MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 825d8e7afb11042951c61102a283326dfac5f1b0c6f990aadde69410ba250bba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	825d8e7afb11042951c61102a283326dfac5f1b0c6f990aadde69410ba250bba
SHA3-384 hash:	318f7e9fbb574d14f9a73919a97382d993898a8c4de07a2ec7de2e5be9353a85f070a68674fb8ff13e89864f1ab66d61
SHA1 hash:	86624e41f92eab4e30db0192720a095d92a6f16f
MD5 hash:	9345832a3823d9f08378ba32e4a179f5
humanhash:	vermont-wyoming-lithium-monkey
File name:	SecuriteInfo.com.Variant.Babar.111863.28690.26612
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	1'345'024 bytes
First seen:	2022-10-21 17:14:44 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	83aec8d33ff1d2ed6e490bde788f9850 (12 x Smoke Loader, 10 x RedLineStealer, 5 x CoinMiner)
ssdeep	24576:L2sTEwAcizJ5xMwYdMUi/LzaKFx61I8ufBzXYdpBL9miB1Mhm5KiszO:L2sTTMzJ5xMHdMUiyKF+7u5zXYdpZFL5
TLSH	T11A552321B581DC33E84EC8369075DB91BD70EC360456C68367B87B6E9D252E02BB778A
TrID	40.3% (.EXE) Win64 Executable (generic) (10523/12/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4505/5/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	5c599a3ce0c3c850 (43 x Stop, 37 x RedLineStealer, 36 x Smoke Loader)
Reporter	SecuriteInfoCom
Tags:	DanaBot exe

Intelligence

File Origin

# of uploads :

# of downloads :

358

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Variant.Babar.111863.28690.26612

Verdict:

No threats detected

Analysis date:

2022-10-21 17:15:30 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a04440e0-e866-4d98-9fe9-d66f9bb4391e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/322364/

Detection(s):

SecuriteInfo.com.Variant.Babar.111863.28690.26612.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Launching a process

Creating a process with a hidden window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

babar greyware lockbit packed smokeloader

Link:

https://www.filescan.io/uploads/6352d397b5f60e72b8c7c23f/reports/0bad8216-2ecd-4e03-9867-afc11adc75f6/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

DanaBot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b6fffa1c-fac5-446a-ab14-b4dfaf5154b2

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/825d8e7afb11042951c61102a283326dfac5f1b0c6f990aadde69410ba250bba/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2022-10-21 17:36:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=qjoy46x3ceccsuogcebkfazsnx5ml4nqy34zbkw542kbborfbo5a._file

Verdict:

malicious

Result

Malware family:

danabot

Score:

10/10

Tags:

family:danabot banker trojan

Link:

https://tria.ge/reports/221021-vsjxnagad2/

Behaviour

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Blocklisted process makes network request

Danabot

Malware Config

C2 Extraction:

23.106.124.171:443
149.3.170.160:443
213.227.155.103:443
103.187.26.147:443

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/88eb63c2-1a95-4ea8-8d86-dcc8ed917c13

Unpacked files

SH256 hash:

12dec9980d87bcb72b158f4969e738540418184d7cb593606aeaa583c7e23fd7

MD5 hash:

665c019c7e55de8f3294693a245e0d0e

SHA1 hash:

e84b4f4e959f19c9379ea11bffd77a19b0d8b256

Link:

https://www.unpac.me/results/430e3ae0-f252-4ce0-adb7-a526f8edf862/

SH256 hash:

825d8e7afb11042951c61102a283326dfac5f1b0c6f990aadde69410ba250bba

MD5 hash:

9345832a3823d9f08378ba32e4a179f5

SHA1 hash:

86624e41f92eab4e30db0192720a095d92a6f16f

Link:

https://www.unpac.me/results/430e3ae0-f252-4ce0-adb7-a526f8edf862/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/825d8e7afb11042951c61102a283326dfac5f1b0c6f990aadde69410ba250bba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	win_danabot_cdf38827 Create hunting rule
Author:	Johannes Bader
Description:	detects DanaBot

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

exe 825d8e7afb11042951c61102a283326dfac5f1b0c6f990aadde69410ba250bba

(this sample)

Cape

https://www.capesandbox.com/analysis/322364/

URLhaus

https://urlhaus.abuse.ch/url/2381482/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample