MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 adc58d4f64455555adea14cb604a69387700cba52e238e989f61eecfbdb6156c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: adc58d4f64455555adea14cb604a69387700cba52e238e989f61eecfbdb6156c
SHA3-384 hash: 342ccc08ce8a2ccb81e1974152c8023eeedb908c3d3c3fa50a555d659225ce16f36bf3adbeb72c60ac9c5471392ebb1f
SHA1 hash: 17792f1dbb6dff2e187f4c98edd987d9dd42ec2c
MD5 hash: 2cf089be6e99e888313df81b8f60e102
humanhash: minnesota-twenty-alanine-pasta
File name:2cf089be6e99e888313df81b8f60e102
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'184'256 bytes
First seen:2021-08-19 16:02:46 UTC
Last seen:2021-08-19 16:57:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c373d93df8b60680e045175a45030767 (7 x Amadey, 2 x Glupteba, 2 x DanaBot)
ssdeep 24576:1pCMWN57mmQbWq6rAoc0P4MOPzhgzjWdusosV6/y+vKijq6:1pAAB680QbPKPWdusotKV
Threatray 4'205 similar samples on MalwareBazaar
TLSH T112451220B5A0C035E46613F49A7D93BC6B287DB15B6150EF72E637EE26342E09D3126F
dhash icon ead8ac9cc6e68ee0 (118 x RaccoonStealer, 102 x RedLineStealer, 46 x Smoke Loader)
Reporter zbetcheckin
Tags:32 DanaBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
264
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2cf089be6e99e888313df81b8f60e102
Verdict:
Malicious activity
Analysis date:
2021-08-19 16:05:12 UTC
Tags:
trojan danabot
Link:
https://app.any.run/tasks/408bcdd4-303a-46a6-9d98-5b484b608d56

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DanaBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/180744/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.9695.5356.17300.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file
Enabling the 'hidden' option for recently created files
Launching a process
Creating a process with a hidden window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9b06cadd-9463-4554-9d5e-e0c5f24c682f
Result
Threat name:
Unknown
Detection:
malicious
Classification:
bank.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/835921
Signature
Bypasses PowerShell execution policy
Detected unpacking (changes PE section rights)
Enables a proxy for the internet explorer
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sets a proxy for the internet explorer
Sigma detected: Suspicious Script Execution From Temp Folder
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 468351 Sample: Pg0f4wnEO2 Startdate: 19/08/2021 Architecture: WINDOWS Score: 100 35 localhost 2->35 37 8.8.8.8.in-addr.arpa 2->37 45 Multi AV Scanner detection for dropped file 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 Machine Learning detection for sample 2->49 51 Sigma detected: Suspicious Script Execution From Temp Folder 2->51 10 Pg0f4wnEO2.exe 1 2->10         started        signatures3 process4 file5 33 C:\Users\user\Desktop\PG0F4W~1.EXE.tmp, PE32 10->33 dropped 61 Detected unpacking (changes PE section rights) 10->61 14 rundll32.exe 2 10->14         started        signatures6 process7 dnsIp8 43 23.229.29.48, 443, 49725, 49728 SERVER-MANIACA Canada 14->43 63 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->63 65 Bypasses PowerShell execution policy 14->65 18 rundll32.exe 10 22 14->18         started        signatures9 process10 dnsIp11 39 127.0.0.1 unknown unknown 18->39 41 192.168.2.1 unknown unknown 18->41 31 C:\Users\user\AppData\...\tmp1244.tmp.ps1, ASCII 18->31 dropped 53 System process connects to network (likely due to code injection or exploit) 18->53 55 Tries to harvest and steal browser information (history, passwords, etc) 18->55 57 Sets a proxy for the internet explorer 18->57 59 Enables a proxy for the internet explorer 18->59 23 powershell.exe 17 18->23         started        25 powershell.exe 13 18->25         started        file12 signatures13 process14 process15 27 conhost.exe 23->27         started        29 conhost.exe 25->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/adc58d4f64455555adea14cb604a69387700cba52e238e989f61eecfbdb6156c/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-08-19 16:03:07 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vxcy2t3eivkvllpkctfwastjhb3qbs5ffyry5ge7mhxm7pnwcvwa._file
Verdict:
malicious
Similar samples:
053542bbd9ab3b0436469e6d6ae5ff0b72e55f882a08e23d8ab481e1357d9528
DanaBot
4773c2edf97089e1ea3108cb675777b870020f5e3082dec8a89a3bc5a2297c1c
DanaBot
58dd074be5e51ca44f0c67ed712b3bb7a1afe1723adccdf3491636fef7cf1a2d
DanaBot
967e08d85b9639892fd4bf4ab2d3e6fc7dcd4afe22326e4114df182c8b0a9b5e
DanaBot
ac783ad55fbc3133892c6df4490d701b9493020971c95dae47983721115d6842
DanaBot
bdd0c7cbefda7e06ae77b73b86f97ce92ec35be89de53681f6aa9c8b6f1467d0
DanaBot
c252d146aa7c269b0db0a7c05f094da93234e6ace6ad52bd33860edd4127b6eb
DanaBot
caeba1910c89f2122e91e962d96987421b822487681d549bcf9d3118d1b87bb4
DanaBot
e83e6702c3b59f275981161db3eabdb589051a4d36ad2d74c34a8fc45cb31a30
DanaBot
f5fe7311025d620bccb08dcfb69f03c71620351b35ea8635b798ffc62374423a
DanaBot
+ 4'195 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot botnet:4 banker discovery spyware stealer trojan
Link:
https://tria.ge/reports/210819-p889xa5l2e/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Danabot
Danabot Loader Component
Malware Config
C2 Extraction:
23.229.29.48:443
152.89.247.31:443
192.210.222.81:443
Unpacked files
SH256 hash:
ffd8fdaa548d951f98e0c2596f8e12a001db137142ece3c4f05bda056c0bc85d
MD5 hash:
3fc84ffac4d5247b70ea4f497d55f5d9
SHA1 hash:
24d7aacab45d49c007b5bd9c369445fbcd80ebec
Link:
https://www.unpac.me/results/846654e0-269d-45ef-89c3-dec09b2f8c39/
SH256 hash:
0edafdc1bc00f52ea45a738feed7dcee946bb8d19d5ca0737922fae45959913b
MD5 hash:
a8bb82058da2d86fbeedd5b0594adba7
SHA1 hash:
4f49222e5a5439a181cca42cc14bb3a8588905e1
Link:
https://www.unpac.me/results/846654e0-269d-45ef-89c3-dec09b2f8c39/
SH256 hash:
adc58d4f64455555adea14cb604a69387700cba52e238e989f61eecfbdb6156c
MD5 hash:
2cf089be6e99e888313df81b8f60e102
SHA1 hash:
17792f1dbb6dff2e187f4c98edd987d9dd42ec2c
Link:
https://www.unpac.me/results/846654e0-269d-45ef-89c3-dec09b2f8c39/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/adc58d4f64455555adea14cb604a69387700cba52e238e989f61eecfbdb6156c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe adc58d4f64455555adea14cb604a69387700cba52e238e989f61eecfbdb6156c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1495647/
  
URLhaus
https://urlhaus.abuse.ch/url/1490082/
Cape
Cape
https://www.capesandbox.com/analysis/180744/

Comments


Avatar
zbet commented on 2021-08-19 16:02:46 UTC

url : hxxp://104.144.69.50/ksvchost.exe