MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f67a9e1b25d56cf1e7ba857b2cfc4be77db1e92ea8a32ee154e9322d96387f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 9



SHA256 hash: 5f67a9e1b25d56cf1e7ba857b2cfc4be77db1e92ea8a32ee154e9322d96387f7
SHA3-384 hash: b54a92a93d11a17543df315025c0f94d3f7563acc61c2747d4658818bceaffab614ad478fcda2d6b2cc8251c53440afb
SHA1 hash: 69dfd12c7df066389d1cf48ee17619ce03289263
MD5 hash: 8e569bc871b8364669e122b63dda8399
humanhash: apart-nitrogen-nineteen-cardinal
File name: 8e569bc871b8364669e122b63dda8399
Signature: DanaBot
File size: 1'218'560 bytes
First seen: 2021-10-04 18:44:03 UTC
Last seen: 2021-10-04 19:57:44 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 820638e32882fc55584544cedf889893 (6 x RaccoonStealer, 1 x RedLineStealer, 1 x CoinMiner)
ssdeep: 24576:Qr0NQtHQ+I8JqdGmbTXgpDDhJ8BD1gNZNZANDuRrPNiKQ//j36L:QYNQtHQ+idGmbTXgpHhJ8BD1UvANDorN
Threatray: 5'968 similar samples on MalwareBazaar
TLSH: T1764522193081C7B6E2B905315B07C7E0466EFC6C2F69AA8FB395176E8E752C2D369312
dhash icon: fcfcd4f4d4dcd8c0 (34 x RaccoonStealer, 21 x RedLineStealer, 8 x ArkeiStealer)
Reporter: zbetcheckin
Tags: 32 DanaBot exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 596
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Suspicious
Maliciousness:
Behaviour
Creating a file
Enabling the 'hidden' option for recently created files
Launching a process
Creating a process with a hidden window
Malware family: Malicious Packer
Verdict: Malicious
Result
Threat name: DanaBot
Detection: malicious
Classification: troj.evad
Score: 88 / 100
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
System process connects to network (likely due to code injection or exploit)
Yara detected DanaBot stealer dll
Threat name: Win32.Trojan.Fragtor
Status: Malicious
First seen: 2021-10-04 18:44:12 UTC
AV detection: 16 of 28 (57.14%)
Threat level: 5/5
Result
Malware family: danabot
Score: 10/10
Tags: family:danabot botnet:4 banker discovery spyware stealer trojan
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Danabot
Danabot Loader Component
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
142.11.242.31:443
192.119.110.73:443
192.210.222.88:443
Unpacked files

SHA256 hash: f7c11ed57af9661349282bc5be44f41c3d45379e013bad2e13ba45e721d07e99
MD5 hash: 45fb7c39ada07fe51bd593507be6c93a
SHA1 hash: dfdf1665fc0c6cff60d59e89504296aafd2d944e

SHA256 hash: 246769e35f571463fcd9fa79f4603936b1ba97b9b75688038f85548aa3b8cbbe
MD5 hash: 2183c59248a693b06816870ea0e1b11c
SHA1 hash: 637508f9b04990fb88760e25ddbab4c735d29184

SHA256 hash: 5f67a9e1b25d56cf1e7ba857b2cfc4be77db1e92ea8a32ee154e9322d96387f7
MD5 hash: 8e569bc871b8364669e122b63dda8399
SHA1 hash: 69dfd12c7df066389d1cf48ee17619ce03289263
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: DanaBot
File: Executable exe 5f67a9e1b25d56cf1e7ba857b2cfc4be77db1e92ea8a32ee154e9322d96387f7 (this sample)

Comments



zbet commented on 2021-10-04 18:44:03 UTC

url: hxxp://88.99.21.170/root.exe