MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1348f40de8bd662e546465d653e94855ac5ae33cb3ce4d36ba6a0e3d842db73. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a1348f40de8bd662e546465d653e94855ac5ae33cb3ce4d36ba6a0e3d842db73
SHA3-384 hash: ec28db12a92b79252a5c0155c54e26cd8cf15abd4c20880b9f0b0bf7d0e548f0508db3eb329d6bbf2f33de143850ad03
SHA1 hash: 2a34a211dd783bc85dccf911aad3e377a417db49
MD5 hash: 850e380d40bd649647c116ac383f4cb1
humanhash: robin-west-seven-romeo
File name:850e380d40bd649647c116ac383f4cb1.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'098'240 bytes
First seen:2021-09-23 12:54:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e7d6aacdbba2eaeadcddfcf1af169f5c (2 x DanaBot, 1 x CryptBot, 1 x Loki)
ssdeep 24576:cT3N5Dkq9DPCxXaJ25YddtpfT6rdbSDmvLAZsw7OV/UI5:+ek2wtpfWrdbMmvEZ9OVsc
Threatray 3 similar samples on MalwareBazaar
TLSH T1CC352222F9E0F83EE6F79C7060B083D15A2BB4756EB5414F2A9D15783F6D6C0462932B
File icon (PE):PE icon
dhash icon 1072c293b0381906 (17 x RedLineStealer, 5 x Stop, 4 x DanaBot)
Reporter abuse_ch
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
262
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
850e380d40bd649647c116ac383f4cb1.exe
Verdict:
Malicious activity
Analysis date:
2021-09-23 12:58:25 UTC
Tags:
trojan danabot
Link:
https://app.any.run/tasks/5efceb6e-6f86-4cb8-88bd-88a7df788701

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DanaBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/190757/
Detection(s):
SecuriteInfo.com.Ransom.Stop.P5.20697.28138.UNOFFICIAL
Create hunting rule

Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6670f66a-fc43-4aab-b41f-4099b68e9539
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/856718
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a1348f40de8bd662e546465d653e94855ac5ae33cb3ce4d36ba6a0e3d842db73/
Threat name:
Win32.Trojan.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-09-23 12:55:11 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
427102cfb84006044ecb4a6e42daaceb66f01c098c6a848106f30a2ce22dd5c4
DanaBot
60787d8474b04b246ce69957c1d0e4f31b80e93f699eeec2ae3a707a8e933453
DanaBot
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot botnet:4 banker discovery spyware stealer trojan
Link:
https://tria.ge/reports/210923-p5tpqsecfn/
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Danabot
Danabot Loader Component
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
23.254.144.209:443
192.236.194.86:443
142.11.192.232:443
Unpacked files
SH256 hash:
f4a37cfce8a0d15a923d916423abe5e75117fd89e57e23a1249ed605f0e68e26
MD5 hash:
1126ec991f8c2435fae51200c5bcb9e2
SHA1 hash:
1e04005dbad5be78ed239d45dee8bfcbbecc279f
Link:
https://www.unpac.me/results/57bc1582-7ddc-460b-95f2-f3a7f473ac03/
SH256 hash:
06d913239d4147ebe928fabe51609eb3c2ff48d4bf6a11f8b68401d1b39c8e6a
MD5 hash:
bb14869bf6ea90e1b34f5e0f162188eb
SHA1 hash:
eeafe2c862efb9abc8b9504cba7e64e222f8284f
Link:
https://www.unpac.me/results/57bc1582-7ddc-460b-95f2-f3a7f473ac03/
SH256 hash:
a1348f40de8bd662e546465d653e94855ac5ae33cb3ce4d36ba6a0e3d842db73
MD5 hash:
850e380d40bd649647c116ac383f4cb1
SHA1 hash:
2a34a211dd783bc85dccf911aad3e377a417db49
Link:
https://www.unpac.me/results/57bc1582-7ddc-460b-95f2-f3a7f473ac03/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a1348f40de8bd662e546465d653e94855ac5ae33cb3ce4d36ba6a0e3d842db73

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe a1348f40de8bd662e546465d653e94855ac5ae33cb3ce4d36ba6a0e3d842db73

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/190757/
  
URLhaus
https://urlhaus.abuse.ch/url/1640832/
  
Delivery method
Distributed via web download

Comments