MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5437c7d1711d9ef40881b429e3b308c5e3d6b94da15aa1b20f5c64ecbe49848. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a5437c7d1711d9ef40881b429e3b308c5e3d6b94da15aa1b20f5c64ecbe49848
SHA3-384 hash: b01e182ded1579626de40e9a43fe230de75e8a0ac5be0fc9e18e6e53aff517b585c855d2817e77312b0db59806667a93
SHA1 hash: aed9e3309557e3879c6f19672a50b68fefe42944
MD5 hash: 2540d86500ff77fec9c2c313b5398c5b
humanhash: sweet-mexico-twelve-ohio
File name:2540d86500ff77fec9c2c313b5398c5b
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'208'320 bytes
First seen:2021-10-15 09:32:27 UTC
Last seen:2021-10-15 11:18:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9e2cb00668936ef8a66a623b516f5f70 (2 x RedLineStealer, 1 x DanaBot)
ssdeep 24576:GHwyO/SrsQq731wku7XhPAjj9/wywokm9KOiWQJILi9l:ARbCPuLhIjR/wQkm9KOvQ5
Threatray 6'616 similar samples on MalwareBazaar
TLSH T15F45121077A1C034F1F727F84AB692A4B52E7AE1A72864CF23D825EA17396D5EC30717
File icon (PE):PE icon
dhash icon ead8ac9cc6a68ee0 (93 x RedLineStealer, 50 x RaccoonStealer, 15 x Smoke Loader)
Reporter zbetcheckin
Tags:32 DanaBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
418
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2540d86500ff77fec9c2c313b5398c5b
Verdict:
Malicious activity
Analysis date:
2021-10-15 09:37:24 UTC
Tags:
trojan danabot
Link:
https://app.any.run/tasks/9b611f46-f9b3-4960-bb1a-463712491d40

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DanaBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/197730/
Detection(s):
SecuriteInfo.com.Packed-GDT2540D86500FF.29783.3769.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Enabling the 'hidden' option for recently created files
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61694ad2fd35fe780c42ad9c/reports/58b1a841-bb6c-4d42-913a-a806516cd9bf/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/37bd9a6f-72ca-456d-8668-5bb9f6c0d77f
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/871061
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a5437c7d1711d9ef40881b429e3b308c5e3d6b94da15aa1b20f5c64ecbe49848/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-10-15 09:05:56 UTC
AV detection:
21 of 44 (47.73%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uvbxy7ixchm66qeidnbj4ozqrrpd224u3ik2ugza6xde5s7etbea._file
Verdict:
malicious
Similar samples:
0345531c814ad62c6c2c73de6fc6e540974fa5ddba3dcbeaa9a7850ad7929a76
DanaBot
18ae9ea1c1d71b33777c8772248580f17a2bcecf1aa0e8f71ec15d4b33d5253b
DanaBot
233df04bc2ee124e7af1399d77450d7db5985ce99defde5ce0604d592bfffc77
DanaBot
4e19a6c2fb2fd245e5c2097ff4d91aa86c4f49aaa4fbdab4cae046e3e02d0e52
DanaBot
7bf358e7bffe42b707987d1e14465a5fd91fb4468b8bb5cc2bda2fd95ef801d1
DanaBot
7fb665b5e4c461aadd9c5ce25f71ca332b634e1d2ab308e811bdbfdec74728a9
DanaBot
8d2fc9db7c9f5dcf80faef24bf99af1a4553007d810981fef4026f3fce02a945
DanaBot
a9cce75c8c8200005f0d039312f4767926e1b3cc8aa1ced7cffbda3dbefb24c7
DanaBot
aa45891e05a5365976defde1926bcf667f207b61af7cc455a1b7e1bd5fabba05
DanaBot
f8f1569945e8adb87cb91509db4129d64a878863a347dbea1b21b70e1a21f973
DanaBot
+ 6'606 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot botnet:4 banker collection discovery spyware stealer trojan
Link:
https://tria.ge/reports/211015-lh7fjabecl/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Danabot
Danabot Loader Component
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
192.119.110.73:443
192.236.147.159:443
192.210.222.88:443
Unpacked files
SH256 hash:
8edfdf9bf82f09d04ce95bdbe12b7b3a3f4265cdaa8d02aafc2e43629ee8616c
MD5 hash:
09325d040971393d04a8a85cd8b0f246
SHA1 hash:
329d4a79660c6a298c02061f466d99e3787d2aeb
Link:
https://www.unpac.me/results/19a4f9e9-cabc-4f9e-882a-ee623118db78/
SH256 hash:
e2a7a59571eb024ce8bec5ff2f274ba27165cd651f028bd21c6e56fbc24b2f03
MD5 hash:
f11682b40fe7be60883019f812e66f9a
SHA1 hash:
96f2299bab1f70f73aa49b3ec0dc21bd246c7efb
Link:
https://www.unpac.me/results/19a4f9e9-cabc-4f9e-882a-ee623118db78/
SH256 hash:
a5437c7d1711d9ef40881b429e3b308c5e3d6b94da15aa1b20f5c64ecbe49848
MD5 hash:
2540d86500ff77fec9c2c313b5398c5b
SHA1 hash:
aed9e3309557e3879c6f19672a50b68fefe42944
Link:
https://www.unpac.me/results/19a4f9e9-cabc-4f9e-882a-ee623118db78/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a5437c7d1711/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a5437c7d1711d9ef40881b429e3b308c5e3d6b94da15aa1b20f5c64ecbe49848

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe a5437c7d1711d9ef40881b429e3b308c5e3d6b94da15aa1b20f5c64ecbe49848

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1679912/
  
URLhaus
https://urlhaus.abuse.ch/url/1660814/
Cape
Cape
https://www.capesandbox.com/analysis/197730/

Comments


Avatar
zbet commented on 2021-10-15 09:32:28 UTC

url : hxxp://23.19.58.239/smhosts.exe