MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59ffd2713fcc721ea5c57944cb6443be5061ff49ba76fa31e3ae4a75577a7da1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 59ffd2713fcc721ea5c57944cb6443be5061ff49ba76fa31e3ae4a75577a7da1
SHA3-384 hash: 94093ab57945962f6364ae7756a388b75e677766cfb77f108ac80274611cbb9673d14fe24dcf325e281e2beb3625f5a2
SHA1 hash: 134f9250722e38d7a21b89768f63ce727fed722c
MD5 hash: 518d41de74e9886881d21a0256cf2a2c
humanhash: nevada-avocado-magnesium-march
File name:518d41de74e9886881d21a0256cf2a2c
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'136'429 bytes
First seen:2021-08-18 10:13:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 24576:N/1ZroX5NY50ZGu7Iaj1wCAWzlFXDyO83H+oviuK1yZ0I8Y:N1ZqG5kLxDA4FXO3Bv1CWgY
Threatray 441 similar samples on MalwareBazaar
TLSH T131352362D3D4047EE863417600776B274F36FE1AA5758B1E93A4F8EDB8B19023D18B36
dhash icon f2cecc8e86cce892 (6 x DanaBot, 1 x CyberGate, 1 x RemcosRAT)
Reporter zbetcheckin
Tags:32 DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
233
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
518d41de74e9886881d21a0256cf2a2c
Verdict:
No threats detected
Analysis date:
2021-08-18 10:15:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3ce5e907-be57-4d77-9b65-83203d212ea4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/180289/
Detection(s):
Win.Packed.Filerepmalware-9864117-0
Create hunting rule

