MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab989aa468cfedde0cf4f1c8a07af418c3f7d64c716f5034e7b144a14030a42e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ab989aa468cfedde0cf4f1c8a07af418c3f7d64c716f5034e7b144a14030a42e
SHA3-384 hash: 401abe2e151598e851d534aa1f1d21fb54c828fff0f90285e74138951544169d809218c0354dce62041ef1bed6c848e3
SHA1 hash: 41ca784d1848feb23abb908d8e0956b4388a3ea8
MD5 hash: 63d15d5090f05f893dddb0cfed1ffeb7
humanhash: network-winter-steak-floor
File name:63d15d5090f05f893dddb0cfed1ffeb7.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'344'025 bytes
First seen:2021-06-04 07:23:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 24576:Zkzs1Z2P059LJoXnDMhT+OV0NwetPCWvtbI1v58r9HdWbHcjlleRnRXZM:B1Z2PqlmXDM9aW9h8J0LcjzeVRXZM
Threatray 171 similar samples on MalwareBazaar
TLSH 095523421F69C97BF6970F725C35A6836125BC1A613DC3EF5204EE4EF8B19034E09B6A
Reporter abuse_ch
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
526
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
63d15d5090f05f893dddb0cfed1ffeb7.exe
Verdict:
No threats detected
Analysis date:
2021-06-04 07:31:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/dd4a7734-66e4-4631-a870-22fa60c04db6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/164565/
Detection(s):
Win.Packed.Filerepmalware-9864117-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Deleting a recently created file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Sending a UDP request
Creating a file in the %AppData% subdirectories
DNS request
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/797150
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to register a low level keyboard hook
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 429549 Sample: nFxf7gz8gh.exe Startdate: 04/06/2021 Architecture: WINDOWS Score: 100 54 ip-api.com 2->54 62 Antivirus / Scanner detection for submitted sample 2->62 64 Multi AV Scanner detection for dropped file 2->64 66 Multi AV Scanner detection for submitted file 2->66 68 7 other signatures 2->68 11 nFxf7gz8gh.exe 25 2->11         started        14 SmartClock.exe 2->14         started        16 SmartClock.exe 2->16         started        signatures3 process4 file5 46 C:\Users\user\AppData\Local\Temp\...\vpn.exe, PE32 11->46 dropped 48 C:\Users\user\AppData\Local\Temp\...\4.exe, PE32 11->48 dropped 50 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 11->50 dropped 52 3 other files (none is malicious) 11->52 dropped 18 vpn.exe 7 11->18         started        20 4.exe 4 11->20         started        process6 dnsIp7 24 cmd.exe 1 18->24         started        56 192.168.2.1 unknown unknown 20->56 44 C:\Users\user\AppData\...\SmartClock.exe, PE32 20->44 dropped 27 SmartClock.exe 20->27         started        file8 process9 signatures10 70 Submitted sample is a known malware sample 24->70 72 Obfuscated command line found 24->72 74 Uses ping.exe to sleep 24->74 76 Uses ping.exe to check the status of other devices and networks 24->76 29 cmd.exe 3 24->29         started        32 conhost.exe 24->32         started        process11 signatures12 78 Obfuscated command line found 29->78 80 Uses ping.exe to sleep 29->80 34 Chiude.exe.com 29->34         started        36 PING.EXE 1 29->36         started        39 findstr.exe 1 29->39         started        process13 dnsIp14 41 Chiude.exe.com 34->41         started        58 127.0.0.1 unknown unknown 36->58 process15 dnsIp16 60 vEOxpiOBJa.vEOxpiOBJa 41->60
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ab989aa468cfedde0cf4f1c8a07af418c3f7d64c716f5034e7b144a14030a42e/
Threat name:
Win32.Trojan.Doina
Create hunting rule
Status:
Malicious
First seen:
2021-06-03 20:36:09 UTC
AV detection:
19 of 47 (40.43%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1298b62fc3c9668e95a2d8af5f3c227afa87083c3e614d48d01d01509316c3ec
DanaBot
1bf9a15445a908fdcd7d4a5a0584678a1efb086d1eccbf0ae60393f6be208919
DanaBot
6f6a28c56adaaf83617deac4c89e060074b14697872ffcbce53c72cd5cf5a3b5
DanaBot
7e41bf3313b1f633bebccfcbc0440b35d84b154eb4d1462385aaa82e0093de73
DanaBot
8cec146d7a7b594cf7748b35c63ea1fed2c994ef2cdbb5731f1b15d9c9fa1ee3
DanaBot
c06a0e78bbdb7eb777ee46932da052fc2bc4efc2987e63bad29d2177cdcb7cb4
DanaBot
c5abf55b0591c96c64316cef1b7c5124f3b7ab3d05bc75ab80ae17c53d01dc72
DanaBot
fa83c0bb710987cdf1c5ed15400d938bc818d20c34af9e96e8cd99fc2ac3a172
DanaBot
fb5d2b6d9ec1b9c07e64f6b9eb148099f0b43d58dc867102c02b16a9a9152022
DanaBot
fc2a8472021c1f37e7ba14fd51259d37d10bd030ecd33134ebf42d3279ab860a
DanaBot
+ 161 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot botnet:3 banker discovery spyware stealer trojan
Link:
https://tria.ge/reports/210604-1p3xjg8fks/
Behaviour
Checks processor information in registry
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Checks installed software on the system
Drops desktop.ini file(s)
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Danabot
Malware Config
C2 Extraction:
184.95.51.183:443
184.95.51.175:443
192.210.198.12:443
184.95.51.180:443
Unpacked files
SH256 hash:
f110026b21045cbeea95fec9efbf3ef90605584d3e05beafc01b821dab38a6d1
MD5 hash:
df51db963223abe9207ecea766d3baff
SHA1 hash:
d50145135b252f017480840669e86c01638fb35e
Link:
https://www.unpac.me/results/bb417097-1ddc-4dc3-a341-b0985f7069b1/
SH256 hash:
ff1c808ad9aa2a39546666d15d1142c4f1a7dc3085a6ee2ec4d62ee4f6181ac3
MD5 hash:
952fcc3d10fd7b9352d18b86a982c851
SHA1 hash:
733437c049c7575670bf5d0a399d71ddea9ccdf8
Link:
https://www.unpac.me/results/bb417097-1ddc-4dc3-a341-b0985f7069b1/
SH256 hash:
cae2af36f866fed9753ecc423bf1cfb3d1b5f2c3179dddc1715d6c896812d669
MD5 hash:
0fcc3d7408dfb7b31d8e36982dab298c
SHA1 hash:
6ebe13e8565ab5cfc7f8eac8973c156531b2a1e2
Link:
https://www.unpac.me/results/bb417097-1ddc-4dc3-a341-b0985f7069b1/
SH256 hash:
ab989aa468cfedde0cf4f1c8a07af418c3f7d64c716f5034e7b144a14030a42e
MD5 hash:
63d15d5090f05f893dddb0cfed1ffeb7
SHA1 hash:
41ca784d1848feb23abb908d8e0956b4388a3ea8
Link:
https://www.unpac.me/results/bb417097-1ddc-4dc3-a341-b0985f7069b1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ab989aa468cfedde0cf4f1c8a07af418c3f7d64c716f5034e7b144a14030a42e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe ab989aa468cfedde0cf4f1c8a07af418c3f7d64c716f5034e7b144a14030a42e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1320970/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/164565/

Comments