MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f4ac0da343abb9dd25d7a27c302a6ab29ed9e7c49123b3c8200138abd3eaea5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6f4ac0da343abb9dd25d7a27c302a6ab29ed9e7c49123b3c8200138abd3eaea5
SHA3-384 hash: 058ecefd2c839c7653ba0c21a872b65409688e417ad86dcc89a7e2a3a7e598709a0fabd4e957b39bb89f8ca86d1fac6b
SHA1 hash: b86f8aeddddd245f0198ad92ff6cee605cbe1d4e
MD5 hash: 07ab47ba492cb4ce3b9255ecbfb543f7
humanhash: blossom-california-lion-moon
File name:07ab47ba492cb4ce3b9255ecbfb543f7
Download: download sample
Signature DanaBot
Create hunting rule
File size:3'137'354 bytes
First seen:2021-11-13 05:01:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 49152:fb1ZTEb66GZQJAaYqh3owdV+xYtb/Khu0Ar51hRzEHgR8wfXhxld4sl9O3/TvHv0:5ZQ+6uQhYEom+mtkQ1hRwH2X9i/vFO
Threatray 493 similar samples on MalwareBazaar
TLSH T1D5E533039F91A02FE2656F35A3A08B173FB5DB582774EB0D13014ABA3E13B559C4866F
File icon (PE):PE icon
dhash icon 696ce6d2ecf8f1d4 (2 x RemcosRAT, 1 x DanaBot, 1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
450
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/205400/
Detection(s):
Win.Packed.Filerepmalware-9864117-0
Create hunting rule

