MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 abbbebf84a817bd400191d0f4f41bffcf85941d143849d43babfe45f1091ccc4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments 1

SHA256 hash:	abbbebf84a817bd400191d0f4f41bffcf85941d143849d43babfe45f1091ccc4
SHA3-384 hash:	45662064f741f3cc57c59e814296b33d020ffb70bf8dd7ae1ae34eab260596fbf84ef88a86f1b4f7890923c1a2504964
SHA1 hash:	b0b6c2b056ea5742d8ff2dd3d40f976e112d73f2
MD5 hash:	a28b4d44c63583f0f9f4fdf8da5615d7
humanhash:	island-fish-cola-earth
File name:	a28b4d44c63583f0f9f4fdf8da5615d7
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	1'138'688 bytes
First seen:	2021-07-23 19:06:18 UTC
Last seen:	2021-07-23 20:00:09 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	d09a478840961ad890ac4dc4d59be69d (10 x Smoke Loader, 4 x RaccoonStealer, 2 x RedLineStealer)
ssdeep	24576:7kZf8n/aM8cwM37+aDYDmYLATKjlMuL3ZIIL/TBPA:73kcJ3KfSYLrjLSInBI
Threatray	2'898 similar samples on MalwareBazaar
TLSH	T1B5352355F670C5B3C0B408B885E292A8323DB5517B91DE437A573FBF2E302E066A625F
dhash icon	48b9b2b4e8c18c90 (8 x RaccoonStealer, 3 x DanaBot, 1 x CryptBot)
Reporter	zbetcheckin
Tags:	32 DanaBot exe

Intelligence

File Origin

# of uploads :

# of downloads :

235

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

a28b4d44c63583f0f9f4fdf8da5615d7

Verdict:

Malicious activity

Analysis date:

2021-07-23 19:12:03 UTC

Tags:

trojan danabot

Link:

https://app.any.run/tasks/115475f3-8412-4ece-bd0f-fa4c342fd369

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/173771/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.8656.304.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3e5bf0e6-77e8-437b-8e5a-fa5655594154

Result

Threat name:

Unknown

Detection:

malicious

Classification:

bank.troj.adwa.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/821021

Signature

Bypasses PowerShell execution policy

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Enables a proxy for the internet explorer

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sets a proxy for the internet explorer

Sigma detected: Suspicious Script Execution From Temp Folder

System process connects to network (likely due to code injection or exploit)

Tries to harvest and steal browser information (history, passwords, etc)

Uses nslookup.exe to query domains

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/abbbebf84a817bd400191d0f4f41bffcf85941d143849d43babfe45f1091ccc4/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-07-23 19:07:08 UTC

AV detection:

19 of 46 (41.30%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=vo56x6ckqf55iaazduhu6qn77t4fsqoriocj2q52x7sf6eerztca._file

Verdict:

malicious

Result

Malware family:

danabot

Score:

10/10

Tags:

family:danabot botnet:4 banker discovery spyware stealer trojan

Link:

https://tria.ge/reports/210723-whnsg6ywv6/

Behaviour

Checks processor information in registry

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Program Files directory

Checks installed software on the system

Loads dropped DLL

Reads user/profile data of web browsers

Blocklisted process makes network request

Danabot

Malware Config

C2 Extraction:

142.11.244.124:443
142.11.206.50:443

Unpacked files

SH256 hash:

d7fbb290d9f24ae5f547fe60268e636f205367104aed7fe7b9563f3996ced443

MD5 hash:

02e6a2ff71d8467f7d4113a20a66a039

SHA1 hash:

80c16bbcc268ee67bc149d2fd8c270eda9c1ecda

Link:

https://www.unpac.me/results/f32e175f-4049-40c2-b347-a3cbbc0a9cb3/

SH256 hash:

873a64d657ca7240f671880a474a9ccd8f50c1b7ca8cd581593a7ce18bd72dcd

MD5 hash:

e5153d69aa71b4fa02c54cd9a084ffab

SHA1 hash:

d1d36aa4fdc812c7c75c356bac119f4c462acaf5

Link:

https://www.unpac.me/results/f32e175f-4049-40c2-b347-a3cbbc0a9cb3/

SH256 hash:

abbbebf84a817bd400191d0f4f41bffcf85941d143849d43babfe45f1091ccc4

MD5 hash:

a28b4d44c63583f0f9f4fdf8da5615d7

SHA1 hash:

b0b6c2b056ea5742d8ff2dd3d40f976e112d73f2

Link:

https://www.unpac.me/results/f32e175f-4049-40c2-b347-a3cbbc0a9cb3/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/abbbebf84a817bd400191d0f4f41bffcf85941d143849d43babfe45f1091ccc4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

exe abbbebf84a817bd400191d0f4f41bffcf85941d143849d43babfe45f1091ccc4

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/1461110/

URLhaus

https://urlhaus.abuse.ch/url/1467030/

Cape

https://www.capesandbox.com/analysis/173771/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2021-07-23 19:06:19 UTC

url : hxxp://23.229.29.42/cvhost.exe