MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8fb946c9c0070123295b9286000b04d724a064af163a194af2022571ec641dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a8fb946c9c0070123295b9286000b04d724a064af163a194af2022571ec641dc
SHA3-384 hash: 9b77a37e35bc06575fdf0c30d400f837d737b83565cf9ebc3682317d56ea21d3752bae732165cbbf44cf2eab509e6782
SHA1 hash: ab0edd869a0b97b2c918636a87a54ecf7d2d9191
MD5 hash: fc55d8c111277e3f7647f23a3bd97306
humanhash: golf-papa-stairway-salami
File name:fc55d8c111277e3f7647f23a3bd97306.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'893'376 bytes
First seen:2021-12-03 10:12:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 286fc3216fe488392429cb2b1f6c8c4a (1 x RedLineStealer, 1 x DanaBot)
ssdeep 49152:L4iF78nfu2aKijq4939x+XS6dYOzCQJ++:T8nVJSx+XVdY6+
Threatray 7'912 similar samples on MalwareBazaar
TLSH T1C695231133B0C039F1F722FC4A7CA269992E7D61A734A8DF22D51AED96246D5EC32347
File icon (PE):PE icon
dhash icon e0e8e8e8aa62a489 (7 x RedLineStealer, 1 x Glupteba, 1 x DanaBot)
Reporter abuse_ch
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
500
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fc55d8c111277e3f7647f23a3bd97306.exe
Verdict:
Malicious activity
Analysis date:
2021-12-03 10:23:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b13a7630-f19c-4579-894e-b1a0aec1b01e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DanaBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/210998/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file
Enabling the 'hidden' option for recently created files
DNS request
Launching a process
Creating a process with a hidden window
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/645/overview
Behaviour
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/61a9edb047ed217c012fbe97/reports/1d02fd9d-7347-4854-858b-8e29523e8ac6/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a45e2622-987b-461a-b4a5-b75aa7e93492
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/900769
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a8fb946c9c0070123295b9286000b04d724a064af163a194af2022571ec641dc/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-12-03 01:37:08 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vd5zi3e4abybemuvxeugaafqjvzeubsk6fr2dffpearfohwgihoa._file
Verdict:
malicious
Similar samples:
173240b443fdb5cc7ed97cf6eedeb0d823924df3dab6d468c9da2898443f3ac6
DanaBot
1bceb4e84115eabb8bf3df704b5cc014834ca08b126451ae95d60a968e66d666
DanaBot
2793bbaba9d12a4a740b6c957143367ce1fb13bb98ecb122e2cb41728bed525e
DanaBot
2e3b767101904dd4352ece4ac162a9253edc02609db93ef70801e3a6fe1268f4
DanaBot
2fbf6c5454bb88073ecbc13b293375ec58a9f8636c188881ffd7a3573f3c1cac
DanaBot
596e82d24c64a373095159ee769df582d6f34fde24eb537aca442d8f01c491db
DanaBot
69fac4fe77b6da550498724f01e6db66d5c18a19c185d824bf62afdaccb0a7d6
DanaBot
721bf1dd5787108ecf31dd3bbab5e355ca55bdc68eb2358ce891290a7ce2048c
DanaBot
8f71fca5621ccb7ba3558cfebc17014d27923d1c73ad97ececb577fd5b937047
DanaBot
8f983b92dea0643ef2b8411e5506def0c0235b1addd4daa9d13e59ff4f88a1ef
DanaBot
+ 7'902 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot banker trojan
Link:
https://tria.ge/reports/211203-l83v2abag6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Loads dropped DLL
Danabot
Danabot Loader Component
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
142.11.244.223:443
23.106.122.139:443
Unpacked files
SH256 hash:
23e88d9423a3078434e92eb9fe03eb568044d114fa3fea0574419f523d12bf01
MD5 hash:
be15699417b757c5bfdbeca8056a166d
SHA1 hash:
cc8ff240fddbcf26a2e6597ed4f9b6542af3d24b
Link:
https://www.unpac.me/results/2e6ab0f0-c3a2-4554-a27e-ecc6537f95b9/
SH256 hash:
1c6b6d06c842c6f8a9c802aa6bfdd03a5b254a4e30625ce1fcf732ed7e2dc9e1
MD5 hash:
a0e74dce370a45e445a0b27f24b85eac
SHA1 hash:
eacb1475d4a4f2a402c8798bdf32176924b6cfaf
Link:
https://www.unpac.me/results/2e6ab0f0-c3a2-4554-a27e-ecc6537f95b9/
SH256 hash:
a8fb946c9c0070123295b9286000b04d724a064af163a194af2022571ec641dc
MD5 hash:
fc55d8c111277e3f7647f23a3bd97306
SHA1 hash:
ab0edd869a0b97b2c918636a87a54ecf7d2d9191
Link:
https://www.unpac.me/results/2e6ab0f0-c3a2-4554-a27e-ecc6537f95b9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a8fb946c9c0070123295b9286000b04d724a064af163a194af2022571ec641dc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_DanaBot
Create hunting rule
Author:ditekSHen
Description:Detects DanaBot variants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe a8fb946c9c0070123295b9286000b04d724a064af163a194af2022571ec641dc

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1772785/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1829756/
Cape
Cape
https://www.capesandbox.com/analysis/210998/

Comments