MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a04af7fb3b5483d292093d1b67b6ed496d5643698121c04fedaa15e8078b748d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 9



SHA256 hash: a04af7fb3b5483d292093d1b67b6ed496d5643698121c04fedaa15e8078b748d
SHA3-384 hash: eb105f10e9c87fe563af63ce89dc38d0f6568e0ba87ba8609e79bd4b324fb66714380d77330bb88dca071379a6b0c8e6
SHA1 hash: 76228ef3173b003f0319cfc3a4e6ee9c51ace683
MD5 hash: b75e734845e212357778571c255f90bb
humanhash: table-six-emma-south
File name: b75e7348_by_Libranalysis
Signature: DanaBot
File size: 9'775'104 bytes
First seen: 2021-05-03 08:00:58 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6f80c86f30aa29f3b39139a80f1f1214 (1 x DanaBot)
ssdeep: 98304:z6FfavP/R1YPGWlHh5OwSSP1oaBBLAIKL9RMqgUDklB2LYNSRM5CBl:z6VYhcNlHhwwSxagXbzDMAhM
Threatray: 54 similar samples on MalwareBazaar
TLSH: FEA602FB40601832FAC56D7A872C1F54F6F22022DAB21995A83D71CD2EF62F534E951E
Reporter: Libranalysis
Tags: DanaBot


Libranalysis: Uploaded as part of the sample sharing project

Intelligence


File Origin
# of uploads: 1
# of downloads: 323
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: https://unclaimedfinder.net/frog.php?fn=Firstname&ln=Lastname&st=Florida
Verdict: Malicious activity
Analysis date: 2021-04-30 00:07:09 UTC
Tags: trojan danabot stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Changing a file
Modifying an executable file
Creating a file in the %temp% directory
Sending a custom TCP request
Infecting executable files
Result
Verdict: SUSPICIOUS

Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: DanaBot
Detection: malicious
Classification: troj
Score: 64 / 100

Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Yara detected DanaBot stealer dll

Behaviour
Behavior Graph:
Behavior Graph ID: 402629
Sample: b75e7348_by_Libranalysis
Start date: 03/05/2021
Architecture: WINDOWS
Score: 64
Sample-level signatures: Multi AV Scanner detection for submitted file; Yara detected DanaBot stealer dll; Machine Learning detection for sample; PE file has a writeable .text section
Process tree:
  loaddll32.exe (started)
    iexplore.exe (started)
      iexplore.exe (started)
    regsvr32.exe (started)
      rundll32.exe (started)
    cmd.exe (started)
      rundll32.exe (started)
        rundll32.exe (started)
    12 other processes
DNS / IP activity:
  localhost; 8.8.8.8.in-addr.arpa (resolved at sample level)
  tls13.taboola.map.fastly.net 151.101.1.44, port 443 (FASTLYUS, United States), from iexplore.exe
  geolocation.onetrust.com 104.20.184.68, port 443 (CLOUDFLARENETUS, United States), from iexplore.exe
  9 other IPs or domains, from iexplore.exe
  127.0.0.1 (unknown), from rundll32.exe
Result
Malware family: danabot
Score: 10/10
Tags: family:danabot botnet:22 banker discovery spyware stealer trojan

Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks installed software on the system
Drops desktop.ini file(s)
Reads user/profile data of web browsers
Blocklisted process makes network request
Danabot

Malware Config
C2 Extraction:
198.211.116.98:443
165.227.38.61:443
8.208.9.104:443
134.209.237.20:443
Unpacked files
SHA256 hash: f8dc669e0a42825fe31e470f6d79503fd50a339d6e574ba20999d38c8a1dd28a
MD5 hash: d0e5b4f524167e8bff82f5ff01769131
SHA1 hash: d4fb709a86de6345b3f4408bcb7e0d2ae0cc39f5

SHA256 hash: 2972f79ad1b2f85084bc658b051f806ec8e00d59186ca46ac31d044d3fc69adb
MD5 hash: 0351a562193fb1e9f2de9f7a0820d26b
SHA1 hash: 86719613f7e6126cc446078f30941a76b304c20d

SHA256 hash: a04af7fb3b5483d292093d1b67b6ed496d5643698121c04fedaa15e8078b748d
MD5 hash: b75e734845e212357778571c255f90bb
SHA1 hash: 76228ef3173b003f0319cfc3a4e6ee9c51ace683

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments



accidentalrebel commented on 2021-05-03 09:18:22 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
1) [C0007] Memory Micro-objective::Allocate Memory