Win.Packed.Stop-9872858-0
Create hunting rule

Win.Packed.Doina-9886276-0
Create hunting rule

Win.Packed.Pwsx-9901330-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a file in the Program Files subdirectories
Deleting a recently created file
Creating a process from a recently created file
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed swisyn virus wacatac
Link:
https://www.filescan.io/uploads/618f46cd3edf00a722d17008/reports/a9e7b2fb-5b20-49e2-a3a3-f35ef1690881/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/156de1d4-1dd1-4b02-8d87-d004671a73a6
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/888472
Signature
Antivirus detection for dropped file
Detected unpacking (creates a PE file in dynamic memory)
Hides threads from debuggers
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 520945 Sample: 4rWrWGe8fH Startdate: 13/11/2021 Architecture: WINDOWS Score: 100 57 Multi AV Scanner detection for dropped file 2->57 59 Multi AV Scanner detection for submitted file 2->59 61 Detected unpacking (creates a PE file in dynamic memory) 2->61 63 4 other signatures 2->63 7 4rWrWGe8fH.exe 25 2->7         started        10 DpEditor.exe 2->10         started        12 DpEditor.exe 2->12         started        process3 file4 27 C:\Users\user\AppData\Local\...\orihonvp.exe, PE32 7->27 dropped 29 C:\Users\user\AppData\Local\...\nasial.exe, MS-DOS 7->29 dropped 31 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 7->31 dropped 33 3 other files (none is malicious) 7->33 dropped 14 orihonvp.exe 3 18 7->14         started        19 nasial.exe 7 7->19         started        process5 dnsIp6 43 ip-api.com 208.95.112.1, 49741, 80 TUT-ASUS United States 14->43 35 C:\Users\user\AppData\Local\...\hnhvpxrr.vbs, ASCII 14->35 dropped 45 Antivirus detection for dropped file 14->45 47 Multi AV Scanner detection for dropped file 14->47 49 Query firmware table information (likely to detect VMs) 14->49 55 4 other signatures 14->55 21 wscript.exe 12 14->21         started        37 C:\Users\user\AppData\...\DpEditor.exe, MS-DOS 19->37 dropped 51 Detected unpacking (creates a PE file in dynamic memory) 19->51 53 Machine Learning detection for dropped file 19->53 25 DpEditor.exe 1 2 19->25         started        file7 signatures8 process9 dnsIp10 39 iplogger.org 88.99.66.31, 443, 49742 HETZNER-ASDE Germany 21->39 41 192.168.2.1 unknown unknown 21->41 65 System process connects to network (likely due to code injection or exploit) 21->65 67 May check the online IP address of the machine 21->67 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6f4ac0da343abb9dd25d7a27c302a6ab29ed9e7c49123b3c8200138abd3eaea5/
Threat name:
Win32.Spyware.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-11-13 04:32:56 UTC
AV detection:
22 of 27 (81.48%)
Threat level:
  2/5
Verdict:
malicious
Similar samples:
0416ac4ffcec3299fa96d3db1837fe245fb398890abc1e19481485503fcaa679
DanaBot
0822897c3336073faf73fa391193ea15f55de51aa36d63433a9e794127c34576
DanaBot
32c6d9d772bf954b06f37b26d1b431aae37d1ff160747cce69d165db62643d49
DanaBot
3afb94af10e2fae81d10a10c089362e6eac18d1a84a2c24c5fb6003e402931a7
DanaBot
64b608dd4724d90e85149b4b450fc86f7a258da04095e9e8cff77a7ee5645b29
DanaBot
aa88fc6977bf02c959ffa6865b99eeee8c1735001f824d1bbcc4ff01d93fbb74
DanaBot
bf45b415add34c4a9cfd28e2f0060a5771b452a290d4807cc66e5e0355b014c0
DanaBot
d80ff2378e1da1fcdf9f21f57c5498b4f55ded34c425b6bf91f489319336a8e6
DanaBot
e917d16aa3c2d421903d598a6c993da5e76ea3e393e460af5c8d6388a3c3c95f
DanaBot
+ 483 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot banker evasion themida trojan
Link:
https://tria.ge/reports/211113-fn5agaefb7/
Behaviour
Checks processor information in registry
Modifies registry class
Modifies system certificate store
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Loads dropped DLL
Themida packer
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Danabot
Danabot Loader Component
Malware Config
C2 Extraction:
192.119.110.73:443
192.236.147.206:443
192.236.192.201:443
Unpacked files
SH256 hash:
83d96324bdf8182215da7e4da3915291338ec0fd524a234dfad182ddbfe0a4ef
MD5 hash:
f9883608f53e3c853230060cc77258ea
SHA1 hash:
e8ff2019f32f6a207b41376a5e74224e0d3eb764
Link:
https://www.unpac.me/results/6ee52433-51a5-4b92-93a7-928112fa53cd/
SH256 hash:
f2f7b15bb100f6624fa1c618f5cebf562561f3c8383762de23451745965e14d7
MD5 hash:
4340c5769e451991de61023d29ff31e2
SHA1 hash:
4b05ec86260b44d8f5cb258623403d4a63ba928a
Link:
https://www.unpac.me/results/6ee52433-51a5-4b92-93a7-928112fa53cd/
SH256 hash:
270abb843297d30d838604e1ad9fbae466ac0e49e4e4bdf01784eae7733b83b1
MD5 hash:
d35518e5d93a919be831bde3cdb811ea
SHA1 hash:
05cb0161f41001ac4e1a421fbdfcaca3dfffc12d
Link:
https://www.unpac.me/results/6ee52433-51a5-4b92-93a7-928112fa53cd/
SH256 hash:
6f4ac0da343abb9dd25d7a27c302a6ab29ed9e7c49123b3c8200138abd3eaea5
MD5 hash:
07ab47ba492cb4ce3b9255ecbfb543f7
SHA1 hash:
b86f8aeddddd245f0198ad92ff6cee605cbe1d4e
Link:
https://www.unpac.me/results/6ee52433-51a5-4b92-93a7-928112fa53cd/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 6f4ac0da343abb9dd25d7a27c302a6ab29ed9e7c49123b3c8200138abd3eaea5

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1782073/
Cape
Cape
https://www.capesandbox.com/analysis/205400/

Comments


Avatar
zbet commented on 2021-11-13 05:01:39 UTC

url : hxxp://xetdyf17.top/downfiles/kubera.exe