb29ad3bd7be194685b68d61e6357188b

DanaBot

+ 22 additional samples on MalwareBazaar

Result

Malware family:

danabot

Score:

10/10

Tags:

family:danabot banker trojan

Link:

https://tria.ge/reports/231016-pbfk1sgb86/

Behaviour

Checks processor information in registry

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Blocklisted process makes network request

Danabot

Unpacked files

SH256 hash:

f797fe4abc5835f98862dd8be4015bd63f1c6666d939103a52b04740d5cf1fae

MD5 hash:

872c1eeb312812c2a09fd6dd47ab0d14

SHA1 hash:

28675fbeeaf88b4026023638c87011959b041608

Link:

https://www.unpac.me/results/3e3e7c90-18be-42d6-bcdc-ccd1fbd2117f/

SH256 hash:

4f0925a84a5c9624ef8f734239ee56188ba9341d48dc0f07db902e59743a4590

MD5 hash:

426a8ae17ab047f1ce5313bf1f422fc3

SHA1 hash:

f8a9a83c4d77b13d08d203997c5df167d0290261

Link:

https://www.unpac.me/results/3e3e7c90-18be-42d6-bcdc-ccd1fbd2117f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4f0925a84a5c9624ef8f734239ee56188ba9341d48dc0f07db902e59743a4590

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/454858/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample