MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f8ce35ede11311d3929f003252184cd364046fb0bbddb083688a57c672acf38. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4f8ce35ede11311d3929f003252184cd364046fb0bbddb083688a57c672acf38
SHA3-384 hash: 74a20e56340905f2845ace73c1a4bf3df846abbed3ab83a25146c73fd49c7ce1dbfcf5b350c9a2c1e34d97ec078429ca
SHA1 hash: 246cf5194253e321b176981aa136fa8f76e961c3
MD5 hash: 3f57c68e243e816198400b579a6f8d93
humanhash: nitrogen-pennsylvania-pennsylvania-texas
File name:3f57c68e243e816198400b579a6f8d93
Download: download sample
Signature DanaBot
Create hunting rule
File size:3'617'084 bytes
First seen:2021-08-08 19:47:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 49152:bUd1ZfAMBpKXg1lGENTMk24cqWsN9PnViajYnorRNTVe+82uZdFd5iykx3rjrhrC:QPZRB1KENTLd8pnEAF2uZ3d8ySn9Zs
Threatray 3'549 similar samples on MalwareBazaar
TLSH T1A8F5334BD822DE5AEF830131D824635AD317DA66E4628C27A75357CE7F70C01DA2EA37
dhash icon fefee6e252b0e0e4 (12 x DanaBot)
Reporter zbetcheckin
Tags:32 DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
357
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
main-install-v2.1.exe
Verdict:
Malicious activity
Analysis date:
2021-08-06 04:15:05 UTC
Tags:
trojan stealer loader evasion
Link:
https://app.any.run/tasks/2d46c1ad-9c60-4618-babb-777c3f53ccc8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/177313/
Detection(s):
Win.Packed.Filerepmalware-9864117-0
Create hunting rule

