MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae9aabd03661ced937c594cf83df2303a5991e3c2382474111e69322e6f22f32. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ae9aabd03661ced937c594cf83df2303a5991e3c2382474111e69322e6f22f32
SHA3-384 hash: ae337b02a91dc0260040f597f590d8c20f1ef9425b142865731975615be4d02177163072d76bba57abebff58ca004545
SHA1 hash: 5d8814ebcaabf09d9e7b033e105371367a9e09f2
MD5 hash: 2809de5c1d9de29a85dcd05e179b70e4
humanhash: avocado-stream-river-freddie
File name:2809de5c1d9de29a85dcd05e179b70e4.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'265'551 bytes
First seen:2021-05-23 06:38:02 UTC
Last seen:2021-05-23 07:01:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 24576:ZH1ZKjj8ndBMq4HVf84B3htQoJ6oZ5GTCB1dVp1Oj:h1ZSj8ndlj4ntQofGTC9VpUj
Threatray 113 similar samples on MalwareBazaar
TLSH E3452391A98A983AFD908CF0DE31AB1D94B76C660534E32B03A6FC9E75778944F107D3
Reporter abuse_ch
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
311
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file.exe
Verdict:
Malicious activity
Analysis date:
2021-05-22 20:24:35 UTC
Tags:
installer stealer trojan loader autoit evasion
Link:
https://app.any.run/tasks/6a19ce7e-e78a-43e2-9d94-784752627eaf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Malware.Ffeq-9854726-0
Create hunting rule

PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Deleting a recently created file
Running batch commands
Creating a process with a hidden window
Creating a file
Launching cmd.exe command interpreter
Sending a UDP request
Launching a process
Creating a file in the %AppData% subdirectories
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/789398
Signature
Antivirus detection for dropped file
Contains functionality to register a low level keyboard hook
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 421794 Sample: UUPm7ZsyZQ.exe Startdate: 23/05/2021 Architecture: WINDOWS Score: 100 59 Antivirus detection for dropped file 2->59 61 Multi AV Scanner detection for dropped file 2->61 63 Multi AV Scanner detection for submitted file 2->63 65 6 other signatures 2->65 10 UUPm7ZsyZQ.exe 25 2->10         started        13 SmartClock.exe 2->13         started        15 SmartClock.exe 2->15         started        process3 file4 45 C:\Users\user\AppData\Local\Temp\...\vpn.exe, PE32 10->45 dropped 47 C:\Users\user\AppData\Local\Temp\...\4.exe, PE32 10->47 dropped 49 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 10->49 dropped 51 3 other files (none is malicious) 10->51 dropped 17 vpn.exe 7 10->17         started        19 4.exe 4 10->19         started        process5 dnsIp6 23 cmd.exe 2 17->23         started        55 192.168.2.1 unknown unknown 19->55 43 C:\Users\user\AppData\...\SmartClock.exe, PE32 19->43 dropped 26 SmartClock.exe 19->26         started        file7 process8 signatures9 67 Submitted sample is a known malware sample 23->67 69 Obfuscated command line found 23->69 71 Uses ping.exe to sleep 23->71 73 Uses ping.exe to check the status of other devices and networks 23->73 28 cmd.exe 3 23->28         started        31 conhost.exe 23->31         started        process10 signatures11 75 Obfuscated command line found 28->75 77 Uses ping.exe to sleep 28->77 33 PING.EXE 1 28->33         started        36 Quali.exe.com 28->36         started        38 findstr.exe 1 28->38         started        process12 dnsIp13 53 127.0.0.1 unknown unknown 33->53 40 Quali.exe.com 36->40         started        process14 dnsIp15 57 LrSfxvUGrKDUSKClHcvcmajDA.LrSfxvUGrKDUSKClHcvcmajDA 40->57
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ae9aabd03661ced937c594cf83df2303a5991e3c2382474111e69322e6f22f32/
Threat name:
Win32.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2021-05-22 22:44:51 UTC
File Type:
PE (Exe)
Extracted files:
48
AV detection:
20 of 47 (42.55%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
2e00fe5b5239656d02676e4e95e200ef21c1d1986e07d4c8d64d16ec1d6e821f
DanaBot
497c07b12b4e7f9082b872ef2aac2e9619f1dbc82c94993724cd246dd54b38c4
DanaBot
6b956e92b865ecc772c63964eee6d3ef9fcb56eea1b62c52130486d09b006542
DanaBot
70c29fa01c7cb936c92b0df9b8fc1faea3c7108e7dae3d32aa0b889b392dc53d
DanaBot
7deefc102955d15af316521068fd9df9474507a3f0d4ef0c8cfbae498dd8fdef
DanaBot
88b4dc586771eaca754612a6b980f435506220cb1bf9ff7a4b6ac3bcbe08b0f8
DanaBot
8b8a48214f0d0d1a9e210e5f871cc5f608ccb48b6079ec4bcdd5538adbd8d8f2
DanaBot
c06a0e78bbdb7eb777ee46932da052fc2bc4efc2987e63bad29d2177cdcb7cb4
DanaBot
fa83c0bb710987cdf1c5ed15400d938bc818d20c34af9e96e8cd99fc2ac3a172
DanaBot
fb5d2b6d9ec1b9c07e64f6b9eb148099f0b43d58dc867102c02b16a9a9152022
DanaBot
+ 103 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot botnet:3 banker discovery spyware stealer trojan
Link:
https://tria.ge/reports/210523-nwbkta9q12/
Behaviour
Checks processor information in registry
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks installed software on the system
Drops desktop.ini file(s)
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Danabot
Malware Config
C2 Extraction:
184.95.51.183:443
184.95.51.175:443
192.210.198.12:443
184.95.51.180:443
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ae9aabd03661ced937c594cf83df2303a5991e3c2382474111e69322e6f22f32

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe ae9aabd03661ced937c594cf83df2303a5991e3c2382474111e69322e6f22f32

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1271364/
  
Delivery method
Distributed via web download

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-23 07:15:26 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
1) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection
2) [F0002.002] Collection::Polling
3) [C0032.001] Data Micro-objective::CRC32::Checksum
4) [C0026.002] Data Micro-objective::XOR::Encode Data
7) [C0045] File System Micro-objective::Copy File
8) [C0046] File System Micro-objective::Create Directory
9) [C0048] File System Micro-objective::Delete Directory
10) [C0047] File System Micro-objective::Delete File
11) [C0049] File System Micro-objective::Get File Attributes
12) [C0051] File System Micro-objective::Read File
13) [C0050] File System Micro-objective::Set File Attributes
14) [C0052] File System Micro-objective::Writes File
15) [E1510] Impact::Clipboard Modification
16) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
17) [C0036.002] Operating System Micro-objective::Delete Registry Key::Registry
18) [C0036.007] Operating System Micro-objective::Delete Registry Value::Registry
19) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
20) [C0036.005] Operating System Micro-objective::Query Registry Key::Registry
21) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
22) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
23) [C0017] Process Micro-objective::Create Process
24) [C0038] Process Micro-objective::Create Thread
25) [C0018] Process Micro-objective::Terminate Process