MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b5ac8a36a41a1220a049752119417478afd1ac433ac5b2da0e7c9560b38c52e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 8


Intelligence 8 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6b5ac8a36a41a1220a049752119417478afd1ac433ac5b2da0e7c9560b38c52e
SHA3-384 hash: f94b97dee459ff60422cf6370713648458eb967ff576a5794722779265f3520bac202d836cfd4ee221f39af93db73f24
SHA1 hash: cc7a76ae3c1ff7414e77388bd5b7d96a95924d0f
MD5 hash: 4016e44a7f43921419b3a97718f556d1
humanhash: west-california-equal-ack
File name:4016e44a7f43921419b3a97718f556d1.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:6'221'824 bytes
First seen:2021-03-24 14:39:24 UTC
Last seen:2021-03-24 16:54:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 941b6010fb7dcc33b618e934797c0d8d (1 x RaccoonStealer, 1 x DanaBot, 1 x FickerStealer)
ssdeep 98304:JCF7sPo3S8efuWCKSwDRiFTo16uuMOc3fZBpTTK7UwX3iOd18MIuI83CkzGbli/y:w7RIuWWuPTfdTK7US3iOd+MIuVt84T1w
Threatray 33 similar samples on MalwareBazaar
TLSH 4E56336562D9C226CAE38131813AD7F05F3F34707A69A19EB7A4197E3F01BE3512934E
Reporter abuse_ch
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
330
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4016e44a7f43921419b3a97718f556d1.exe
Verdict:
No threats detected
Analysis date:
2021-03-24 23:26:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e550ec1a-2282-45be-956f-672a33c82d98

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Mal.Gen.19255.4551.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Launching a process
Creating a process with a hidden window
Sending a UDP request
Creating a file in the %temp% directory
Changing a file
Modifying an executable file
Sending a custom TCP request
Connection attempt
Sending a TCP request to an infection source
Infecting executable files
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/652372
Signature
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6b5ac8a36a41a1220a049752119417478afd1ac433ac5b2da0e7c9560b38c52e/
Threat name:
Win32.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-03-24 11:47:20 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nnnmri3kigqsecqes5jbdfaxi6fp2gwegowfwlna47evmczyyuxa._file
Verdict:
malicious
Similar samples:
1868df90ac6a9c1a2b6cc97365ba68afb3f849d3293c9d4f7f01651a694af863
DanaBot
5288d023c4a8127ed105f7d8b9142aab47dc505efc5b6a81e8c9367f0465c03a
DanaBot
57357b402876a772f39631c930062011532774d893b69eb9c66ee3b1d3867b1a
DanaBot
5f8bbd5b165b49e1cadf31a88eb1d0e714c60f77ae81da2e727dd4ca99e80aec
DanaBot
7ceb6d9e04042cd53b9c374e69cbf22e05edff6571a01610b844963d881e1057
DanaBot
91aba74042505ab4b44295a886987e140510d6d9a38212e36e40f2433d64afcd
DanaBot
9557feef95067f3447bd79cbfbb2910782b44f9a0ca579d2bc7e0877cb72dc48
DanaBot
aca06c84c79542c68aee34141e53d43e865d9d0cce2fab122270cf7c230dca77
DanaBot
c86daf6acf8e6431c50a2b8f6d123b42da7c5fa9fce232438873d45079059591
DanaBot
e1043b597d99a6553919b8e0d8e265aa6dd2f2004d63c57686d3e4dfca13505e
DanaBot
+ 23 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210324-6f6619smea/
Unpacked files
SH256 hash:
e5883c440d9b4b0d06369665a825e70152fe796f8d16077b0a884b8bc23300fc
MD5 hash:
97687a78eced7b16640a2b02da73518b
SHA1 hash:
35956359cf25ea197f9ea0a0c76346aa8b34f6a8
Link:
https://www.unpac.me/results/83d9abbe-662b-4aae-aaa1-847c548a706c/
SH256 hash:
2b8117716244771396e497752d4acd3dd457f8075527076d6b53b857b9b2ee00
MD5 hash:
781e3211430416ab3e09eaa7e609805f
SHA1 hash:
9feb13b740519bc131851bbb278f948bd1d09e76
Link:
https://www.unpac.me/results/83d9abbe-662b-4aae-aaa1-847c548a706c/
SH256 hash:
86ae5b33931c65515c845dc921880f1a3c90fc756a75df7c839243f904123ed1
MD5 hash:
055ded9efd3cabadf9c7c6a39368fef4
SHA1 hash:
347dc688618b10e3a08d73f385307d258ce3abe0
Link:
https://www.unpac.me/results/83d9abbe-662b-4aae-aaa1-847c548a706c/
SH256 hash:
5e35a94399a94e96d332739e250b6231f39164c7b7964b5dbdd2dfbe449846f0
MD5 hash:
45c48bdfce5691c55c186cd90a1a9d98
SHA1 hash:
bfa7d2fa3ce0c74f8a54ca3103929888053644c3
Link:
https://www.unpac.me/results/83d9abbe-662b-4aae-aaa1-847c548a706c/
SH256 hash:
6b5ac8a36a41a1220a049752119417478afd1ac433ac5b2da0e7c9560b38c52e
MD5 hash:
4016e44a7f43921419b3a97718f556d1
SHA1 hash:
cc7a76ae3c1ff7414e77388bd5b7d96a95924d0f
Link:
https://www.unpac.me/results/83d9abbe-662b-4aae-aaa1-847c548a706c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6b5ac8a36a41a1220a049752119417478afd1ac433ac5b2da0e7c9560b38c52e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:hunt_skyproj_backdoor
Create hunting rule
Author:SBousseaden
Reference:https://unit42.paloaltonetworks.com/unit42-prince-persia-ride-lightning-infy-returns-foudre/
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:@ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePasswor
Create hunting rule
Author:ditekSHen
Description:Detects PowerShell content designed to retrieve passwords from host
Rule name:INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePassword
Create hunting rule
Author:ditekSHen
Description:Detects PowerShell content designed to retrieve passwords from host
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_DanaBot
Create hunting rule
Author:ditekSHen
Description:Detects DanaBot variants
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Stealer_word_in_memory
Create hunting rule
Author:James_inthe_box
Description:The actual word stealer in memory
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 6b5ac8a36a41a1220a049752119417478afd1ac433ac5b2da0e7c9560b38c52e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1087755/
  
Delivery method
Distributed via web download

Comments