Win.Packed.Stop-9872858-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Deleting a recently created file
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Searching for analyzing tools
Searching for the window
Running batch commands
Sending a UDP request
Creating a file in the %AppData% subdirectories
Launching cmd.exe command interpreter
DNS request
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e4b81d66-78a2-40c7-85ab-9d142f780242
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/828884
Signature
Antivirus detection for dropped file
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Submitted sample is a known malware sample
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 461315 Sample: RHvnTM16Cq Startdate: 08/08/2021 Architecture: WINDOWS Score: 100 77 Antivirus detection for dropped file 2->77 79 Multi AV Scanner detection for dropped file 2->79 81 Multi AV Scanner detection for submitted file 2->81 83 6 other signatures 2->83 11 RHvnTM16Cq.exe 25 2->11         started        14 IntelRapid.exe 2->14         started        17 IntelRapid.exe 2->17         started        19 rundll32.exe 2->19         started        process3 file4 61 C:\Users\user\AppData\Local\Temp\...\vpn.exe, PE32 11->61 dropped 63 C:\Users\user\AppData\Local\Temp\...\4.exe, PE32 11->63 dropped 65 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 11->65 dropped 67 3 other files (none is malicious) 11->67 dropped 21 vpn.exe 1 6 11->21         started        23 4.exe 4 11->23         started        115 Query firmware table information (likely to detect VMs) 14->115 117 Hides threads from debuggers 14->117 119 Tries to detect sandboxes / dynamic malware analysis system (registry check) 14->119 signatures5 process6 file7 27 cmd.exe 1 21->27         started        30 dllhost.exe 21->30         started        57 C:\Users\user\AppData\...\IntelRapid.exe, PE32 23->57 dropped 95 Query firmware table information (likely to detect VMs) 23->95 97 Hides threads from debuggers 23->97 99 Tries to detect sandboxes / dynamic malware analysis system (registry check) 23->99 32 IntelRapid.exe 23->32         started        signatures8 process9 signatures10 101 Submitted sample is a known malware sample 27->101 103 Obfuscated command line found 27->103 105 Uses ping.exe to sleep 27->105 107 Uses ping.exe to check the status of other devices and networks 27->107 34 cmd.exe 3 27->34         started        37 conhost.exe 27->37         started        109 Query firmware table information (likely to detect VMs) 32->109 111 Hides threads from debuggers 32->111 113 Tries to detect sandboxes / dynamic malware analysis system (registry check) 32->113 process11 signatures12 85 Obfuscated command line found 34->85 87 Uses ping.exe to sleep 34->87 39 Scotendosi.exe.com 34->39         started        42 findstr.exe 1 34->42         started        45 PING.EXE 1 34->45         started        process13 file14 93 May check the online IP address of the machine 39->93 47 Scotendosi.exe.com 3 18 39->47         started        59 C:\Users\user\AppData\...\Scotendosi.exe.com, Targa 42->59 dropped signatures15 process16 dnsIp17 71 ip-api.com 208.95.112.1, 49693, 80 TUT-ASUS United States 47->71 73 192.168.2.1 unknown unknown 47->73 75 QXXeUyzuDuIxPFLVPNbwDZBBB.QXXeUyzuDuIxPFLVPNbwDZBBB 47->75 55 C:\Users\user\AppData\Local\...\xvsfhqkf.vbs, ASCII 47->55 dropped 51 wscript.exe 12 47->51         started        file18 process19 dnsIp20 69 iplogger.org 88.99.66.31, 443, 49694 HETZNER-ASDE Germany 51->69 89 System process connects to network (likely due to code injection or exploit) 51->89 91 May check the online IP address of the machine 51->91 signatures21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4f8ce35ede11311d3929f003252184cd364046fb0bbddb083688a57c672acf38/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-08-05 19:53:18 UTC
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
2793bbaba9d12a4a740b6c957143367ce1fb13bb98ecb122e2cb41728bed525e
DanaBot
2fbf6c5454bb88073ecbc13b293375ec58a9f8636c188881ffd7a3573f3c1cac
DanaBot
3ec8d6d1645881d59332953e0da03a3207d34f985dd88e975ca8bf65fb7cc3c1
DanaBot
5a2f819b56fc962aa6f4e34d59eea86956299b3ff809ca166e404440b9af7ca6
DanaBot
69fac4fe77b6da550498724f01e6db66d5c18a19c185d824bf62afdaccb0a7d6
DanaBot
820194153174a679179e3649a4ebac8f39b4fefd2836d19ae1241e4e520fae26
DanaBot
8f71fca5621ccb7ba3558cfebc17014d27923d1c73ad97ececb577fd5b937047
DanaBot
8fa3eaa46c7d8d1f44a2eeca895f802f2aa7a2251bab347ccb765c72d63ccb58
DanaBot
d34e63dbaeb352c7fbf69e3afcd140ca188aaf9492bbb209401bdbcc6028b07c
DanaBot
dab48eb20191f37e19aed12dc58640ab40957cec26dc3fa63a88f70decbd875c
DanaBot
+ 3'539 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot botnet:4 banker discovery evasion persistence spyware stealer themida trojan
Link:
https://tria.ge/reports/210808-hqt4r2zde2/
Behaviour
Checks processor information in registry
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Danabot
Danabot Loader Component
Malware Config
C2 Extraction:
142.11.244.124:443
142.11.206.50:443
Unpacked files
SH256 hash:
f70906c4c67ac307df8af5603054ec218dbbb27b91cb839d3db680ac689c8aee
MD5 hash:
8a3be6f7549037c8629c18b449173256
SHA1 hash:
6794ab330aa8628c768eac48b84cada6e222ca95
Link:
https://www.unpac.me/results/72dfab15-ca20-4431-9a2c-b263c7d06bca/
SH256 hash:
536ba7a0087c1628a24d9a40a35dc00425122888f748a088e60fdaa669ea6d08
MD5 hash:
ae42a0766189d5389b088820a0eaa44c
SHA1 hash:
3887d7e63e52841efaa210d0b5ed9828b5676df7
Link:
https://www.unpac.me/results/72dfab15-ca20-4431-9a2c-b263c7d06bca/
SH256 hash:
52d6860df0cdc2577be6fefae9127c8cbd8330fe925732988f68f64297cab9c9
MD5 hash:
a966a04684fe39c61d670a31f3fafb5c
SHA1 hash:
5c41b01ab0cf7981e2b7bebd66cdc7f2d847ec1b
Link:
https://www.unpac.me/results/72dfab15-ca20-4431-9a2c-b263c7d06bca/
SH256 hash:
4f8ce35ede11311d3929f003252184cd364046fb0bbddb083688a57c672acf38
MD5 hash:
3f57c68e243e816198400b579a6f8d93
SHA1 hash:
246cf5194253e321b176981aa136fa8f76e961c3
Link:
https://www.unpac.me/results/72dfab15-ca20-4431-9a2c-b263c7d06bca/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4f8ce35ede11311d3929f003252184cd364046fb0bbddb083688a57c672acf38

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 4f8ce35ede11311d3929f003252184cd364046fb0bbddb083688a57c672acf38

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1517195/
Cape
Cape
https://www.capesandbox.com/analysis/177313/

Comments


Avatar
zbet commented on 2021-08-08 19:47:10 UTC

url : hxxp://zelvka06.top/downfiles/lv.exe