MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a229aee8edf8ebb3b5e3e418879641216f49d6e00f8358a0debd4c00ddf825e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 10

Intelligence 10 IOCs 1 YARA File information Comments

SHA256 hash:	a229aee8edf8ebb3b5e3e418879641216f49d6e00f8358a0debd4c00ddf825e9
SHA3-384 hash:	b5e65e2a18c09227ff6cd32034c92847d8d10f6f4cd04a8ed701e57cfbacead1a39e80f0c5c1d6db948706965dd88e2f
SHA1 hash:	1091b1b2754d16c610f7d8363dee3b9eac69f7d8
MD5 hash:	2372042f8edf982e3137dfc5f7030c7c
humanhash:	magnesium-tennessee-indigo-single
File name:	a229aee8edf8ebb3b5e3e418879641216f49d6e00f835.exe
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	1'165'312 bytes
First seen:	2022-03-05 17:05:27 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	da969c9b2899100752633683fc4632cf (2 x DanaBot, 1 x RaccoonStealer, 1 x ArkeiStealer)
ssdeep	24576:7zmFiIdQu2KixxUB0OWTRdR2fcGgenyOukd4z8AI:7zw/DCdTRdR2fcRp7kd4f
TLSH	T1BD451201A760C035F5B351F8997A836DA52F3EE0A76460CB93DA1AFA17756E1EC3034B
File icon (PE):
dhash icon	25ec1378399b9b91 (23 x RedLineStealer, 13 x Smoke Loader, 7 x RaccoonStealer)
Reporter	abuse_ch
Tags:	DanaBot exe

abuse_ch

DanaBot C2:
45.147.231.150:443

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
45.147.231.150:443	https://threatfox.abuse.ch/ioc/392550/

Intelligence

File Origin

# of uploads :

# of downloads :

511

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/247539/

Detection(s):

Win.Dropper.Generickdz-9939781-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Creating a window

Launching a process

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %temp% directory

Сreating synchronization primitives

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/8289/overview

Behaviour

MalwareBazaar

CPUID_Instruction

SystemUptime

MeasuringTime

EvasionQueryPerformanceCounter

CheckCmdLine

EvasionGetTickCount

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

DanaBot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/dca9a40c-9fe4-4bec-9b7f-ea54df08a2f6

Result

Threat name:

DanaBot

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/951205

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected DanaBot stealer dll

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a229aee8edf8ebb3b5e3e418879641216f49d6e00f8358a0debd4c00ddf825e9/

Threat name:

Win32.Trojan.CrypterX

Status:

Malicious

First seen:

2022-03-05 17:06:12 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 27 (74.07%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=uiu252hn7dv3hnpd4qmipfsbefxutvxab6bvrig6xvgabxpyexuq._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

10/10

Tags:

suricata

Link:

https://tria.ge/reports/220305-vmd48aadel/

Behaviour

Checks processor information in registry

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Blocklisted process makes network request

suricata: ET MALWARE Danabot Key Exchange Request

Unpacked files

SH256 hash:

774d7b1f9d2288f6d95d92b77aeb342d7305b84d0b0f46e4946abdc8b4ebcddb

MD5 hash:

c3a60dbcf538a8b587a0360fa4c0fc19

SHA1 hash:

ee101addab983d93b15b28616891a98cdc66e512

Link:

https://www.unpac.me/results/6f77323e-858e-419f-8cb7-ff3a447ec50f/

SH256 hash:

a229aee8edf8ebb3b5e3e418879641216f49d6e00f8358a0debd4c00ddf825e9

MD5 hash:

2372042f8edf982e3137dfc5f7030c7c

SHA1 hash:

1091b1b2754d16c610f7d8363dee3b9eac69f7d8

Link:

https://www.unpac.me/results/6f77323e-858e-419f-8cb7-ff3a447ec50f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a229aee8edf8ebb3b5e3e418879641216f49d6e00f8358a0debd4c00ddf825e9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/247539/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample