MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89ebfcdbf750745daa08da3e4c5c56db4f78a00b8c2e8ca06a1b19373ff84da2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 9


Intelligence 9 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 89ebfcdbf750745daa08da3e4c5c56db4f78a00b8c2e8ca06a1b19373ff84da2
SHA3-384 hash: 5359219fddc10830336dcdcdc6ea671ea74afa7437a379c4e8a1cafec932d344b167b170543d50b01b29d2390b143f56
SHA1 hash: 87d911b5224a3063e79bfeb43e85a8ae3803681c
MD5 hash: 5ebbdd238198f4cc3825190b41dd75ed
humanhash: snake-tennessee-batman-lemon
File name:5ebbdd238198f4cc3825190b41dd75ed.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:6'153'728 bytes
First seen:2021-03-25 11:08:35 UTC
Last seen:2021-03-25 12:42:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d0fb6a9cd0350f8c1dc179cb6c71fe47 (5 x DanaBot, 2 x Loki, 2 x RaccoonStealer)
ssdeep 98304:jmiqinrds1sg8fz+/iisDwozSKUhB50puwy521pHhpAFhNrvgHERKQKeva93M:j+inrds1sP6/iiscoWKZMZs1bpoRhJzj
Threatray 37 similar samples on MalwareBazaar
TLSH F056331532D5C1B6E5699A3A0204D3724C67BDF2370E8FC7AF421F5C6DA2B8356292CB
Reporter abuse_ch
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
361
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5ebbdd238198f4cc3825190b41dd75ed.exe
Verdict:
Suspicious activity
Analysis date:
2021-03-25 11:45:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ba461b5c-e42f-4ece-b834-6712906aeb7d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Mal.GandCrypt-A.15484.10977.UNOFFICIAL
Create hunting rule

Win.Malware.Raccoon-9846892-1
Create hunting rule

Win.Malware.Glupteba-9846893-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Forced system process termination
Connection attempt
Deleting a recently created file
Sending a UDP request
Creating a window
Creating a file
Launching a process
Creating a process with a hidden window
Modifying an executable file
Changing a file
Creating a file in the %temp% directory
Reading critical registry keys
Sending a TCP request to an infection source
Infecting executable files
Unauthorized injection to a system process
Encrypting user's files
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/653800
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/89ebfcdbf750745daa08da3e4c5c56db4f78a00b8c2e8ca06a1b19373ff84da2/
Threat name:
Win32.Trojan.Mokes
Create hunting rule
Status:
Malicious
First seen:
2021-03-25 11:09:10 UTC
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rhv7zw7xkb2f3kqi3i7eyxcw3nhxrialrqxizidkdmmtop7yjwra._file
Verdict:
malicious
Similar samples:
0aeac7d32fcb6e48bd9f2a73d6a01a76472ce4ce7962f99979e5f2c2d150fe39
DanaBot
12aa781dbb20df22ed7d20b94a0c30d93ff44a875cee7c028cdccfa3eab9e57d
DanaBot
5288d023c4a8127ed105f7d8b9142aab47dc505efc5b6a81e8c9367f0465c03a
DanaBot
558b7e82732b72e64fa83f6acbeab78e90ea7e3a9fc91e54d326c2304f2433b9
DanaBot
5f8bbd5b165b49e1cadf31a88eb1d0e714c60f77ae81da2e727dd4ca99e80aec
DanaBot
6b5ac8a36a41a1220a049752119417478afd1ac433ac5b2da0e7c9560b38c52e
DanaBot
7ceb6d9e04042cd53b9c374e69cbf22e05edff6571a01610b844963d881e1057
DanaBot
d2b1b74b9bfbb426d4d43ba2271de2bc48a1ed5f5bcf9ce8fa24312266b4dddf
DanaBot
e1043b597d99a6553919b8e0d8e265aa6dd2f2004d63c57686d3e4dfca13505e
DanaBot
e65e644d9e4644fce4b66e7c85fb16c9be1533b73fd0bec78b6f048c6a21ad9b
DanaBot
+ 27 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210325-rwvxjzh1dn/
Unpacked files
SH256 hash:
b83c78d9d2359fed4750af7316f2600309a1affcb865a3ffcf9e8c469a130f73
MD5 hash:
853e7ca8d2efe955111f597a16713be8
SHA1 hash:
ad896a4259dcc1e3ee4f9e57accc1a8626cc622f
Link:
https://www.unpac.me/results/76c7f469-773f-44e2-ad49-73f780556247/
SH256 hash:
52fa57ba3eb06506c3c83dd6ca8606cda817b57463888f0bf7ff41e6cb9c60d0
MD5 hash:
499c1883fe5cd0717bed5c01110a8e7b
SHA1 hash:
63202c0382e6fa9042923fae95865d71f1957a7c
Link:
https://www.unpac.me/results/76c7f469-773f-44e2-ad49-73f780556247/
SH256 hash:
abfac14e797f3174d7d7b31caf7fd1ad1f92bf6054bd7531fb4cbc9edf97bce3
MD5 hash:
08cd8be8d5fc02cbaaf3e3bd469400e5
SHA1 hash:
d0af57e367902e6afb8a5f3605bb5406be97339b
Link:
https://www.unpac.me/results/76c7f469-773f-44e2-ad49-73f780556247/
SH256 hash:
89ebfcdbf750745daa08da3e4c5c56db4f78a00b8c2e8ca06a1b19373ff84da2
MD5 hash:
5ebbdd238198f4cc3825190b41dd75ed
SHA1 hash:
87d911b5224a3063e79bfeb43e85a8ae3803681c
Link:
https://www.unpac.me/results/76c7f469-773f-44e2-ad49-73f780556247/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/89ebfcdbf750745daa08da3e4c5c56db4f78a00b8c2e8ca06a1b19373ff84da2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:hunt_skyproj_backdoor
Create hunting rule
Author:SBousseaden
Reference:https://unit42.paloaltonetworks.com/unit42-prince-persia-ride-lightning-infy-returns-foudre/
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:@ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePasswor
Create hunting rule
Author:ditekSHen
Description:Detects PowerShell content designed to retrieve passwords from host
Rule name:INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePassword
Create hunting rule
Author:ditekSHen
Description:Detects PowerShell content designed to retrieve passwords from host
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_DanaBot
Create hunting rule
Author:ditekSHen
Description:Detects DanaBot variants
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Stealer_word_in_memory
Create hunting rule
Author:James_inthe_box
Description:The actual word stealer in memory
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 89ebfcdbf750745daa08da3e4c5c56db4f78a00b8c2e8ca06a1b19373ff84da2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1090350/
  
Delivery method
Distributed via web download

Comments