MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7bf358e7bffe42b707987d1e14465a5fd91fb4468b8bb5cc2bda2fd95ef801d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7bf358e7bffe42b707987d1e14465a5fd91fb4468b8bb5cc2bda2fd95ef801d1
SHA3-384 hash: d9941b2caae48e267596e007677c9821665357c89f0744a3685ad936f3946ed8a59c34a2f6c201ec5753cd5f68ee080d
SHA1 hash: cd0aed133aa9ac7f9ce555b4edbf5e8e68d9ce98
MD5 hash: 1c38c0b56969a81e7adf89eac12e0d0e
humanhash: march-papa-fourteen-kilo
File name:1c38c0b56969a81e7adf89eac12e0d0e
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'144'320 bytes
First seen:2021-10-08 07:32:43 UTC
Last seen:2021-10-08 09:05:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0dd592f35b48076810a8314d458b6b4b (6 x RedLineStealer, 4 x Smoke Loader, 1 x OskiStealer)
ssdeep 24576:jiwbzIFNHEG4k69HYz9Dft4yiRLSOJPUTYfeJuvpWDME7Ks:jiwbUBF1sRJJMTzvF
Threatray 6'148 similar samples on MalwareBazaar
TLSH T1D435231036DAC033E66F26700A64CAA54B3FBE656772924F6BF211FD5E65382D62C307
File icon (PE):PE icon
dhash icon a1bcdcac9cccb484 (6 x RedLineStealer, 5 x RaccoonStealer, 3 x ArkeiStealer)
Reporter zbetcheckin
Tags:32 DanaBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
310
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1c38c0b56969a81e7adf89eac12e0d0e
Verdict:
Malicious activity
Analysis date:
2021-10-08 07:35:10 UTC
Tags:
trojan danabot
Link:
https://app.any.run/tasks/d29c48fa-88d0-4d89-b9b5-745138b5015c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DanaBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/196076/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.18261.16101.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Enabling the 'hidden' option for recently created files
Launching a process
Creating a process with a hidden window
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4c9ab402-a81b-4fce-9a57-975388e34d65
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/866944
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7bf358e7bffe42b707987d1e14465a5fd91fb4468b8bb5cc2bda2fd95ef801d1/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-10-08 07:26:01 UTC
File Type:
PE (Exe)
Extracted files:
31
AV detection:
26 of 28 (92.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ppzvrz577zblob4ypupbirs2l7mr7ncgrof3ltbl3ix5sxxyahiq._file
Verdict:
malicious
Similar samples:
0345531c814ad62c6c2c73de6fc6e540974fa5ddba3dcbeaa9a7850ad7929a76
DanaBot
0fa94fb3399528ee6652f3852baac8c399f267ed82ff74730881400494477a83
DanaBot
4b735599ef5aac480c58627f4b72af26cfe4b66c9a62ffd93998314ce27e9586
DanaBot
5d48b2614aaaebab4a97deafbd3117e2baa62aaf6a357003b10554e3caa60f5a
DanaBot
5f67a9e1b25d56cf1e7ba857b2cfc4be77db1e92ea8a32ee154e9322d96387f7
DanaBot
637d8c2a652b364d37a2d184e9e04ad252353370c9c1cb987410e6030dbdd5ae
DanaBot
889e79039dd2255f30d5e5244306b2b3c7108a4696478a4aeb6c9f3cc792b543
DanaBot
9c1060f235f5c568ca7461ead6d60926d416d18451b755efd3ab1465681e9d80
DanaBot
babcbf266a1bbb8c6ce3f339d767abb78821c0d71663186dafe7ada1da74e118
DanaBot
f66a32559056cd11d34d31ac48a4488de144daa4825d7292e85436601a177434
DanaBot
+ 6'138 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot botnet:4 banker collection discovery spyware stealer trojan
Link:
https://tria.ge/reports/211008-jdj4bsdfem/
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Danabot
Danabot Loader Component
Malware Config
C2 Extraction:
142.11.242.31:443
192.119.110.73:443
192.210.222.88:443
Unpacked files
SH256 hash:
7c4386b2dcb6aa06e3c5535411b17e728725563aec10a368b1bee8a5b8220a78
MD5 hash:
0a3dc3601e6f105a98315338aee8f9b0
SHA1 hash:
861a79d885fd7a3146a70651f11a5a09ddbb56b4
Link:
https://www.unpac.me/results/7b71614c-229e-489d-9443-3474539a5803/
SH256 hash:
5562e8e83bfb6b5b6711b019a280f85761d5ca68e39fc7d5ca3a720ad108e120
MD5 hash:
1b8e2b02d5eb41346cad299e1571cc87
SHA1 hash:
cf4ff5e75bb3ad214f0a3ff0de9252b337671f6a
Link:
https://www.unpac.me/results/7b71614c-229e-489d-9443-3474539a5803/
SH256 hash:
7bf358e7bffe42b707987d1e14465a5fd91fb4468b8bb5cc2bda2fd95ef801d1
MD5 hash:
1c38c0b56969a81e7adf89eac12e0d0e
SHA1 hash:
cd0aed133aa9ac7f9ce555b4edbf5e8e68d9ce98
Link:
https://www.unpac.me/results/7b71614c-229e-489d-9443-3474539a5803/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/7bf358e7bffe/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7bf358e7bffe42b707987d1e14465a5fd91fb4468b8bb5cc2bda2fd95ef801d1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 7bf358e7bffe42b707987d1e14465a5fd91fb4468b8bb5cc2bda2fd95ef801d1

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1660814/
  
URLhaus
https://urlhaus.abuse.ch/url/1640605/
Cape
Cape
https://www.capesandbox.com/analysis/196076/

Comments


Avatar
zbet commented on 2021-10-08 07:32:44 UTC

url : hxxp://192.210.222.82/boopa.exe