MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae2e9d6d5487e2ff62e528faf8f1ef5a13478eb76da536b2ed737b6a4967f876. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 10

Intelligence 10 IOCs 1 YARA File information Comments

SHA256 hash:	ae2e9d6d5487e2ff62e528faf8f1ef5a13478eb76da536b2ed737b6a4967f876
SHA3-384 hash:	03ecf3650a63735bf6d2aacf8fa8dd6560abca8a0902e287a5ad57f43dd666e46910d4ab07c77d48fd4f019d6cee0fc4
SHA1 hash:	838bee45bf9af4a22a6a26c88ee325305bc81df3
MD5 hash:	2e7b3a82f4875e08c62381ed612f5915
humanhash:	sad-utah-carolina-dakota
File name:	2e7b3a82f4875e08c62381ed612f5915.exe
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	1'124'864 bytes
First seen:	2022-03-07 07:35:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e3a468e33131e43ff6cb0ed3ba60251f (2 x DanaBot, 2 x Stop, 1 x Gozi)
ssdeep	24576:ol2f/drFFywMOlDpoavrq8ysHhaoMbnFsx8L8gUh:QC/Mstb2IaNGxD
TLSH	T1AD351214AB90D035F0B316F8567AC36DA52E7FA0632850CB62D52BDE87396E0ED31747
File icon (PE):
dhash icon	25ec137839939b91 (7 x RedLineStealer, 4 x Smoke Loader, 3 x RaccoonStealer)
Reporter	abuse_ch
Tags:	DanaBot exe

abuse_ch

DanaBot C2:
23.254.201.147:443

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
23.254.201.147:443	https://threatfox.abuse.ch/ioc/392763/

Intelligence

File Origin

# of uploads :

# of downloads :

560

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/247762/

Detection(s):

Win.Dropper.Generickdz-9939781-0

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Searching for the window

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Creating a window

Launching a process

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %temp% directory

Сreating synchronization primitives

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/8434/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

CPUID_Instruction

EvasionQueryPerformanceCounter

EvasionGetTickCount

CheckCmdLine

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

DanaBot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8ca5eb06-75e0-467f-af29-fcab44dd6bba

Result

Threat name:

DanaBot

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/951586

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected DanaBot stealer dll

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ae2e9d6d5487e2ff62e528faf8f1ef5a13478eb76da536b2ed737b6a4967f876/

Threat name:

Win32.Trojan.DanaBot

Status:

Malicious

First seen:

2022-03-07 07:36:14 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 27 (85.19%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vyxj23kuq7rp6yxffd5pr4pplijupdvxnwstnmxnon5wuslh7b3a._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/220307-je9qdaaea6/

Behaviour

Checks processor information in registry

Suspicious use of WriteProcessMemory

Program crash

Blocklisted process makes network request

Unpacked files

SH256 hash:

147f5039948eb4509e58f245ef664b1cd11ae0eb4d22f27873c2a3de974ef661

MD5 hash:

8d0a616ad73167f9a5ea2b81430815d4

SHA1 hash:

7e59422cd1baa799091873fb3fc9c632a3ea9c93

Link:

https://www.unpac.me/results/9de4db78-c156-45ef-bae6-1bda309b84f4/

SH256 hash:

ae2e9d6d5487e2ff62e528faf8f1ef5a13478eb76da536b2ed737b6a4967f876

MD5 hash:

2e7b3a82f4875e08c62381ed612f5915

SHA1 hash:

838bee45bf9af4a22a6a26c88ee325305bc81df3

Link:

https://www.unpac.me/results/9de4db78-c156-45ef-bae6-1bda309b84f4/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/ae2e9d6d5487/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ae2e9d6d5487e2ff62e528faf8f1ef5a13478eb76da536b2ed737b6a4967f876

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

exe ae2e9d6d5487e2ff62e528faf8f1ef5a13478eb76da536b2ed737b6a4967f876

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2078748/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/247762/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample