MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6fa6caea53a25606c7e2991d370927d98bf3df093e77a0cea8816c30194afda0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6fa6caea53a25606c7e2991d370927d98bf3df093e77a0cea8816c30194afda0
SHA3-384 hash: 7c3c4ede659a1114cd5ffd37f75ef344d2ef9802d489d71b74b81412a408a571fb5f2b7a63351ad9dff65f3ac6f8b25c
SHA1 hash: 4fe3f1549a9ef0d6c1ff611a1a4f88cf17c8d8cb
MD5 hash: 434c4d6383148ec2d1e98e455ff2629b
humanhash: fix-idaho-michigan-lithium
File name:434c4d6383148ec2d1e98e455ff2629b
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'151'549 bytes
First seen:2021-07-22 06:31:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 24576:zR1Z3zKENzaOdXoQLTTONI4l272uRwbcFgC7Bd+JlnYe:t1ZOea2XoQfSNI4s72uRQ6u/nYe
Threatray 429 similar samples on MalwareBazaar
TLSH T1F335231ABFF5DD25F5E85EB2093E536590A9FCA16870D70F26207E0EBC361067C1C62A
dhash icon eaa3bf9b0f37b300 (2 x DanaBot)
Reporter zbetcheckin
Tags:32 DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
182
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
434c4d6383148ec2d1e98e455ff2629b
Verdict:
No threats detected
Analysis date:
2021-07-22 06:32:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1207a7e7-4110-4e90-9f76-5c932eec16a5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/173233/
Detection(s):
Win.Packed.Filerepmalware-9864117-0
Create hunting rule