Win.Packed.Stop-9872858-0
Create hunting rule

Win.Packed.Doina-9886276-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a file in the Program Files subdirectories
DNS request
Deleting a recently created file
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Launching a process
Creating a process with a hidden window
Running batch commands
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Launching cmd.exe command interpreter
Connection attempt
Sending an HTTP GET request
Creating a file
Sending a custom TCP request
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
IntelRapid
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7f8d0ee8-703a-4f8a-9816-251f070790dc
Result
Threat name:
Clipboard Hijacker
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/835000
Signature
Antivirus / Scanner detection for submitted sample
Delayed program exit found
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Submitted sample is a known malware sample
System process connects to network (likely due to code injection or exploit)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Clipboard Hijacker
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 467431 Sample: RPk5RyBEF7 Startdate: 18/08/2021 Architecture: WINDOWS Score: 100 91 Found malware configuration 2->91 93 Antivirus / Scanner detection for submitted sample 2->93 95 Multi AV Scanner detection for submitted file 2->95 97 6 other signatures 2->97 11 RPk5RyBEF7.exe 25 2->11         started        14 SmartClock.exe 2->14         started        16 SmartClock.exe 2->16         started        18 rundll32.exe 2->18         started        process3 file4 71 C:\Users\user\AppData\Local\Temp\...\vps.exe, PE32 11->71 dropped 73 C:\Users\user\AppData\Local\...\fanfan.exe, PE32 11->73 dropped 75 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 11->75 dropped 77 3 other files (none is malicious) 11->77 dropped 20 vps.exe 1 6 11->20         started        23 fanfan.exe 4 11->23         started        26 WerFault.exe 14->26         started        28 WerFault.exe 16->28         started        process5 file6 99 Machine Learning detection for dropped file 20->99 30 cmd.exe 1 20->30         started        33 dllhost.exe 20->33         started        67 C:\Users\user\AppData\...\SmartClock.exe, PE32 23->67 dropped 101 Delayed program exit found 23->101 35 SmartClock.exe 23->35         started        37 WerFault.exe 20 9 23->37         started        39 WerFault.exe 9 23->39         started        signatures7 process8 signatures9 107 Submitted sample is a known malware sample 30->107 109 Obfuscated command line found 30->109 111 Uses ping.exe to sleep 30->111 113 Uses ping.exe to check the status of other devices and networks 30->113 41 cmd.exe 3 30->41         started        44 conhost.exe 30->44         started        46 WerFault.exe 17 9 35->46         started        process10 signatures11 103 Obfuscated command line found 41->103 105 Uses ping.exe to sleep 41->105 48 Ergendosi.exe.com 41->48         started        51 findstr.exe 1 41->51         started        54 PING.EXE 1 41->54         started        process12 dnsIp13 89 May check the online IP address of the machine 48->89 57 Ergendosi.exe.com 3 18 48->57         started        65 C:\Users\user\AppData\...rgendosi.exe.com, Targa 51->65 dropped 79 192.168.2.1 unknown unknown 54->79 81 192.168.2.4, 443, 49685, 49687 unknown unknown 54->81 file14 signatures15 process16 dnsIp17 83 ip-api.com 208.95.112.1, 49743, 80 TUT-ASUS United States 57->83 85 nNpwxhwvUw.nNpwxhwvUw 57->85 69 C:\Users\user\AppData\Local\...\lpasflya.vbs, ASCII 57->69 dropped 61 wscript.exe 57->61         started        file18 process19 dnsIp20 87 iplogger.org 88.99.66.31, 443, 49744 HETZNER-ASDE Germany 61->87 115 System process connects to network (likely due to code injection or exploit) 61->115 117 May check the online IP address of the machine 61->117 signatures21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/59ffd2713fcc721ea5c57944cb6443be5061ff49ba76fa31e3ae4a75577a7da1/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-08-18 10:14:05 UTC
File Type:
PE (Exe)
Extracted files:
63
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
21264f137758d0bb2825cd6198b4ae8aedc2e7346c5bf3f84062c1cb326f023b
DanaBot
2afd735ca5d2ad8a8478c4832e4827b150e30d5f0b7c1dc174ce934017ee1d76
DanaBot
7316a53221fd947465957838ed65abe390dc884bf0aa63ea095b658ac275359c
DanaBot
7de7947e52663865b295e5f4377da5ff018beac438c17ff9ecd8e67eb0202bb0
DanaBot
a4ea700b81162fffa25eea3aefe0d4118601ae8acd0123f08e487c4c8bc0ad84
DanaBot
ba79511e07aa54335187ca44cd181736ffec00ad5436e3a1d1418ce5b743807d
DanaBot
fe0921df62f37332cab9e56fbbfe050e204e196e55eb323657c1f0469a6ff27b
DanaBot
+ 431 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot botnet:4 banker discovery persistence spyware stealer trojan
Link:
https://tria.ge/reports/210818-bxtdkxlren/
Behaviour
Checks processor information in registry
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Danabot
Danabot Loader Component
Malware Config
C2 Extraction:
23.229.29.48:443
152.89.247.31:443
192.210.222.81:443
Unpacked files
SH256 hash:
cae2af36f866fed9753ecc423bf1cfb3d1b5f2c3179dddc1715d6c896812d669
MD5 hash:
0fcc3d7408dfb7b31d8e36982dab298c
SHA1 hash:
6ebe13e8565ab5cfc7f8eac8973c156531b2a1e2
Link:
https://www.unpac.me/results/13943376-26f7-47ba-a503-dcaa92e5666c/
SH256 hash:
9fa9a6bdf5f5e4d3b778a6596017d9126b4bb9dc20acf8ad979ef6e4a107ca44
MD5 hash:
4df95e0e5d3473d11409d5de60d5f639
SHA1 hash:
964013118d598195f3290e273c45ee6e1325a79d
Link:
https://www.unpac.me/results/13943376-26f7-47ba-a503-dcaa92e5666c/
SH256 hash:
5b58151a849af14e0e9118e57b35b9408e45d47e8361292d40eaac5e2057bd0c
MD5 hash:
7a1d01bd6d92fc95af10574e51ce6f83
SHA1 hash:
67136befa16e2a823479e67e710f9eb8cccc3d5e
Link:
https://www.unpac.me/results/13943376-26f7-47ba-a503-dcaa92e5666c/
SH256 hash:
59ffd2713fcc721ea5c57944cb6443be5061ff49ba76fa31e3ae4a75577a7da1
MD5 hash:
518d41de74e9886881d21a0256cf2a2c
SHA1 hash:
134f9250722e38d7a21b89768f63ce727fed722c
Link:
https://www.unpac.me/results/13943376-26f7-47ba-a503-dcaa92e5666c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/59ffd2713fcc721ea5c57944cb6443be5061ff49ba76fa31e3ae4a75577a7da1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_DLAgent14
Create hunting rule
Author:ditekSHen
Description:Detects downloader injector

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 59ffd2713fcc721ea5c57944cb6443be5061ff49ba76fa31e3ae4a75577a7da1

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1543943/
Cape
Cape
https://www.capesandbox.com/analysis/180289/

Comments


Avatar
zbet commented on 2021-08-18 10:13:55 UTC

url : hxxp://sarpuk04.top/downfiles/lv.exe