MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 897a894564a26c39e18d2e23369815d5b088f218ce0be2516cda74a6d13c87f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	897a894564a26c39e18d2e23369815d5b088f218ce0be2516cda74a6d13c87f7
SHA3-384 hash:	4d1566f53169d119508317ec24a177efa25e06ec15df5bd3612eae7d0ec50053d9d06a51aca8f5cf9137f45cb8eb9cf0
SHA1 hash:	6466a6bd10b724cb385535eef5f74fe77563f1e3
MD5 hash:	3834e42821256917ff876c71169ebab0
humanhash:	paris-avocado-one-wolfram
File name:	3834e42821256917ff876c71169ebab0.exe
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	1'221'120 bytes
First seen:	2021-10-08 04:50:58 UTC
Last seen:	2021-10-08 06:10:35 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	54bf62ec6910c4bfd61455c421ef149b (4 x RedLineStealer, 3 x RaccoonStealer, 3 x ArkeiStealer)
ssdeep	24576:LM+nbnG9sJmkNLQeulS00YHgLi1WxLuVuzUmjf4L2qat2a40MGye:L7TGK02SlmK+LuQIa4LCt2ah
Threatray	6'056 similar samples on MalwareBazaar
TLSH	T1CE451210E7A0C034F4B752F4567AA7BDA92E39E0972884CF62D41AEA8775BD0EC31717
File icon (PE):
dhash icon	e8e8e8e8aa66a499 (51 x RaccoonStealer, 27 x ArkeiStealer, 22 x RedLineStealer)
Reporter	abuse_ch
Tags:	DanaBot exe

Intelligence

File Origin

# of uploads :

# of downloads :

288

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

3834e42821256917ff876c71169ebab0.exe

Verdict:

Malicious activity

Analysis date:

2021-10-08 05:04:10 UTC

Tags:

trojan danabot

Link:

https://app.any.run/tasks/c686e6ab-f1ee-4d5f-9468-1a758c53a921

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/196028/

Detection(s):

SecuriteInfo.com.Artemis3834E4282125.22665.3326.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Enabling the 'hidden' option for recently created files

Launching a process

Creating a process with a hidden window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/615fce3db95458900cdee19d/reports/90f9d278-f2c1-4cc6-84da-9e4913e45875/overview

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3c38e169-f79e-45ac-9113-1c7ffe05ba99

Result

Threat name:

DanaBot

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/866859

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected DanaBot stealer dll

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/897a894564a26c39e18d2e23369815d5b088f218ce0be2516cda74a6d13c87f7/

Threat name:

Win32.Packed.Generic

Status:

Suspicious

First seen:

2021-10-07 19:40:12 UTC

AV detection:

13 of 28 (46.43%)

Threat level:

1/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=rf5isrleujwdtymnfyrtngav2wyir4qyzyf6eulm3j2knuj4q73q._file

Verdict:

malicious

Result

Malware family:

danabot

Score:

10/10

Tags:

family:danabot banker trojan

Link:

https://tria.ge/reports/211008-fgt6xsddgn/

Behaviour

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Loads dropped DLL

Blocklisted process makes network request

Danabot

Danabot Loader Component

Malware Config

C2 Extraction:

142.11.242.31:443
192.119.110.73:443
192.210.222.88:443

Unpacked files

SH256 hash:

b1785d7d9c1741781e0a9fd85c4dbeabdbcfb6c6de8b572e97350cb8b80c184b

MD5 hash:

39116dbb2376cf27afed782559d57d31

SHA1 hash:

84e44b611d2f49b39d0a7f1ffbec8d605e92a68c

Link:

https://www.unpac.me/results/950a08ed-e900-4db8-b7ae-5faba3c88749/

SH256 hash:

37f9654b4378bbe0fbc74b502b96ee3458a0d1eb98967ee0a50df022b3a29754

MD5 hash:

600def61e2fbb167773269c5c8f0996b

SHA1 hash:

d409bfd4ba0505a51eb7a72863491e5fe8765dc3

Link:

https://www.unpac.me/results/950a08ed-e900-4db8-b7ae-5faba3c88749/

SH256 hash:

897a894564a26c39e18d2e23369815d5b088f218ce0be2516cda74a6d13c87f7

MD5 hash:

3834e42821256917ff876c71169ebab0

SHA1 hash:

6466a6bd10b724cb385535eef5f74fe77563f1e3

Link:

https://www.unpac.me/results/950a08ed-e900-4db8-b7ae-5faba3c88749/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/897a894564a26c39e18d2e23369815d5b088f218ce0be2516cda74a6d13c87f7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

exe 897a894564a26c39e18d2e23369815d5b088f218ce0be2516cda74a6d13c87f7

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1640605/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/196028/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample