MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e1f0af96408d36f43a2325adc3b36fe795f9e579befdabd4210ede420c9905d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	7e1f0af96408d36f43a2325adc3b36fe795f9e579befdabd4210ede420c9905d
SHA3-384 hash:	991c8ed290830e6391b975c8529eae03b99b5d09ba3f0d2f5f52b654ebed4f41242a2905a380006bb95064ca39836d74
SHA1 hash:	7fb64960288a64b4fce3aee650d2d84efb9a8f8f
MD5 hash:	2ac6d3832ea60acf4e1bafe3ed4081a1
humanhash:	fanta-oranges-yankee-magazine
File name:	2ac6d3832ea60acf4e1bafe3ed4081a1.exe
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	1'915'392 bytes
First seen:	2021-11-21 11:05:00 UTC
Last seen:	2021-11-21 13:11:17 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f4dd2fc3c2bc0f7f37512a211d153f86 (2 x Smoke Loader, 1 x DanaBot, 1 x CryptBot)
ssdeep	49152:uQlnpoyJwlry1E5ck54NpY6Y9xARpeMyn1obTis6yHX:uQlnpoyeryui822U/tmIB6
Threatray	7'453 similar samples on MalwareBazaar
TLSH	T1489522106390C039E1F615B886A6A3A8F8FE7AB0A72415DF66D656EE5F306D0FC31347
File icon (PE):
dhash icon	5012b0e068696c46 (8 x RaccoonStealer, 8 x RedLineStealer, 6 x Smoke Loader)
Reporter	abuse_ch
Tags:	DanaBot exe

Intelligence

File Origin

# of uploads :

# of downloads :

432

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

2ac6d3832ea60acf4e1bafe3ed4081a1.exe

Verdict:

Malicious activity

Analysis date:

2021-11-21 11:06:47 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/55ea4b4e-724e-4c53-9ee0-0926736a03c5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Gathering data

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware2.12781.17097.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Searching for the window

Creating a file

Enabling the 'hidden' option for recently created files

DNS request

Sending a custom TCP request

Launching a process

Creating a process with a hidden window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/619a27e1398e2553d2ffb358/reports/98eac82a-5194-441b-8f83-57707a1dfc93/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7cc548f1-13f5-49f7-8b13-e30b76a695f9

Result

Threat name:

DanaBot

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/893272

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected DanaBot stealer dll

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7e1f0af96408d36f43a2325adc3b36fe795f9e579befdabd4210ede420c9905d/

Threat name:

Win32.Trojan.Strab

Status:

Malicious

First seen:

2021-11-21 11:05:06 UTC

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pypqv6lebdjw6q5cgjnnyozw7z4v7hsxtpx5vpkccdw6iigjsboq._file

Verdict:

malicious

DanaBot

42e22bf3a9630d312d795db190f16cb7f0d3b51b9903695ed678dfc190240345

DanaBot

4a22c0f9ba13ab18950c865a0d164a9840359712c76501e5f64f54e740441a79

DanaBot

4f4432ad4cc8c5d43dd2fe135717bdd65f417f91ada36cee4ae8f9af0269f8cb

DanaBot

8d535ed155eee819382c1ba943ea3839e72f649d5d7bcfc08fd62729be8159d3

DanaBot

bf9f271862092b781056603331a7f6a99f26aeefaa98dac48f607fd037487f81

DanaBot

f24001f95b70377e15a6153b8291eedc1f48e9552898c85d59daab3dc26aee88

DanaBot

+ 7'443 additional samples on MalwareBazaar

Result

Malware family:

danabot

Score:

10/10

Tags:

family:danabot banker trojan

Link:

https://tria.ge/reports/211121-m6vbjsdgen/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Loads dropped DLL

Danabot

Danabot Loader Component

Suspicious use of NtCreateProcessExOtherParentProcess

Malware Config

C2 Extraction:

142.11.244.223:443
23.106.122.139:443
192.119.110.73:443

Unpacked files

SH256 hash:

3051d1da2d04bffe8a21d8e6e2495d6b8d16415f4559964799275f5d236113fe

MD5 hash:

62e335711bf2eebb86208047a1e78226

SHA1 hash:

74231979e18270f11d0e11efd3571ed935e0cd22

Link:

https://www.unpac.me/results/1ac8e072-980b-48da-8b6c-1c67f38125a2/

SH256 hash:

a71434038bfc4dc2f3c8a92c38a7e271b97e8d6d5f9c3be92309df2ff8c50a92

MD5 hash:

12cf737d0b5cf1733d82750c7a47767c

SHA1 hash:

3b3bc7e2f23ec759dcaa7d54147d9a27b3fd243e

Link:

https://www.unpac.me/results/1ac8e072-980b-48da-8b6c-1c67f38125a2/

SH256 hash:

7e1f0af96408d36f43a2325adc3b36fe795f9e579befdabd4210ede420c9905d

MD5 hash:

2ac6d3832ea60acf4e1bafe3ed4081a1

SHA1 hash:

7fb64960288a64b4fce3aee650d2d84efb9a8f8f

Link:

https://www.unpac.me/results/1ac8e072-980b-48da-8b6c-1c67f38125a2/

Malware family:

BazarLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/7e1f0af96408/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7e1f0af96408d36f43a2325adc3b36fe795f9e579befdabd4210ede420c9905d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

exe 7e1f0af96408d36f43a2325adc3b36fe795f9e579befdabd4210ede420c9905d

(this sample)

Cape

https://www.capesandbox.com/analysis/207882/

URLhaus

https://urlhaus.abuse.ch/url/1772785/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample