MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5cb6e770edce0f3152dc1829bac2aff71be91ee7242260b32086ee7a3768483f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	5cb6e770edce0f3152dc1829bac2aff71be91ee7242260b32086ee7a3768483f
SHA3-384 hash:	65410c79f142fa74ab6f6f01dc9bff474887facdefd636f7a1a72674ea8553b553783a1387d548dcbfa4bebbb7e112dd
SHA1 hash:	7a0a0dd6b4be9105033349168aa044f1d816cd66
MD5 hash:	d429e3660bea179030351f62395ae4d4
humanhash:	hydrogen-november-thirteen-bravo
File name:	d429e3660bea179030351f62395ae4d4.exe
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	1'220'608 bytes
First seen:	2021-10-07 19:52:10 UTC
Last seen:	2021-10-07 21:10:35 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	5723d007fd3b79d5a0887de51ad72442 (3 x RaccoonStealer, 1 x DanaBot, 1 x CryptBot)
ssdeep	24576:LWJ4XbfDmFGzGiXssAuYg93gc04T+b+uMP6GvP:LWmXb7mFGzGZsAu/dTTujM
Threatray	6'022 similar samples on MalwareBazaar
TLSH	T140451201B7A1C035F1B652F40B7583B8A92E7DA29F28A1CF56C51AF857366E0EC7074B
File icon (PE):
dhash icon	a0f8e8e8aa66a499 (1 x DanaBot)
Reporter	abuse_ch
Tags:	DanaBot exe

Intelligence

File Origin

# of uploads :

# of downloads :

397

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

d429e3660bea179030351f62395ae4d4.exe

Verdict:

Malicious activity

Analysis date:

2021-10-07 20:04:10 UTC

Tags:

trojan danabot

Link:

https://app.any.run/tasks/6b5cd84a-ac8f-49b3-8388-aa77f8b8bf54

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

DanaBot

Link:

https://www.capesandbox.com/analysis/195962/

Detection(s):

SecuriteInfo.com.Suspicious.Win32.Save.a.28846.24165.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Enabling the 'hidden' option for recently created files

Launching a process

Creating a process with a hidden window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/615f5020e3d213d202ba5641/reports/c29378c5-5f04-4b2e-8536-cd65a5a4d3d9/overview

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/20b0278c-273a-44f5-be25-e60e3f890ea8

Result

Threat name:

DanaBot

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/866695

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected DanaBot stealer dll

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5cb6e770edce0f3152dc1829bac2aff71be91ee7242260b32086ee7a3768483f/

Threat name:

Win32.Trojan.GenericML

Status:

Malicious

First seen:

2021-10-07 17:25:18 UTC

AV detection:

15 of 27 (55.56%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ls3oo4hnzyhtcuw4dau3vqvp64n6shxheqrgbmzaq3xhun3ija7q._file

Verdict:

malicious

Result

Malware family:

danabot

Score:

10/10

Tags:

family:danabot banker trojan

Link:

https://tria.ge/reports/211007-ylyzsadban/

Behaviour

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Loads dropped DLL

Blocklisted process makes network request

Danabot

Danabot Loader Component

Malware Config

C2 Extraction:

142.11.242.31:443
192.119.110.73:443
192.210.222.88:443

Unpacked files

SH256 hash:

ea17c772dd92d7f2ea28c42ae7cea2d950f65f8da5deebb6a493e5c1b969ba23

MD5 hash:

e537335105d9322de87d1a9a1e606cf3

SHA1 hash:

8e7ceb1ab7f8b9e2a8ad8e7d2e9cd2b54c779e43

Link:

https://www.unpac.me/results/6bdcccb1-3235-4361-8821-aa8e348155bc/

SH256 hash:

da95abcfa8ceb585780cbe0332bdf15c1a80115c0d425e59cf56d3f46b9b87e7

MD5 hash:

d453eddda4cc19ae85190da07f8fdbb3

SHA1 hash:

e640e973c853c8a47d71aeb80415cade1948a84c

Link:

https://www.unpac.me/results/6bdcccb1-3235-4361-8821-aa8e348155bc/

SH256 hash:

5cb6e770edce0f3152dc1829bac2aff71be91ee7242260b32086ee7a3768483f

MD5 hash:

d429e3660bea179030351f62395ae4d4

SHA1 hash:

7a0a0dd6b4be9105033349168aa044f1d816cd66

Link:

https://www.unpac.me/results/6bdcccb1-3235-4361-8821-aa8e348155bc/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5cb6e770edce0f3152dc1829bac2aff71be91ee7242260b32086ee7a3768483f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

exe 5cb6e770edce0f3152dc1829bac2aff71be91ee7242260b32086ee7a3768483f

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1640605/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/195962/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample