MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82bc6f68889198d36209583c8a97b02db75d123c9d550bda1c7f790ab2b049fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 82bc6f68889198d36209583c8a97b02db75d123c9d550bda1c7f790ab2b049fa
SHA3-384 hash: 2f1183308cf030d59e68263aa002aa3aefd2979759d24d6c132f23c1fa4db9d008d0c6db62b23c7475ddd3d9e60bcdb3
SHA1 hash: 88bc40170aa554bf3c7e17c5994ffcf62028a135
MD5 hash: c516067b40369f06a9616ea6eb4962ee
humanhash: johnny-mobile-texas-october
File name:c516067b40369f06a9616ea6eb4962ee
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'115'648 bytes
First seen:2021-08-18 00:48:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash eb816bdcb34642ae497d2f004d3c6914 (3 x RedLineStealer, 1 x DanaBot, 1 x Smoke Loader)
ssdeep 24576:evYSJHbQl1JXKYEGjrtU78yZXMUsNoKm6oQ/vozSml:oBJEBXKYEucHJMjoKm6oQYD
Threatray 4'093 similar samples on MalwareBazaar
TLSH T1D03523007581EA71CA8324B10462B7D596B8FD41EA499F577B9E3E0F2FB03E1D36A352
dhash icon 1036787872767e36 (4 x DanaBot, 3 x Smoke Loader, 2 x RaccoonStealer)
Reporter zbetcheckin
Tags:32 DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
234
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c516067b40369f06a9616ea6eb4962ee
Verdict:
Malicious activity
Analysis date:
2021-08-18 00:48:27 UTC
Tags:
trojan danabot
Link:
https://app.any.run/tasks/69dd9117-7379-4061-9315-1a472ff9ebd7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/180172/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.2577.6597.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file
Enabling the 'hidden' option for recently created files
Launching a process
Creating a process with a hidden window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e7aafce5-70d0-4aca-bf3b-1cc55ec64020
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
bank.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/834795
Signature
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Enables a proxy for the internet explorer
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sets a proxy for the internet explorer
Sigma detected: Suspicious Script Execution From Temp Folder
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Uses nslookup.exe to query domains
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 467226 Sample: U59er0YYuv Startdate: 18/08/2021 Architecture: WINDOWS Score: 100 56 Found malware configuration 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 Yara detected DanaBot stealer dll 2->60 62 3 other signatures 2->62 9 U59er0YYuv.exe 1 2->9         started        process3 file4 44 C:\Users\user\Desktop\U59ER0~1.EXE.tmp, PE32 9->44 dropped 74 Detected unpacking (changes PE section rights) 9->74 13 rundll32.exe 2 9->13         started        signatures5 process6 dnsIp7 50 23.229.29.48, 443, 49704, 49712 SERVER-MANIACA Canada 13->50 76 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 13->76 78 Bypasses PowerShell execution policy 13->78 80 Uses schtasks.exe or at.exe to add and modify task schedules 13->80 17 rundll32.exe 10 24 13->17         started        signatures8 process9 dnsIp10 46 127.0.0.1 unknown unknown 17->46 48 192.168.2.1 unknown unknown 17->48 42 C:\Users\user\AppData\...