MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9df8e6befb48719199a51cc8a44b95a2442028a85022a7e63b41dec136552780. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 7


Intelligence 7 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9df8e6befb48719199a51cc8a44b95a2442028a85022a7e63b41dec136552780
SHA3-384 hash: be798b3b24fb4420555b736c59961d3590f66e53b19816b889d9df17d0343c7ffcffc6ecaf7d509cc0bf6e9e023c021b
SHA1 hash: 30c42e469f0989d62e7fd5d406f80b37a864e04e
MD5 hash: 97c4dfbf43ac3d375e13212688bdb757
humanhash: jupiter-december-sweet-october
File name:97c4dfbf43ac3d375e13212688bdb757.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:6'213'632 bytes
First seen:2021-03-26 15:07:12 UTC
Last seen:2021-03-26 16:42:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e28a937bb48c61685c1a8399bd66bc44 (1 x DanaBot, 1 x ArkeiStealer)
ssdeep 98304:oATn3yP6xmy5sy/JnOPgRZtiKmrMeT16Qkvn1KlgF10b5tkHzTwm/1QZHAZx76pE:Rn3ySkyjgPgRMYm16Qkvkk1KL2naZH2z
TLSH 3D56331431D4E4B1F59F2972A922C9B0697EBC7A213AFD4E73F1167B1F705D2A212B08
Reporter abuse_ch
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
354
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
97c4dfbf43ac3d375e13212688bdb757.exe
Verdict:
No threats detected
Analysis date:
2021-03-26 19:29:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/74854e29-df4d-4407-a108-7e5cb0d2e740

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DanaBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/127057/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.13480.5459.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Launching a process
Creating a process with a hidden window
Sending a UDP request
Modifying an executable file
Changing a file
Creating a file in the %temp% directory
Sending a custom TCP request
Connection attempt to an infection source
Infecting executable files
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4e2d1fb4-c5d0-4d9b-bd27-5392b79dbece
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/655147
Signature
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9df8e6befb48719199a51cc8a44b95a2442028a85022a7e63b41dec136552780/
Threat name:
Win32.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-03-26 15:08:09 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tx4onpx3jbyzdgnfdtekis4vujccakfikarkpzr3ihpmcnsve6aa._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210326-53aehtqalx/
Unpacked files
SH256 hash:
843c1f0fa377e93dd31411ba54c28898370dac02e9e7100216adecb09cb2c13d
MD5 hash:
1fba6ad6cbed368a9c543675c4e23f7f
SHA1 hash:
bdca3028a87d03685f98acfd5aa2039182ddfb18
Link:
https://www.unpac.me/results/eaea9bd0-3677-41d7-9f48-a31574c0406e/
SH256 hash:
0a2747afcda03c3cf657bdf24b61df48bd8f849f5547fbdfb729cd7c4f110a3c
MD5 hash:
7d4530d8bef3fb99084fcbee10352741
SHA1 hash:
802751236b0d9cdb213eed4d427162ea960b5e01
Link:
https://www.unpac.me/results/eaea9bd0-3677-41d7-9f48-a31574c0406e/
SH256 hash:
b121913beb2d79705591b3afb7210b0725c5969273891047ea1375babe7a8371
MD5 hash:
a18ef62d5c83a945e61401e223327276
SHA1 hash:
7e71846c3abc935e66da0be8f34da50c015e259c
Link:
https://www.unpac.me/results/eaea9bd0-3677-41d7-9f48-a31574c0406e/
SH256 hash:
9df8e6befb48719199a51cc8a44b95a2442028a85022a7e63b41dec136552780
MD5 hash:
97c4dfbf43ac3d375e13212688bdb757
SHA1 hash:
30c42e469f0989d62e7fd5d406f80b37a864e04e
Link:
https://www.unpac.me/results/eaea9bd0-3677-41d7-9f48-a31574c0406e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9df8e6befb48719199a51cc8a44b95a2442028a85022a7e63b41dec136552780

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:hunt_skyproj_backdoor
Create hunting rule
Author:SBousseaden
Reference:https://unit42.paloaltonetworks.com/unit42-prince-persia-ride-lightning-infy-returns-foudre/
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:@ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePasswor
Create hunting rule
Author:ditekSHen
Description:Detects PowerShell content designed to retrieve passwords from host
Rule name:INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePassword
Create hunting rule
Author:ditekSHen
Description:Detects PowerShell content designed to retrieve passwords from host
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_DanaBot
Create hunting rule
Author:ditekSHen
Description:Detects DanaBot variants
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Stealer_word_in_memory
Create hunting rule
Author:James_inthe_box
Description:The actual word stealer in memory
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 9df8e6befb48719199a51cc8a44b95a2442028a85022a7e63b41dec136552780

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1091411/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/127057/

Comments