MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ad9430fa6ba804f26f8c23bc0bac10cb23969ad7e9b521f9ec2000f9477e327. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	5ad9430fa6ba804f26f8c23bc0bac10cb23969ad7e9b521f9ec2000f9477e327
SHA3-384 hash:	1f08cdad12d22d8a7cfd0f9bf5b8bb310ef64ef0a8b4736c81a7e723dfadec7d4fcd6d687bc9a42315120a86ef26e16a
SHA1 hash:	992594b1731b93ababbe278a460fe36f3ad42c99
MD5 hash:	74bd1c1cf67e38be20997ce3936d24e0
humanhash:	burger-mockingbird-uniform-lactose
File name:	74bd1c1cf67e38be20997ce3936d24e0.exe
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	1'228'800 bytes
First seen:	2021-10-13 09:30:48 UTC
Last seen:	2021-10-13 11:24:35 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	4b52e566ef5b8727d87906b4623fc7d4 (3 x RedLineStealer, 2 x Smoke Loader, 2 x ArkeiStealer)
ssdeep	24576:qRXrIU2kDlBW17rAlK0YWc8qptHN8lboBXTbwPcOCxt:qxrIU2kKAlPY74Abw
Threatray	6'413 similar samples on MalwareBazaar
TLSH	T126451200A791D034F5F762F45A799268BA3E7AA1AB3490CF63D026ED4735AE1EC31713
File icon (PE):
dhash icon	ead8ac9cc6a68ee0 (93 x RedLineStealer, 50 x RaccoonStealer, 15 x Smoke Loader)
Reporter	abuse_ch
Tags:	DanaBot exe

Intelligence

File Origin

# of uploads :

# of downloads :

297

Origin country :

n/a

Vendor Threat Intelligence

Detection:

DanaBot

Link:

https://www.capesandbox.com/analysis/197144/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.37779058.17394.20118.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Enabling the 'hidden' option for recently created files

Launching a process

Creating a process with a hidden window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/6166a75afd35fe780c3cdcae/reports/58213ecf-b52e-41dc-914b-f9b26f929894/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f07f4c55-f49b-413e-be88-8b2ac86c7f45

Result

Threat name:

DanaBot

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/869523

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected DanaBot stealer dll

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5ad9430fa6ba804f26f8c23bc0bac10cb23969ad7e9b521f9ec2000f9477e327/

Threat name:

Win32.Ransomware.Generic

Status:

Suspicious

First seen:

2021-10-13 00:31:52 UTC

AV detection:

15 of 45 (33.33%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=llmugd5gxkae6jxyyi54bowbbszds2nnp2nveh46yiaa7fdx4mtq._file

Verdict:

malicious

Result

Malware family:

danabot

Score:

10/10

Tags:

family:danabot banker trojan

Link:

https://tria.ge/reports/211013-lg2tnadhb4/

Behaviour

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Loads dropped DLL

Blocklisted process makes network request

Danabot

Malware Config

C2 Extraction:

192.119.110.73:443
192.236.147.159:443
192.210.222.88:443

Unpacked files

SH256 hash:

b1a8502c0bf0a8927947bb01da766240ca04cc090ea143896db7834b1ebcc648

MD5 hash:

9e4996db535e3c45cb567161258bae44

SHA1 hash:

70319fb9ee3f14cca12857bd43b619471945389e

Link:

https://www.unpac.me/results/21c61525-e668-4eb7-9d1b-9752522bad3a/

SH256 hash:

5f29aa21613e9bf7b93ae05bc494420809be817339a47e214d03b97408bebbb8

MD5 hash:

51369d5427e599e91b8713598eebb904

SHA1 hash:

32b95369bc9f007fccf51271bc56bc1014110fd2

Link:

https://www.unpac.me/results/21c61525-e668-4eb7-9d1b-9752522bad3a/

SH256 hash:

5ad9430fa6ba804f26f8c23bc0bac10cb23969ad7e9b521f9ec2000f9477e327

MD5 hash:

74bd1c1cf67e38be20997ce3936d24e0

SHA1 hash:

992594b1731b93ababbe278a460fe36f3ad42c99

Link:

https://www.unpac.me/results/21c61525-e668-4eb7-9d1b-9752522bad3a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5ad9430fa6ba804f26f8c23bc0bac10cb23969ad7e9b521f9ec2000f9477e327

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

exe 5ad9430fa6ba804f26f8c23bc0bac10cb23969ad7e9b521f9ec2000f9477e327

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1660814/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/1640605/

Cape

https://www.capesandbox.com/analysis/197144/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample