MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99df8e49e514931ebc8df66ca8fe265f80b2f9c09ce7b3e00a998c7db941a3c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	99df8e49e514931ebc8df66ca8fe265f80b2f9c09ce7b3e00a998c7db941a3c3
SHA3-384 hash:	64de46469e63627393a26e2088b95b739cfea5680d94cf5d6788bdd36770a95525a5735462f3ef1baa6884c664fb284f
SHA1 hash:	a0bc2dacd3452684a5cb60b2cef892c2e1c7dda7
MD5 hash:	75fb7de3e19774622cb81a36aee56f3a
humanhash:	yellow-mars-cat-wyoming
File name:	75fb7de3e19774622cb81a36aee56f3a.exe
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	1'206'272 bytes
First seen:	2021-09-24 08:46:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3791a43698849237226e5f1b2f617635 (2 x RedLineStealer, 1 x Stop, 1 x DanaBot)
ssdeep	24576:QQsfbUc9ir9zSY9uq6OG4Xm4yzB4pE+Jg33U4PKClfuOs:6ZirsyudOG40zBF+YUIKClfZ
Threatray	5'683 similar samples on MalwareBazaar
TLSH	T18F4512107AB0C039F6F726FA5DB64268A4397DA06728C0CB67D42AE79574BD0DC7035B
File icon (PE):
dhash icon	ead8ac9cc6e68ee0 (118 x RaccoonStealer, 102 x RedLineStealer, 46 x Smoke Loader)
Reporter	abuse_ch
Tags:	DanaBot exe

Intelligence

File Origin

# of uploads :

# of downloads :

324

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

75fb7de3e19774622cb81a36aee56f3a.exe

Verdict:

Malicious activity

Analysis date:

2021-09-24 08:58:35 UTC

Tags:

trojan danabot

Link:

https://app.any.run/tasks/19a5f28c-642b-4530-831f-dd1ec56f46da

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/191123/

Detection(s):

SecuriteInfo.com.Variant.Fragtor.24803.17417.25163.UNOFFICIAL

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/35ffaddc-912d-4f21-a6d9-5c849b252a4d

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/857215

Signature

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/99df8e49e514931ebc8df66ca8fe265f80b2f9c09ce7b3e00a998c7db941a3c3/

Threat name:

Win32.Exploit.Convagent

Status:

Malicious

First seen:

2021-09-24 08:47:10 UTC

AV detection:

21 of 45 (46.67%)

Threat level:

5/5

Verdict:

malicious

Result

Malware family:

danabot

Score:

10/10

Tags:

family:danabot botnet:4 banker discovery spyware stealer trojan

Link:

https://tria.ge/reports/210924-kpw3psgdd8/

Behaviour

Checks processor information in registry

Modifies Internet Explorer settings

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Drops file in Program Files directory

Suspicious use of SetThreadContext

Checks installed software on the system

Loads dropped DLL

Reads user/profile data of web browsers

Blocklisted process makes network request

Danabot

Danabot Loader Component

Suspicious use of NtCreateProcessExOtherParentProcess

Malware Config

C2 Extraction:

23.254.144.209:443
192.236.194.86:443
142.11.192.232:443

Unpacked files

SH256 hash:

0d8ee462d17885dcf5889c637ac23fd769129905b41535bca0da17e3a954202c

MD5 hash:

0860e381d737300e45635e49f3f7fd93

SHA1 hash:

14d517ac8bf96c777b1c16ac6dd0921130a14ed8

Link:

https://www.unpac.me/results/d08f296c-548b-477a-985d-aa908971fa70/

SH256 hash:

792a6b5a7abb163e2840a5e9b7efbddde6cdcebd8fa09643cf2475b6d067fb3e

MD5 hash:

136ae16e9b22afb11a7c0e6c88cf7b5b

SHA1 hash:

0654d0eea92b144fc585433c08b9e46b41678fb1

Link:

https://www.unpac.me/results/d08f296c-548b-477a-985d-aa908971fa70/

SH256 hash:

99df8e49e514931ebc8df66ca8fe265f80b2f9c09ce7b3e00a998c7db941a3c3

MD5 hash:

75fb7de3e19774622cb81a36aee56f3a

SHA1 hash:

a0bc2dacd3452684a5cb60b2cef892c2e1c7dda7

Link:

https://www.unpac.me/results/d08f296c-548b-477a-985d-aa908971fa70/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/99df8e49e514/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/99df8e49e514931ebc8df66ca8fe265f80b2f9c09ce7b3e00a998c7db941a3c3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

exe 99df8e49e514931ebc8df66ca8fe265f80b2f9c09ce7b3e00a998c7db941a3c3

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1640605/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/191123/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample