MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a887c05193d46c6ef71ea39ca0b764db4f717d5bc994c778c9d2676978f3483. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments

SHA256 hash:	5a887c05193d46c6ef71ea39ca0b764db4f717d5bc994c778c9d2676978f3483
SHA3-384 hash:	9313641f59f85ed5279739a98d8e6364ad031854bc62f1a9d0e7aca4bd4283b8dca75c5cf7621386c480d754ed3bd3cc
SHA1 hash:	1dfe200a28b8d77ad38e539d9244167f3163e50f
MD5 hash:	47a91df4426f807d660453e2efa26027
humanhash:	avocado-quiet-november-video
File name:	prod2.exe
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	3'441'664 bytes
First seen:	2022-07-13 12:14:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1f39d87084380c87bb0680c9bdba7a21 (4 x RedLineStealer, 1 x ArkeiStealer, 1 x Smoke Loader)
ssdeep	49152:aH64ZlHCxEQwj31ycnVxR8HkZcbWVY29IY0H6GbB4CFwb4uhifEK6sGFD9PoGd:aprH/QM/nVxNmWm20H6+4owfJ5sCoQ
TLSH	T14BF53340E5E14871F82E2E380F45D7B28FB72C9262789D0BDB706B641B336509E3A7B5
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	c01edecea6ac8ccc (78 x RedLineStealer, 43 x Smoke Loader, 13 x Stop)
Reporter	0x746f6d6669
Tags:	DanaBot exe

Intelligence

File Origin

# of uploads :

# of downloads :

464

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

danabot

ID:

File name:

prod2.exe

Verdict:

Malicious activity

Analysis date:

2022-07-13 12:20:47 UTC

Tags:

danabot

Link:

https://app.any.run/tasks/6f192095-c4db-4667-9a67-43d38a248fcc

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/287034/

Detection(s):

Win.Malware.Azorult-9949206-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Launching the default Windows debugger (dwwin.exe)

Creating a window

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/62ceb7a383ba16fee5c25235/reports/91c2d87d-536d-458e-b8d8-9979fa29772f/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

DanaBot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3f9b8ea0-4719-4d9d-9484-4c2c51aedd54

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/1030146

Signature

Contains functionality to detect sleep reduction / modifications

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5a887c05193d46c6ef71ea39ca0b764db4f717d5bc994c778c9d2676978f3483/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2022-06-28 12:10:12 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lkehybizhvdmn33r5i44uc3wjw2pof6vxsmuy54mtuthnf4pgsbq._file

Verdict:

malicious

Result

Malware family:

danabot

Score:

10/10

Tags:

family:danabot banker discovery trojan

Link:

https://tria.ge/reports/220713-pew26shae3/

Behaviour

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Checks installed software on the system

Loads dropped DLL

Blocklisted process makes network request

Danabot

Malware Config

C2 Extraction:

100.0.0.0:5148
58.50.42.34:13886
26.18.10.2:5662
60.52.44.36:14400

Unpacked files

SH256 hash:

b75f62b06c9559f14a96cfaf45ac752abe93ade5d7e7c01ab9d772891fb941b8

MD5 hash:

dd69f3ddb4eec58cedd1f9eae07e2ce1

SHA1 hash:

2725498ffeaf111b5eff82a87a19de6760f31cde

Link:

https://www.unpac.me/results/5b3adb97-44a9-423e-9c7e-d958eba2bcd9/

SH256 hash:

ef78a7edac0d62cfb157cb652cad5282b020484fdb580ccb09a0ab321296f136

MD5 hash:

9eaaf83b7a39a32b20bcf11f89e5e241

SHA1 hash:

e237dfffc5405c9dc242958cf89e0d05fc45fd41

Link:

https://www.unpac.me/results/5b3adb97-44a9-423e-9c7e-d958eba2bcd9/

SH256 hash:

5a887c05193d46c6ef71ea39ca0b764db4f717d5bc994c778c9d2676978f3483

MD5 hash:

47a91df4426f807d660453e2efa26027

SHA1 hash:

1dfe200a28b8d77ad38e539d9244167f3163e50f

Link:

https://www.unpac.me/results/5b3adb97-44a9-423e-9c7e-d958eba2bcd9/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5a887c05193d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5a887c05193d46c6ef71ea39ca0b764db4f717d5bc994c778c9d2676978f3483

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	win_danabot_cdf38827 Create hunting rule
Author:	Johannes Bader
Description:	detects DanaBot

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/287034/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample