MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81f9e755ba26058922c5fdb70ead4d6d36c65e95d3bc59a44112c0dd1f928b0e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 81f9e755ba26058922c5fdb70ead4d6d36c65e95d3bc59a44112c0dd1f928b0e
SHA3-384 hash: 18459a95f9465e51617bb487f36ff21609108a8c64acfee3af6d0076db09a9af16adde4a2af1d1ff51191826fc066e19
SHA1 hash: 56d31a23594d12f9f0fdd3350a0a6b5bdcc4b980
MD5 hash: 25a6cb0f02405cdb54aef3696a91d405
humanhash: ten-cup-oven-fish
File name:25a6cb0f02405cdb54aef3696a91d405
Download: download sample
Signature DanaBot
Create hunting rule
File size:6'607'843 bytes
First seen:2021-09-09 06:39:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 196608:56NRS1fl4D//vZ1qeDG9p4nfQythL5mnnbrF:cHel4DiP98bibrF
Threatray 5'168 similar samples on MalwareBazaar
TLSH T1A6663308EDB2E4F6E1A43D78D879BED8862D65600125879FAE05CD823C56903DDF9E0F
dhash icon 48b876e6dc81e228 (1 x DanaBot)
Reporter zbetcheckin
Tags:32 DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
612
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://cracknet.net
Verdict:
Malicious activity
Analysis date:
2021-09-09 00:26:09 UTC
Tags:
evasion trojan rat azorult stealer raccoon loader fareit pony redline vidar danabot
Link:
https://app.any.run/tasks/3ce3f7e0-617e-4f17-a168-1a42a186a013

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/186504/
Detection(s):
Win.Packed.Filerepmalware-9864117-0
Create hunting rule

Win.Packed.Stop-9872858-0
Create hunting rule

Win.Packed.Doina-9886276-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a file in the %temp% subdirectories
Creating a window
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Deleting a recently created file
Searching for analyzing tools
Searching for the window
Creating a file in the %AppData% subdirectories
DNS request
Sending a UDP request
Connection attempt
Sending an HTTP GET request
Creating a file
Enabling autorun by creating a file
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ca7dc230-35da-4491-a01d-0448d404b8bf
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/847860
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 480291 Sample: UOB8x5iZ86 Startdate: 09/09/2021 Architecture: WINDOWS Score: 100 58 Multi AV Scanner detection for domain / URL 2->58 60 Antivirus / Scanner detection for submitted sample 2->60 62 Multi AV Scanner detection for submitted file 2->62 64 5 other signatures 2->64 7 UOB8x5iZ86.exe 25 2->7         started        10 IntelRapid.exe 2->10         started        13 IntelRapid.exe 2->13         started        process3 file4 32 C:\Users\user\AppData\Local\...\teemer.exe, PE32+ 7->32 dropped 34 C:\Users\user\AppData\Local\...\dosselvp.exe, PE32 7->34 dropped 36 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 7->36 dropped 38 3 other files (none is malicious) 7->38 dropped 15 dosselvp.exe 3 18 7->15         started        20 teemer.exe 4 7->20         started        76 Query firmware table information (likely to detect VMs) 10->76 78 Hides threads from debuggers 10->78 80 Tries to detect sandboxes / dynamic malware analysis system (registry check) 10->80 signatures5 process6 dnsIp7 42 ip-api.com 208.95.112.1, 49738, 80 TUT-ASUS United States 15->42 28 C:\Users\user\AppData\...\ltclnuemsgi.vbs, ASCII 15->28 dropped 46 Antivirus detection for dropped file 15->46 48 Multi AV Scanner detection for dropped file 15->48 50 Query firmware table information (likely to detect VMs) 15->50 56 3 other signatures 15->56 22 wscript.exe 12 15->22         started        44 192.168.2.1 unknown unknown 20->44 30 C:\Users\user\AppData\...\IntelRapid.exe, PE32+ 20->30 dropped 52 Hides threads from debuggers 20->52 54 Tries to detect sandboxes / dynamic malware analysis system (registry check) 20->54 26 IntelRapid.exe 20->26         started        file8 signatures9 process10 dnsIp11 40 iplogger.org 88.99.66.31, 443, 49739 HETZNER-ASDE Germany 22->40 66 System process connects to network (likely due to code injection or exploit) 22->66 68 May check the online IP address of the machine 22->68 70 Query firmware table information (likely to detect VMs) 26->70 72 Hides threads from debuggers 26->72 74 Tries to detect sandboxes / dynamic malware analysis system (registry check) 26->74 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/81f9e755ba26058922c5fdb70ead4d6d36c65e95d3bc59a44112c0dd1f928b0e/
Threat name:
Win32.Trojan.AntiVM
Create hunting rule
Status:
Malicious
First seen:
2021-09-09 06:40:18 UTC
AV detection:
21 of 45 (46.67%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
01b45d40b3c0e6eb46294b021f2a681572ae10e63b48a38c7e02efcf1ce24591
DanaBot
6a0d05477e23fc1152067fc51d50a044bccf0e0a0654dbae1864df792400e935
DanaBot
82986179159fb1244b89a23ab01b915fe1c24407712c156a087fe902572a4a8f
DanaBot
a1226fa2480bd40c0490b5ce5e1407f663a27cbbb77187d70dc8557d78d46c5c
DanaBot
a3acdf009a9db20af30be0c6fcdcdc27ad9db3ee9a84bc52d9e6f7d30ec42af2
DanaBot
c1a8d0767c3eee51e264da05003007415326296636a74e143056e7e2fea7dc51
DanaBot
c8b1c11bf16a1052dffb6942d955c31cdad7f0b154e1f855882d4d95359efa54
DanaBot
e13fb6156b386d9cea3a46c3835a97636ad0eeddda3b354f86f19915721638fc
DanaBot
f83b0cd39202e7040eae66dac5444eff5f9d878e3bb778613f1525aba2e3c5de
DanaBot
+ 5'158 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot banker evasion themida trojan
Link:
https://tria.ge/reports/210909-he9vpsahaq/
Behaviour
Checks processor information in registry
Modifies registry class
Modifies system certificate store
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Drops startup file
Loads dropped DLL
Themida packer
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Danabot
Danabot Loader Component
Unpacked files
SH256 hash:
cc6a5cc69fec94fdbec072312472784be06699685c79b7e2e84841a71df8d72a
MD5 hash:
925bae07645c7ce69085b8f89de1863f
SHA1 hash:
6098f99e1c424dd7225e15a51b7689be7ddf415a
Link:
https://www.unpac.me/results/3330698f-fe0a-4f28-a668-ccec5a9e5ce8/
SH256 hash:
81f9e755ba26058922c5fdb70ead4d6d36c65e95d3bc59a44112c0dd1f928b0e
MD5 hash:
25a6cb0f02405cdb54aef3696a91d405
SHA1 hash:
56d31a23594d12f9f0fdd3350a0a6b5bdcc4b980
Link:
https://www.unpac.me/results/3330698f-fe0a-4f28-a668-ccec5a9e5ce8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/81f9e755ba26058922c5fdb70ead4d6d36c65e95d3bc59a44112c0dd1f928b0e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 81f9e755ba26058922c5fdb70ead4d6d36c65e95d3bc59a44112c0dd1f928b0e

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/186504/
  
URLhaus
https://urlhaus.abuse.ch/url/1604580/

Comments


Avatar
zbet commented on 2021-09-09 06:39:14 UTC

url : hxxp://eloqos04.top/downfiles/lv.exe