MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d3b2e91c3cfb16df02f63b973c69a2047b8031295a49e4fffa0fad3dba975f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot
Vendor detections: 13

SHA256 hash: 7d3b2e91c3cfb16df02f63b973c69a2047b8031295a49e4fffa0fad3dba975f0
SHA3-384 hash: 6e312ec4b160ffde5673545568e8e086d65a87299e2ad527714bd146d3aacb1ca33c14fee6a4e3330ad1978413c9eb5d
SHA1 hash: ee9da83f51b904db29d14847a013c4cff7ea6711
MD5 hash: f8151b5d4c4e62166a8c2e914f54cbb7
humanhash: cold-artist-autumn-maine
File name: f8151b5d4c4e62166a8c2e914f54cbb7
Signature: DanaBot
File size: 1'164'800 bytes
First seen: 2022-01-08 16:08:12 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3f07075ef838296be9ff2ad3cf3a6bc2 (2 x RedLineStealer, 1 x KPOTStealer, 1 x ArkeiStealer)
ssdeep: 24576:xEsbnZPBs/qcdQHsqWr+c6NKuSOxHsKRKUkMwlxCQ9Z4h:xvzZPBs/qOQHPWr+cEKR6MKRKxMwXj9M
Threatray: 482 similar samples on MalwareBazaar
TLSH: T1C645236033F2D830E8F649B10575D7E19E3FF8421510925EBB18339A5F73DA66A2A327
dhash icon: fcfcf4d4d4d4d8c0 (41 x RedLineStealer, 30 x RaccoonStealer, 9 x Smoke Loader)
Reporter: zbetcheckin
Tags: 32 DanaBot exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 630
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: f8151b5d4c4e62166a8c2e914f54cbb7
Verdict: Malicious activity
Analysis date: 2022-01-08 16:13:36 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Suspicious
Maliciousness:

Behaviour
Creating a file
Enabling the 'hidden' option for recently created files
DNS request
Launching a process
Creating a process with a hidden window

Result
Malware family: n/a
Score: 9/10
Tags: n/a
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
CPUID_Instruction
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware packed tofsee
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: DanaBot
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected DanaBot stealer dll
Threat name: Win32.Packed.Generic
Status: Suspicious
First seen: 2022-01-08 15:50:43 UTC
File Type: PE (Exe)
Extracted files: 24
AV detection: 23 of 28 (82.14%)
Threat level: 1/5

Result
Malware family: danabot
Score: 10/10
Tags: family:danabot botnet:4 banker trojan
Behaviour
Suspicious use of WriteProcessMemory
Loads dropped DLL
Danabot
Danabot Loader Component
Malware Config
C2 Extraction:
192.119.110.4:443
192.236.194.72:443
Unpacked files
SHA256 hash: 916fe5393412e45decc9e4af37255738dec2386602b3fdc9123689e471b1792f
MD5 hash: cb279827ba2fbad4255549af48dbf33c
SHA1 hash: eadd809914b9756d8f89bacf17637dab25156045

SHA256 hash: 46610fba93612d077a1ec40bd7176a1329713766077708ef4228d3994e32fdac
MD5 hash: 28082b3c42b9b2261c903a793dfc1c4b
SHA1 hash: 2b761a0b4c042ad536b2273fd6646d00497b84fe

SHA256 hash: 7d3b2e91c3cfb16df02f63b973c69a2047b8031295a49e4fffa0fad3dba975f0
MD5 hash: f8151b5d4c4e62166a8c2e914f54cbb7
SHA1 hash: ee9da83f51b904db29d14847a013c4cff7ea6711
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  DanaBot
    Executable exe 7d3b2e91c3cfb16df02f63b973c69a2047b8031295a49e4fffa0fad3dba975f0 (this sample)

Delivery method: Distributed via web download

Comments

zbet commented on 2022-01-08 16:08:13 UTC

url : hxxp://152.89.247.194/permit.exe