Win.Packed.Stop-9872858-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
IntelRapid
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c841d119-972f-405a-bf75-646a27894a1b
Result
Threat name:
Clipboard Hijacker
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/819960
Signature
Contains functionality to register a low level keyboard hook
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Submitted sample is a known malware sample
System process connects to network (likely due to code injection or exploit)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Clipboard Hijacker
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 452371 Sample: 39pfFwU3Ns Startdate: 22/07/2021 Architecture: WINDOWS Score: 100 76 Found malware configuration 2->76 78 Multi AV Scanner detection for submitted file 2->78 80 Detected unpacking (changes PE section rights) 2->80 82 8 other signatures 2->82 11 39pfFwU3Ns.exe 25 2->11         started        14 SmartClock.exe 2->14         started        16 SmartClock.exe 2->16         started        process3 file4 54 C:\Users\user\AppData\Local\Temp\...\vpn.exe, PE32 11->54 dropped 56 C:\Users\user\AppData\Local\Temp\...\4.exe, PE32 11->56 dropped 58 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 11->58 dropped 60 3 other files (none is malicious) 11->60 dropped 18 vpn.exe 7 11->18         started        20 4.exe 4 11->20         started        process5 file6 23 cmd.exe 1 18->23         started        50 C:\Users\user\AppData\...\SmartClock.exe, PE32 20->50 dropped 26 SmartClock.exe 20->26         started        process7 signatures8 84 Submitted sample is a known malware sample 23->84 86 Obfuscated command line found 23->86 88 Uses ping.exe to sleep 23->88 90 Uses ping.exe to check the status of other devices and networks 23->90 28 cmd.exe 3 23->28         started        31 conhost.exe 23->31         started        process9 signatures10 92 Obfuscated command line found 28->92 94 Uses ping.exe to sleep 28->94 33 Lucca.exe.com 28->33         started        36 PING.EXE 1 28->36         started        39 findstr.exe 1 28->39         started        process11 dnsIp12 74 May check the online IP address of the machine 33->74 42 Lucca.exe.com 3 19 33->42         started        64 127.0.0.1 unknown unknown 36->64 52 C:\Users\user\AppData\Local\...\Lucca.exe.com, Targa 39->52 dropped file13 signatures14 process15 dnsIp16 66 ip-api.com 208.95.112.1, 49737, 80 TUT-ASUS United States 42->66 68 CmWKvzsSbtzjyybmv.CmWKvzsSbtzjyybmv 42->68 62 C:\Users\user\AppData\Local\...\vnxunjht.vbs, ASCII 42->62 dropped 46 wscript.exe 12 42->46         started        file17 process18 dnsIp19 70 iplogger.org 88.99.66.31, 443, 49739 HETZNER-ASDE Germany 46->70 72 192.168.2.1 unknown unknown 46->72 96 System process connects to network (likely due to code injection or exploit) 46->96 98 May check the online IP address of the machine 46->98 signatures20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6fa6caea53a25606c7e2991d370927d98bf3df093e77a0cea8816c30194afda0/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-07-22 06:32:04 UTC
AV detection:
18 of 46 (39.13%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0dbfcf05490597b25cd7e6abaf698d821b00301625a85b3f1ee8e75d8a090a49
DanaBot
135df51a2c255ab6c3614bc8ed4a32fdffbdf149e1f290bd845f08d8b77ec39a
DanaBot
2e150d7c07b1e33fec7acafa7c4d556c01ae2a8b41d67a80996bda3e71a312dd
DanaBot
2ea8a6e52838153831b064c6c9a797705e3acc60cfe34bdb237cbd8a360cc73b
DanaBot
396371c1ad1e04ac40a581cb49c0cb5f0480438f35a2a5e7b44446983acce75f
DanaBot
64797d37b57cc5a503f914a94995b7c830e4b2b52e535b8b53363355b739b38f
DanaBot
9aa483193350f8ce26b056d5d032a042a0c80104ad3f44107a89e13b9004adf8
DanaBot
abaaec80f4b0d2fccb5b2c09869a9f86628b987f7369abefce67108dd1982595
DanaBot
acf5a0702538d69871c917a13a45effbcc2dd9161578b270a6b56f8447062dbf
DanaBot
+ 419 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot botnet:4 banker discovery spyware stealer trojan
Link:
https://tria.ge/reports/210722-69a8wbncy6/
Behaviour
Checks processor information in registry
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Danabot
Malware Config
C2 Extraction:
142.11.244.124:443
142.11.206.50:443
Unpacked files
SH256 hash:
cae2af36f866fed9753ecc423bf1cfb3d1b5f2c3179dddc1715d6c896812d669
MD5 hash:
0fcc3d7408dfb7b31d8e36982dab298c
SHA1 hash:
6ebe13e8565ab5cfc7f8eac8973c156531b2a1e2
Link:
https://www.unpac.me/results/0cfbfb99-6f97-4524-9956-d30078bc6327/
SH256 hash:
f32a389d3099f60ebb5356543ead143bce02e4c77b0bf89d4bf7e05f0289fc1e
MD5 hash:
5ff44f40cd3ebc676b2429f606b04a02
SHA1 hash:
e71f85ba8de61c850c0d452d63add9d637ec6ad8
Link:
https://www.unpac.me/results/0cfbfb99-6f97-4524-9956-d30078bc6327/
SH256 hash:
88ff6ee31b04b56ee6e9cc512bae998c432cecb17054247e6b09bffd348a3952
MD5 hash:
c5c8da0c5e96a831b25e9565590d9b9a
SHA1 hash:
0a72b698a88b436ecbc5f70e897f4fc1bea5d7cb
Link:
https://www.unpac.me/results/0cfbfb99-6f97-4524-9956-d30078bc6327/
SH256 hash:
6fa6caea53a25606c7e2991d370927d98bf3df093e77a0cea8816c30194afda0
MD5 hash:
434c4d6383148ec2d1e98e455ff2629b
SHA1 hash:
4fe3f1549a9ef0d6c1ff611a1a4f88cf17c8d8cb
Link:
https://www.unpac.me/results/0cfbfb99-6f97-4524-9956-d30078bc6327/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6fa6caea53a25606c7e2991d370927d98bf3df093e77a0cea8816c30194afda0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 6fa6caea53a25606c7e2991d370927d98bf3df093e77a0cea8816c30194afda0

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1472789/
Cape
Cape
https://www.capesandbox.com/analysis/173233/

Comments


Avatar
zbet commented on 2021-07-22 06:31:28 UTC

url : hxxp://gurdgo06.top/downfiles/lv.exe