MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99db2e72873b64451cbfb76b8402964eea1b84cf0fe9e326507673d5a534c04e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments 1

SHA256 hash:	99db2e72873b64451cbfb76b8402964eea1b84cf0fe9e326507673d5a534c04e
SHA3-384 hash:	6681dff365b9dbc945c9179fa06d368544dc68dcf213062d12093d074a1b66f22905c6770431c2159052a122e880a47c
SHA1 hash:	22a03fbc28e0dadf13e1ace67109b1dc3e91d0f5
MD5 hash:	18e0d922bead757af754e54cc744eaa0
humanhash:	march-carolina-network-november
File name:	18e0d922bead757af754e54cc744eaa0
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	1'119'744 bytes
First seen:	2021-08-16 18:47:45 UTC
Last seen:	2021-08-16 19:45:57 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e13582e50ecb7af95558f57b919f6a34 (2 x RaccoonStealer, 1 x DanaBot)
ssdeep	24576:gQ8nt67av7QEet8tYFKOYZDcdW1PIe+W15X1d:4nt6+vUEetcC7Y5cdW1PIe+GZ
Threatray	3'962 similar samples on MalwareBazaar
TLSH	T1E1352301B610C972C1EB57B014A2FEE1E0267AD1F1936D972BF6392F7FA03C192DA255
dhash icon	1036787c727e7636 (2 x Smoke Loader, 1 x RaccoonStealer, 1 x RedLineStealer)
Reporter	zbetcheckin
Tags:	32 DanaBot exe

Intelligence

File Origin

# of uploads :

# of downloads :

303

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

18e0d922bead757af754e54cc744eaa0

Verdict:

Malicious activity

Analysis date:

2021-08-16 18:50:53 UTC

Tags:

trojan danabot

Link:

https://app.any.run/tasks/20a97d52-453c-40de-9f7a-2d6bedb56e47

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

DanaBot

Link:

https://www.capesandbox.com/analysis/179686/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.26375.1605.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Creating a file

Enabling the 'hidden' option for recently created files

Launching a process

Creating a process with a hidden window

DNS request

Sending a UDP request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/56fc177e-f92b-4c5b-bacd-94c19ba797db

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/833804

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/99db2e72873b64451cbfb76b8402964eea1b84cf0fe9e326507673d5a534c04e/

Threat name:

Win32.Trojan.DanaBot

Status:

Malicious

First seen:

2021-08-16 17:32:28 UTC

AV detection:

14 of 27 (51.85%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=thns44uhhnsekhf7w5vyiauwj3vbxbgpb7u6gjsqozz5ljjuybha._file

Verdict:

unknown

Result

Malware family:

danabot

Score:

10/10

Tags:

family:danabot banker trojan

Link:

https://tria.ge/reports/210816-4nnnmt8lps/

Behaviour

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Loads dropped DLL

Blocklisted process makes network request

Danabot

Danabot Loader Component

Unpacked files

SH256 hash:

fce6ff1fa9c69c14fd3566e7aa9cec99c26c57313c5ca3dc0594319f0e720788

MD5 hash:

8b27ab375b85ba2516670f5b9ff1e91e

SHA1 hash:

cc378001fa10ae8ee8eb87b06efb92aa5330881b

Link:

https://www.unpac.me/results/67c8fc9f-c991-4cea-afee-1dfe26699755/

SH256 hash:

e4a25cde1a11d2aa99800b4240ad668599016e82d27dd99de57bd26859bf1704

MD5 hash:

1e57aba0f202da2acd7fd92473156d1c

SHA1 hash:

d211bd23e444d55ff217b47365ec10eb8ad3d762

Link:

https://www.unpac.me/results/67c8fc9f-c991-4cea-afee-1dfe26699755/

SH256 hash:

99db2e72873b64451cbfb76b8402964eea1b84cf0fe9e326507673d5a534c04e

MD5 hash:

18e0d922bead757af754e54cc744eaa0

SHA1 hash:

22a03fbc28e0dadf13e1ace67109b1dc3e91d0f5

Link:

https://www.unpac.me/results/67c8fc9f-c991-4cea-afee-1dfe26699755/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/99db2e72873b64451cbfb76b8402964eea1b84cf0fe9e326507673d5a534c04e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

exe 99db2e72873b64451cbfb76b8402964eea1b84cf0fe9e326507673d5a534c04e

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/1490082/

URLhaus

https://urlhaus.abuse.ch/url/1495647/

URLhaus

https://urlhaus.abuse.ch/url/1461110/

URLhaus

https://urlhaus.abuse.ch/url/1539716/

Cape

https://www.capesandbox.com/analysis/179686/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2021-08-16 18:47:46 UTC

url : hxxp://104.168.148.6/progress.exe