\tmp7CA8.tmp.ps1, ASCII 17->42 dropped 64 System process connects to network (likely due to code injection or exploit) 17->64 66 Tries to harvest and steal browser information (history, passwords, etc) 17->66 68 Sets a proxy for the internet explorer 17->68 70 Enables a proxy for the internet explorer 17->70 22 powershell.exe 14 17->22         started        25 powershell.exe 17 17->25         started        27 schtasks.exe 1 17->27         started        29 schtasks.exe 1 17->29         started        file11 signatures12 process13 signatures14 72 Uses nslookup.exe to query domains 22->72 31 nslookup.exe 1 22->31         started        34 conhost.exe 22->34         started        36 conhost.exe 25->36         started        38 conhost.exe 27->38         started        40 conhost.exe 29->40         started        process15 dnsIp16 52 localhost 31->52 54 8.8.8.8.in-addr.arpa 31->54
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/82bc6f68889198d36209583c8a97b02db75d123c9d550bda1c7f790ab2b049fa/
Threat name:
Win32.Trojan.Zenpak
Create hunting rule
Status:
Malicious
First seen:
2021-08-18 00:49:04 UTC
AV detection:
13 of 28 (46.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qk6g62eisgmngyqjla6ivf5qfw3v2er4tvkqxwq4p54qvmvqjh5a._file
Verdict:
malicious
Similar samples:
4dbfdae091635ba9e56b2b0c4b25523e5e16e373786cfaa3065e0cea730746fb
DanaBot
55afea44e72acc36665531748a70a7b18cac5c9dfe49e1dda387cad2117b0486
DanaBot
a8680038c75e6993676a00c71a848abdd7def427d731ee7d46f9c583c37f6c2a
DanaBot
ac783ad55fbc3133892c6df4490d701b9493020971c95dae47983721115d6842
DanaBot
ad2c6dbce9ba2f0e44e632fea78a573eba6ebfb6f70303653b4ac046b32604eb
DanaBot
b1bcbf1efe10f8ea0f6133f664602c918c4a30d06f662c872791f990164054e5
DanaBot
b49b80f454063b976c97471ed7668ef31b95c97611b97c0eff87b0061048be7e
DanaBot
bdd0c7cbefda7e06ae77b73b86f97ce92ec35be89de53681f6aa9c8b6f1467d0
DanaBot
caeba1910c89f2122e91e962d96987421b822487681d549bcf9d3118d1b87bb4
DanaBot
e19738a89a329be01099695a221c0d9885a728980cae42bed7625116469b4608
DanaBot
+ 4'083 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot botnet:4 banker discovery spyware stealer trojan
Link:
https://tria.ge/reports/210818-xfddf5af26/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Danabot
Danabot Loader Component
Malware Config
C2 Extraction:
23.229.29.48:443
152.89.247.31:443
192.210.222.81:443
Unpacked files
SH256 hash:
2a8fed74f6c4415bfd0fc497c1567051cc0b765bc78335785f26400d14558497
MD5 hash:
c575b9c67f1e6644144efb5d4af59925
SHA1 hash:
0b511743facc96a020ae8888e25497d116d9b616
Link:
https://www.unpac.me/results/cee6bf90-6e55-4542-a756-66ec8fff4ba7/
SH256 hash:
e338fd5186014462d2108383a3da62a100e5b075c496c1b0b61db184a75646cf
MD5 hash:
e7303553d24b6fd2d00bfbd336b6f14e
SHA1 hash:
4da3a9b017acdd13acc878bc731755d409dfe979
Link:
https://www.unpac.me/results/cee6bf90-6e55-4542-a756-66ec8fff4ba7/
SH256 hash:
82bc6f68889198d36209583c8a97b02db75d123c9d550bda1c7f790ab2b049fa
MD5 hash:
c516067b40369f06a9616ea6eb4962ee
SHA1 hash:
88bc40170aa554bf3c7e17c5994ffcf62028a135
Link:
https://www.unpac.me/results/cee6bf90-6e55-4542-a756-66ec8fff4ba7/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/82bc6f688891/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/82bc6f68889198d36209583c8a97b02db75d123c9d550bda1c7f790ab2b049fa

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 82bc6f68889198d36209583c8a97b02db75d123c9d550bda1c7f790ab2b049fa

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1490082/
  
URLhaus
https://urlhaus.abuse.ch/url/1495647/
  
URLhaus
https://urlhaus.abuse.ch/url/1543037/
Cape
Cape
https://www.capesandbox.com/analysis/180172/

Comments


Avatar
zbet commented on 2021-08-18 00:48:12 UTC

url : hxxp://192.236.155.36/svhostss.exe