MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab2c8662c8101b040f3b5e41eb3639b1be3ce9da6ac155f7a4b0fbe63bb3fde3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ab2c8662c8101b040f3b5e41eb3639b1be3ce9da6ac155f7a4b0fbe63bb3fde3
SHA3-384 hash: b656760696d0ba05e2021934272c445158593589e8f48d1dffd61a6309c49876e3a19fe594dad2bfebaf4efa234c4b90
SHA1 hash: 2bfc01eb36f7e9863d093b190939afbd04c015e5
MD5 hash: 91b1dc3f70f739111bfa2b2e42ea30b5
humanhash: one-low-red-november
File name:91b1dc3f70f739111bfa2b2e42ea30b5.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:6'411'056 bytes
First seen:2021-10-08 18:04:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 196608:I0LYFdxMbctHWVJ6QXw2iwx5ytLF5OcF9EnXciUJ3Qef:I0axftHWVJ6Lwut6cYvAR
Threatray 6'114 similar samples on MalwareBazaar
TLSH T1B2563371F67058B3FE2E8B75846F38329AA2BCB066319176CD1BE9DB0770D82D524B11
File icon (PE):PE icon
dhash icon 0cfae274e0f0f430 (5 x DanaBot)
Reporter abuse_ch
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
509
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
91b1dc3f70f739111bfa2b2e42ea30b5.exe
Verdict:
No threats detected
Analysis date:
2021-10-08 18:24:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f8502b93-5921-42bf-a953-23d066a0d1ed

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/196228/
Detection(s):
Win.Packed.Filerepmalware-9864117-0
Create hunting rule

Win.Packed.Stop-9872858-0
Create hunting rule

Win.Packed.Doina-9886276-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a file in the Program Files subdirectories
Deleting a recently created file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61608819e3d213d202bc0213/reports/b826f055-97b4-4d0d-9995-c6fa0bb7ed31/overview
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/867253
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Hides threads from debuggers
Machine Learning detection for dropped file
May check the online IP address of the machine
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 499681 Sample: 2sHho7tQL6.exe Startdate: 08/10/2021 Architecture: WINDOWS Score: 100 54 Antivirus / Scanner detection for submitted sample 2->54 56 Tries to detect sandboxes and other dynamic analysis tools (window names) 2->56 58 PE file contains section with special chars 2->58 60 2 other signatures 2->60 7 2sHho7tQL6.exe 25 2->7         started        10 IntelRapid.exe 2->10         started        13 IntelRapid.exe 2->13         started        process3 file4 30 C:\Users\user\AppData\Local\...\origanvp.exe, PE32 7->30 dropped 32 C:\Users\user\AppData\Local\...\kitsch.exe, PE32+ 7->32 dropped 34 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 7->34 dropped 36 3 other files (none is malicious) 7->36 dropped 15 origanvp.exe 3 18 7->15         started        19 kitsch.exe 4 7->19         started        72 Query firmware table information (likely to detect VMs) 10->72 74 Hides threads from debuggers 10->74 76 Tries to detect sandboxes / dynamic malware analysis system (registry check) 10->76 signatures5 process6 dnsIp7 40 ip-api.com 208.95.112.1, 49750, 80 TUT-ASUS United States 15->40 42 Antivirus detection for dropped file 15->42 44 Query firmware table information (likely to detect VMs) 15->44 46 May check the online IP address of the machine 15->46 52 2 other signatures 15->52 22 wscript.exe 12 15->22         started        28 C:\Users\user\AppData\...\IntelRapid.exe, PE32+ 19->28 dropped 48 Hides threads from debuggers 19->48 50 Tries to detect sandboxes / dynamic malware analysis system (registry check) 19->50 26 IntelRapid.exe 19->26         started        file8 signatures9 process10 dnsIp11 38 iplogger.org 88.99.66.31, 443, 49754 HETZNER-ASDE Germany 22->38 62 System process connects to network (likely due to code injection or exploit) 22->62 64 May check the online IP address of the machine 22->64 66 Query firmware table information (likely to detect VMs) 26->66 68 Hides threads from debuggers 26->68 70 Tries to detect sandboxes / dynamic malware analysis system (registry check) 26->70 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ab2c8662c8101b040f3b5e41eb3639b1be3ce9da6ac155f7a4b0fbe63bb3fde3/
Threat name:
Win32.Infostealer.ClipBanker
Create hunting rule
Status:
Malicious
First seen:
2021-10-08 18:04:17 UTC
AV detection:
21 of 45 (46.67%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
131d6fb9204ceda508075afce9b9b65e429952674e914d224268deb319a0aab1
DanaBot
34d14ab08b41d288019d4966b337e5ee13d07cdb652dabf51834bac44c0052f8
DanaBot
5232589e3096a9f29234f1927955c884e544b6177d027658bac201a64a63ce25
DanaBot
81f9e755ba26058922c5fdb70ead4d6d36c65e95d3bc59a44112c0dd1f928b0e
DanaBot
82986179159fb1244b89a23ab01b915fe1c24407712c156a087fe902572a4a8f
DanaBot
acda9ae5a6c865eb3291e1bb7cc41e6b0f86a12e180c984a2f4fcb302505021b
DanaBot
b1e542752d5c1a59c5efa28cd63de4235b394bdd700c3e3fb6daf71e10de7d72
DanaBot
d565f4380b4f2d25673f08df8e88d331e0daf7946a73c83e8d1630e2b347ddf9
DanaBot
e13fb6156b386d9cea3a46c3835a97636ad0eeddda3b354f86f19915721638fc
DanaBot
+ 6'104 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot botnet:4 banker collection discovery evasion spyware stealer themida trojan
Link:
https://tria.ge/reports/211008-wnmneseham/
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Danabot
Danabot Loader Component
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
142.11.242.31:443
192.119.110.73:443
192.210.222.88:443
Unpacked files
SH256 hash:
7d5befbfb3a73be49e6080b321b72f18175df247805986a246f11aead3d0c6a1
MD5 hash:
7c51c080eebfabe9c36501a39fd872b9
SHA1 hash:
3c28c45890f42c35620dfe16769578d9cb973a40
Link:
https://www.unpac.me/results/867c6450-c1f6-47d2-bdb9-753b5ce699ef/
SH256 hash:
ab2c8662c8101b040f3b5e41eb3639b1be3ce9da6ac155f7a4b0fbe63bb3fde3
MD5 hash:
91b1dc3f70f739111bfa2b2e42ea30b5
SHA1 hash:
2bfc01eb36f7e9863d093b190939afbd04c015e5
Link:
https://www.unpac.me/results/867c6450-c1f6-47d2-bdb9-753b5ce699ef/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ab2c8662c8101b040f3b5e41eb3639b1be3ce9da6ac155f7a4b0fbe63bb3fde3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe ab2c8662c8101b040f3b5e41eb3639b1be3ce9da6ac155f7a4b0fbe63bb3fde3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1660821/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/196228/

Comments