MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a664d80c5b8a2203288086ed56c42f443622e787beae17677b1504ab524a2795. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a664d80c5b8a2203288086ed56c42f443622e787beae17677b1504ab524a2795
SHA3-384 hash: cdf8a97ab0fd3f7bcdbc310220ca1f16f2c25d89bc3128bc0793cb7cb4946bd99af264aecb344508e89d6688669fceef
SHA1 hash: f082f6bdf46aaa38acda4e0d2c9d8ef3eefdfc21
MD5 hash: f110abd60913df4bec2335a5c69b3bba
humanhash: undress-edward-berlin-johnny
File name:f110abd60913df4bec2335a5c69b3bba.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'124'352 bytes
First seen:2022-03-07 14:55:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c15f3c458b225c7e3f33ff6b2cd61332 (2 x DanaBot)
ssdeep 24576:hO7DHUVYddMlf3vhgBLPy5tWftoaAMVfM7vEn6jScNPemK:h/VYdKlPJqy5tWVoa4vE6jlIF
TLSH T1F8351201AB90D039F0F716F85A75836DA63E7EA1AB3494CB62D92ADD13355E4EC3130B
File icon (PE):PE icon
dhash icon 2dac1378399b9b91 (35 x Smoke Loader, 34 x RedLineStealer, 18 x Amadey)
Reporter abuse_ch
Tags:DanaBot exe


Avatar
abuse_ch
DanaBot C2:
23.254.201.147:443

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
23.254.201.147:443 https://threatfox.abuse.ch/ioc/392763/

Intelligence

File Origin
# of uploads :
1
# of downloads :
574
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/247943/
Detection(s):
Win.Dropper.Generickdz-9939781-0
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a window
Launching a process
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Сreating synchronization primitives
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/8493/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CPUID_Instruction
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2f3bf27f-9087-4084-a082-6701b6fdf0d5
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/951885
Signature
Antivirus detection for URL or domain
Machine Learning detection for sample
May use the Tor software to hide its network traffic
Multi AV Scanner detection for submitted file
Overwrites code with function prologues
Sigma detected: Suspicious Call by Ordinal
System process connects to network (likely due to code injection or exploit)
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a664d80c5b8a2203288086ed56c42f443622e787beae17677b1504ab524a2795/
Threat name:
Win32.Trojan.Strab
Create hunting rule
Status:
Malicious
First seen:
2022-03-07 14:56:14 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uzsnqdc3riragkeaq3wvnrbpiq3cfz4hx2xboz33cuckwuske6kq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  10/10
Tags:
suricata
Link:
https://tria.ge/reports/220307-sa1rcaacbl/
Behaviour
Checks processor information in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Blocklisted process makes network request
suricata: ET MALWARE Danabot Key Exchange Request
Unpacked files
SH256 hash:
c65c56bd0a7be20f796726a0063475cdca1e35fd6535b7c7165da41ac9674eae
MD5 hash:
65c9d5d82f97019fe56250234b726ef0
SHA1 hash:
0d07b79ad82bfba1349e3bd4e140c1beb53a6a48
Link:
https://www.unpac.me/results/d1f6821c-a1c1-469f-807f-b87d3c4b5e12/
SH256 hash:
a664d80c5b8a2203288086ed56c42f443622e787beae17677b1504ab524a2795
MD5 hash:
f110abd60913df4bec2335a5c69b3bba
SHA1 hash:
f082f6bdf46aaa38acda4e0d2c9d8ef3eefdfc21
Link:
https://www.unpac.me/results/d1f6821c-a1c1-469f-807f-b87d3c4b5e12/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a664d80c5b8a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a664d80c5b8a2203288086ed56c42f443622e787beae17677b1504ab524a2795

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe a664d80c5b8a2203288086ed56c42f443622e787beae17677b1504ab524a2795

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2078748/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/247943/

Comments