MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a88222d690c442a6d8af50b2ddf20b770611b0a41be4585b5e9f562a5542953b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	a88222d690c442a6d8af50b2ddf20b770611b0a41be4585b5e9f562a5542953b
SHA3-384 hash:	f34124ee8ea35b3640d24f58cb9fe12da07a508b12eaaecc10427eb074499ee3070cedeecc2bddb5965d4dafe610e80f
SHA1 hash:	a95eabdda268bc3e59a60c6b62f2d9759543ba0e
MD5 hash:	43bd9c07d8cbb790982087b309f45a76
humanhash:	jupiter-single-zulu-alpha
File name:	43bd9c07d8cbb790982087b309f45a76.exe
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	1'233'408 bytes
First seen:	2021-10-13 17:59:01 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e9d1f1739ab48fbfe7c7128688524302 (3 x RaccoonStealer, 2 x Smoke Loader, 2 x DanaBot)
ssdeep	24576:E3ye1rzR1OwYV+WOb1ts8wvmdPghJ2G3wXIK:6PFWOBts8wvmBu2G3w
Threatray	6'612 similar samples on MalwareBazaar
TLSH	T1F0451214A7A1C039F5F316F84AB9926CB93E79F1AB1840CB23D856EE57256E0EC30357
File icon (PE):
dhash icon	ead8ac9cc6a68ee0 (93 x RedLineStealer, 50 x RaccoonStealer, 15 x Smoke Loader)
Reporter	abuse_ch
Tags:	DanaBot exe

Intelligence

File Origin

# of uploads :

# of downloads :

402

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

43bd9c07d8cbb790982087b309f45a76.exe

Verdict:

Malicious activity

Analysis date:

2021-10-13 19:32:15 UTC

Tags:

trojan danabot

Link:

https://app.any.run/tasks/f2983ead-29d9-47af-9c8f-e9eb9ecc40bc

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

DanaBot

Link:

https://www.capesandbox.com/analysis/197351/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.3908.20472.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Creating a file

Enabling the 'hidden' option for recently created files

Launching a process

Creating a process with a hidden window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/61671e6c9fb4d8593d63e2a3/reports/101c27fc-50c0-4b24-b557-6b1eab8ebba8/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4fbcb1bb-71b4-4e6d-944a-9c1d835123a9

Result

Threat name:

DanaBot

Detection:

malicious

Classification:

troj.evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/869908

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for sample

System process connects to network (likely due to code injection or exploit)

Yara detected DanaBot stealer dll

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a88222d690c442a6d8af50b2ddf20b770611b0a41be4585b5e9f562a5542953b/

Threat name:

Win32.Trojan.DllCheck

Status:

Malicious

First seen:

2021-10-13 18:03:34 UTC

AV detection:

15 of 39 (38.46%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=vcbcfvuqyrbknwfpkczn34qlo4dbdmfedpsfqw26t5lcuvkcsu5q._file

Verdict:

malicious

Result

Malware family:

danabot

Score:

10/10

Tags:

family:danabot botnet:4 banker discovery trojan

Link:

https://tria.ge/reports/211013-wkp95sehf7/

Behaviour

Checks processor information in registry

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Program crash

Drops file in Program Files directory

Suspicious use of SetThreadContext

Checks installed software on the system

Loads dropped DLL

Blocklisted process makes network request

Danabot

Danabot Loader Component

Suspicious use of NtCreateProcessExOtherParentProcess

Malware Config

C2 Extraction:

192.119.110.73:443
192.236.147.159:443
192.210.222.88:443

Unpacked files

SH256 hash:

9d7bd3354328dc5fac53a9ef61d2f7c686e5f44d4ab5715270429171e796fe4f

MD5 hash:

4e3e9931fed14e06e2d4ae6303d8cff8

SHA1 hash:

cab08f17115890c4515849e52a4b1956d24d1502

Link:

https://www.unpac.me/results/69a16ec3-e953-4696-a363-c362903ac2c1/

SH256 hash:

a88222d690c442a6d8af50b2ddf20b770611b0a41be4585b5e9f562a5542953b

MD5 hash:

43bd9c07d8cbb790982087b309f45a76

SHA1 hash:

a95eabdda268bc3e59a60c6b62f2d9759543ba0e

Link:

https://www.unpac.me/results/69a16ec3-e953-4696-a363-c362903ac2c1/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a88222d690c442a6d8af50b2ddf20b770611b0a41be4585b5e9f562a5542953b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

exe a88222d690c442a6d8af50b2ddf20b770611b0a41be4585b5e9f562a5542953b

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1640605/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/1660814/

Cape

https://www.capesandbox.com/analysis/197351/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample