MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 991c4166a2246ca5ae9186a1e747f5eb767fdbd304dbfa1c5f4a2019cb6b4aec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 991c4166a2246ca5ae9186a1e747f5eb767fdbd304dbfa1c5f4a2019cb6b4aec
SHA3-384 hash: 56bdce187b495d53e4b464ab0c0c017615c02f4c6157641160f67388cb74d761f8abffdd77222da93ae86716e43deb2f
SHA1 hash: 56fa215a2bb79c4be249fc5a795cde3d22235c64
MD5 hash: bb9d11be90b38cb1c6c7f2f47f217700
humanhash: victor-oranges-east-colorado
File name:SecuriteInfo.com.Win32.Packed.Enigma.EY.26758
Download: download sample
Signature DanaBot
Create hunting rule
File size:8'304'128 bytes
First seen:2020-06-25 12:39:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2a2b741f7f26c0d0238b178bc61e786f (2 x DanaBot)
ssdeep 196608:YwKRkMIULgQBcNqLXF3pRYpSDTaoa6vJr3UxfIg/:JKRpuSXFISa6dy/
Threatray 23 similar samples on MalwareBazaar
TLSH E48633774AB02587C78D827A26940B9C1E0E81CD46F58B4F717B385BEDB1EA7680C673
Reporter SecuriteInfoCom
Tags:DanaBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'027
Origin country :
n/a
Vendor Threat Intelligence
Detection:
OlympicDestroyer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/14272/
Detection(s):
SecuriteInfo.com.Win32.Packed.Enigma.EY.26758.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Creating a window
Creating a file
Creating a process from a recently created file
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Launching a process
Reading critical registry keys
Deleting a recently created file
Creating a file in the %AppData% subdirectories
Replacing files
Delayed writing of the file
Delayed reading of the file
Sending a custom TCP request
Unauthorized injection to a recently created process
Stealing user critical data
Unauthorized injection to a system process
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/991c4166a2246ca5ae9186a1e747f5eb767fdbd304dbfa1c5f4a2019cb6b4aec/
Threat name:
Win32.Infostealer.Coins
Create hunting rule
Status:
Malicious
First seen:
2020-06-25 13:37:51 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=teoeczvcerwkllurq2q6or7v5n3h7w6tatn7uhc7jiqbts3ljlwa._file
Verdict:
malicious
Similar samples:
34e142c3ca75844c48639cfc8f60513d23c02a65addef3bce69f5b49b34277a1
DanaBot
5b5eab7a12fdfc6cc39e39193b7a9020ee46e72acac70033236ef9b6b2da32c7
DanaBot
5ef8714caf9c7296847b67b27edb93c3aec23d7e77b57d23d0e8607d707a2c49
DanaBot
8499aa17997bfbe03592e33e82df1c674f1b57ba3d372355e690b9468ea6fea2
DanaBot
85d879be258470ed22d55bb6fda8be5d0b7d480c23d95b252516e85ccad2fec4
DanaBot
aeb1bfcef382789091e72e2d6cae6e471123d0e8e7a5f39c64abf5a3d9a4eaa8
DanaBot
c2a307a15f392b72cc51b12a1061c6ad7a2e76843754ee3d2e7b8ba0bc17e540
DanaBot
e3bb8c334350185803b3863f71d6fced186b373e8768bb537e371dff11f74386
DanaBot
ec837014dcb222fd3780d0730e297c9a09786cc57a42a9da092c9199c1f9660b
DanaBot
f4901daf97516f9a9b54233dd81810398de07db40d47072f37d90b4225387fd2
DanaBot
+ 13 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
botnet spyware evasion trojan banker family:danabot discovery
Link:
https://tria.ge/reports/200625-51me5jnfvj/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: AddClipboardFormatListener
Checks processor information in registry
Script User-Agent
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Looks up external IP address via web service
Checks whether UAC is enabled
Checks for installed software on the system
Modifies system certificate store
Legitimate hosting services abused for malware hosting/C2
Accesses cryptocurrency wallets, possible credential harvesting
Checks BIOS information in registry
Reads user/profile data of web browsers
Loads dropped DLL
Drops startup file
Executes dropped EXE
Blacklisted process makes network request
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Danabot x86 payload
Danabot
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MAL_Unknown_PWDumper_Apr18_3
Create hunting rule
Author:Florian Roth
Description:Detects sample from unknown sample set - IL origin
Reference:Internal Research
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/14272/

Comments