MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56086c245c079cb9345f744d6c352931877ea6aa2286950f9451d3ec372d6e19. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 56086c245c079cb9345f744d6c352931877ea6aa2286950f9451d3ec372d6e19
SHA3-384 hash: 64b6f2dad8cb112cb6540c24235d256ab99e0b67b9934dfdfee1807a5fb022f9ddbd5562c7c8552881a1a642cb0b569a
SHA1 hash: f00ecf94d2ca07d843242b23b1d6e9f92d80c0ce
MD5 hash: eb749e44a75448c807d0af28f8b83e66
humanhash: item-beer-snake-nebraska
File name:eb749e44a75448c807d0af28f8b83e66.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:638'464 bytes
First seen:2021-08-23 06:22:29 UTC
Last seen:2021-08-23 07:17:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4aded8f080ac4b6e892c4de31a213f2e (4 x RedLineStealer, 2 x Amadey, 1 x DanaBot)
ssdeep 12288:eKOR/0vrmf7SehkqWtVHd/me+NI7E7936QNq3PDQw2k:q/0vwkBtVHd/mNNS/DQ
TLSH T156D4E130B7A1C034E1B312F456B98768A93D7A72573550CF63E51AEE1A386E9EC30747
dhash icon ead8ac9cc6e68ee0 (118 x RaccoonStealer, 102 x RedLineStealer, 46 x Smoke Loader)
Reporter abuse_ch
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
1'363
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup_x86_x64_install.exe
Verdict:
Malicious activity
Analysis date:
2021-08-23 05:28:32 UTC
Tags:
trojan rat redline evasion stealer vidar loader opendir ficker phishing
Link:
https://app.any.run/tasks/60a44f9f-16d3-48e2-8ab2-c0f61a78b5aa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CryptBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/181366/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader41.24852.20321.6226.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Reading critical registry keys
Delayed reading of the file
Deleting a recently created file
Creating a window
Sending a custom TCP request
Sending a UDP request
DNS request
Connection attempt
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Creating a file in the Program Files subdirectories
Launching a process
Creating a file in the %AppData% subdirectories
Launching cmd.exe command interpreter
Stealing user critical data
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
CryptBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5bb16c61-9167-4212-b490-4e5c2c0f649e
Result
Threat name:
Clipboard Hijacker Cryptbot Glupteba
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/837276
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Delayed program exit found
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Obfuscated command line found
Sigma detected: Copying Sensitive Files with Credential Data
Submitted sample is a known malware sample
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Clipboard Hijacker
Yara detected Cryptbot
Yara detected Glupteba
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 469707 Sample: XKcr4VZxQy.exe Startdate: 23/08/2021 Architecture: WINDOWS Score: 100 78 iplogger.org 2->78 96 Found malware configuration 2->96 98 Malicious sample detected (through community Yara rule) 2->98 100 Antivirus detection for dropped file 2->100 102 11 other signatures 2->102 12 XKcr4VZxQy.exe 47 2->12         started        17 SmartClock.exe 2->17         started        19 rundll32.exe 2->19         started        21 SmartClock.exe 2->21         started        signatures3 process4 dnsIp5 88 bunopq12.top 95.182.123.214, 49713, 49714, 80 TEAM-HOSTASRU Russian Federation 12->88 90 tobdol01.top 93.170.123.188, 49715, 49716, 80 IHOR-ASRU Czech Republic 12->90 92 morkix01.top 12->92 74 C:\Users\user\AppData\Local\Temp\Filett.exe, PE32 12->74 dropped 76 C:\Users\user\AppData\Local\...\lv[1].exe, PE32 12->76 dropped 126 Detected unpacking (changes PE section rights) 12->126 128 Tries to harvest and steal browser information (history, passwords, etc) 12->128 23 Filett.exe 25 12->23         started        27 cmd.exe 1 12->27         started        file6 signatures7 process8 file9 66 C:\Users\user\AppData\Local\Temp\...\vts.exe, PE32 23->66 dropped 68 C:\Users\user\AppData\Local\Temp\...\fuk.exe, PE32 23->68 dropped 70 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 23->70 dropped 72 3 other files (none is malicious) 23->72 dropped 104 Antivirus detection for dropped file 23->104 106 Machine Learning detection for dropped file 23->106 29 vts.exe 1 5 23->29         started        32 fuk.exe 4 23->32         started        108 Submitted sample is a known malware sample 27->108 110 Obfuscated command line found 27->110 112 Uses ping.exe to sleep 27->112 114 Uses ping.exe to check the status of other devices and networks 27->114 35 conhost.exe 27->35         started        37 timeout.exe 1 27->37         started        signatures10 process11 file12 116 Machine Learning detection for dropped file 29->116 39 cmd.exe 1 29->39         started        41 dllhost.exe 29->41         started        62 C:\Users\user\AppData\...\SmartClock.exe, PE32 32->62 dropped 118 Detected unpacking (changes PE section rights) 32->118 120 Delayed program exit found 32->120 43 SmartClock.exe 32->43         started        signatures13 process14 process15 45 cmd.exe 3 39->45         started        48 conhost.exe 39->48         started        signatures16 122 Obfuscated command line found 45->122 124 Uses ping.exe to sleep 45->124 50 Larghe.exe.com 45->50         started        53 findstr.exe 1 45->53         started        56 PING.EXE 1 45->56         started        process17 dnsIp18 94 May check the online IP address of the machine 50->94 59 Larghe.exe.com 50->59         started        64 C:\Users\user\AppData\...\Larghe.exe.com, Targa 53->64 dropped 80 192.168.2.3, 443, 49563, 49680 unknown unknown 56->80 file19 signatures20 process21 dnsIp22 82 ujzYUCxeWirjpFYgcWLYZFegxKw.ujzYUCxeWirjpFYgcWLYZFegxKw 59->82 84 ip-api.com 208.95.112.1, 49730, 80 TUT-ASUS United States 59->84 86 192.168.2.1 unknown unknown 59->86
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/56086c245c079cb9345f744d6c352931877ea6aa2286950f9451d3ec372d6e19/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-08-23 06:23:04 UTC
AV detection:
19 of 46 (41.30%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kyegyjc4a6olsnc7orgwynjjggdx5jvkekdjkd4ukhj6ynznnymq._file
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:cryptbot family:danabot banker discovery persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/210823-6x5clnq2fx/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Deletes itself
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
CryptBot
CryptBot Payload
Danabot
Danabot Loader Component
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
C2 Extraction:
bunopq12.top
morkix01.top
Unpacked files
SH256 hash:
4b9e3bb97b5bf5dd38041416a8df238d40cc7384b6efe2944572621918dbd618
MD5 hash:
2104517b4dfd9a9d57c5fc588c1d4e70
SHA1 hash:
05a5d85d915aa7d182bddbf44b699a3cf08d9483
Detections:
win_cryptbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/677a45cd-f810-4d14-af1d-966d57df96c1/
SH256 hash:
56086c245c079cb9345f744d6c352931877ea6aa2286950f9451d3ec372d6e19
MD5 hash:
eb749e44a75448c807d0af28f8b83e66
SHA1 hash:
f00ecf94d2ca07d843242b23b1d6e9f92d80c0ce
Link:
https://www.unpac.me/results/677a45cd-f810-4d14-af1d-966d57df96c1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/56086c245c079cb9345f744d6c352931877ea6aa2286950f9451d3ec372d6e19

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 56086c245c079cb9345f744d6c352931877ea6aa2286950f9451d3ec372d6e19

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1554880/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/181366/

Comments