MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97dd1a40479b38e1c9c4d719d67087cf7b5d5cf546ec379ca153902a593091f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 97dd1a40479b38e1c9c4d719d67087cf7b5d5cf546ec379ca153902a593091f4
SHA3-384 hash: a5e07308c83bf9cf3ef5fe80a9ec5882171a8d7befe8e524ee0bdbd959a49e851de37e115140ef5c083fc520f6be9353
SHA1 hash: 2724d308565dac054db177217b9cc3b5996ffc68
MD5 hash: 686e868d531352b9031c6a083c211dc4
humanhash: beryllium-crazy-missouri-fillet
File name:686e868d531352b9031c6a083c211dc4.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'187'840 bytes
First seen:2021-09-20 17:57:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d0a8c3f24685503ba25bd76f34c13b9e (8 x RedLineStealer, 3 x RaccoonStealer, 2 x DanaBot)
ssdeep 24576:u2cfxr59VRhvS0mBxy+RJKJVddoL1K2A0fvm8xSPdS:C7RVSVBxyuKoUs+1dS
TLSH T160451220BAE1D031E9B312F869BE57B8593D3E715B3451CB72E53AEA66342E48C31347
File icon (PE):PE icon
dhash icon 9824e7d0c4e72158 (35 x RedLineStealer, 23 x Smoke Loader, 14 x ArkeiStealer)
Reporter abuse_ch
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
395
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
686e868d531352b9031c6a083c211dc4.exe
Verdict:
Malicious activity
Analysis date:
2021-09-20 17:58:20 UTC
Tags:
trojan danabot
Link:
https://app.any.run/tasks/3e54f7b0-2831-4de8-a9a0-f0270e246726

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DanaBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/189557/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.23360.1237.15427.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file
Enabling the 'hidden' option for recently created files
Launching a process
Creating a process with a hidden window
Creating a window
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/99a297bc-e3d4-4742-a6d0-5c9fc93c1a26
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/854356
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/97dd1a40479b38e1c9c4d719d67087cf7b5d5cf546ec379ca153902a593091f4/
Threat name:
Win32.Infostealer.Convagent
Create hunting rule
Status:
Malicious
First seen:
2021-09-20 17:57:19 UTC
AV detection:
17 of 45 (37.78%)
Threat level:
  5/5
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot botnet:4 banker discovery spyware stealer trojan
Link:
https://tria.ge/reports/210920-wj6whahddj/
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Danabot
Danabot Loader Component
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
23.254.144.209:443
23.254.227.74:443
192.255.166.212:443
Unpacked files
SH256 hash:
f2e88adc551376ca5b42594495d4f78ab09359a75ebca871fb295616765df785
MD5 hash:
fba9dd685588531822463b958185dbe2
SHA1 hash:
6334e764d3caea5efd3b80615b12775708c47e83
Link:
https://www.unpac.me/results/89e47792-6bd2-475a-98d4-96c7561022a3/
SH256 hash:
c52824653b01577dbaa4a99bd55090b657ab8c58adc54edd1e0164949b772848
MD5 hash:
cd86773cede3550417aced7518c8d07a
SHA1 hash:
f777b445a09e091d86f3648aee25447661bcc2c5
Link:
https://www.unpac.me/results/89e47792-6bd2-475a-98d4-96c7561022a3/
SH256 hash:
97dd1a40479b38e1c9c4d719d67087cf7b5d5cf546ec379ca153902a593091f4
MD5 hash:
686e868d531352b9031c6a083c211dc4
SHA1 hash:
2724d308565dac054db177217b9cc3b5996ffc68
Link:
https://www.unpac.me/results/89e47792-6bd2-475a-98d4-96c7561022a3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/97dd1a40479b38e1c9c4d719d67087cf7b5d5cf546ec379ca153902a593091f4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 97dd1a40479b38e1c9c4d719d67087cf7b5d5cf546ec379ca153902a593091f4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1635827/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/189557/

Comments