MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b09f5ec9ca1a298cc48df6e146d6e1a8312123a04f5434c675ce94e54295446f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b09f5ec9ca1a298cc48df6e146d6e1a8312123a04f5434c675ce94e54295446f
SHA3-384 hash: e6437aedab28fd3014a5db9803d8403e0a0a60d42015175c74a37f450a9ead21c5c251fff0c01c2aaae70b3167258591
SHA1 hash: d0782e8117aeca79a9f07dae8fb3715733fc40ce
MD5 hash: eed5abef445c75bb537c544ea823c811
humanhash: sodium-may-lion-early
File name:eed5abef445c75bb537c544ea823c811.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:6'346'752 bytes
First seen:2021-06-10 10:14:29 UTC
Last seen:2021-06-10 10:50:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f40b232cbe413f9d51f8dd5200af3be3 (1 x DanaBot, 1 x ArkeiStealer, 1 x RaccoonStealer)
ssdeep 98304:CaF6hvEr0Om03eXfLALps5ToKpmphlWflmO39q+0ZFZT/xmewah4Xr5DDdfGR:4Ertm0OUZp3wgOtq+0bFwjahqrrg
Threatray 109 similar samples on MalwareBazaar
TLSH 63563320B7A1C035F9F227F9ECB50675D5357EA29B7410CF52CE1AEA8A206D0BD31B16
Reporter abuse_ch
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
302
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
E12B3D810276E5300981CDBBE7CDA010.exe
Verdict:
Malicious activity
Analysis date:
2021-06-10 03:09:16 UTC
Tags:
trojan opendir evasion loader stealer vidar netsupport unwanted danabot rat redline
Link:
https://app.any.run/tasks/74908a7d-83f1-47f7-b760-c695fa2942d9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DanaBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/165814/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46461932.16695.4586.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file
Launching a process
Creating a process with a hidden window
Changing a file
Modifying an executable file
Creating a file in the %temp% directory
Reading critical registry keys
Forced system process termination
Deleting a recently created file
Sending a TCP request to an infection source
Infecting executable files
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/800095
Signature
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Uses nslookup.exe to query domains
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 432496 Sample: xYKsdzAUj8.exe Startdate: 10/06/2021 Architecture: WINDOWS Score: 100 47 Found malware configuration 2->47 49 Multi AV Scanner detection for dropped file 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 4 other signatures 2->53 9 xYKsdzAUj8.exe 1 2->9         started        process3 file4 39 C:\Users\user\Desktop\XYKSDZ~1.EXE.dll, PE32 9->39 dropped 61 Detected unpacking (changes PE section rights) 9->61 63 Detected unpacking (overwrites its own PE header) 9->63 13 rundll32.exe 9->13         started        signatures5 process6 signatures7 65 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 13->65 67 Contains functionality to steal Internet Explorer form passwords 13->67 69 Bypasses PowerShell execution policy 13->69 71 Uses schtasks.exe or at.exe to add and modify task schedules 13->71 16 rundll32.exe 8 23 13->16         started        process8 dnsIp9 41 192.210.198.12, 443, 49721 AS-COLOCROSSINGUS United States 16->41 37 C:\Users\user\AppData\...\tmp6362.tmp.ps1, ASCII 16->37 dropped 55 System process connects to network (likely due to code injection or exploit) 16->55 57 Tries to harvest and steal browser information (history, passwords, etc) 16->57 21 powershell.exe 16 16->21         started        24 powershell.exe 16 16->24         started        26 schtasks.exe 1 16->26         started        file10 signatures11 process12 signatures13 59 Uses nslookup.exe to query domains 21->59 28 nslookup.exe 1 21->28         started        31 conhost.exe 21->31         started        33 conhost.exe 24->33         started        35 conhost.exe 26->35         started        process14 dnsIp15 43 localhost 28->43 45 8.8.8.8.in-addr.arpa 28->45
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b09f5ec9ca1a298cc48df6e146d6e1a8312123a04f5434c675ce94e54295446f/
Threat name:
Win32.Trojan.Zenpak
Create hunting rule
Status:
Malicious
First seen:
2021-06-10 10:15:26 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wcpv5sokdiuyzren63qunvxbvaysci5aj5kdjrtvz2kokquvirxq._file
Verdict:
malicious
Similar samples:
3a69d53fffc2b8fe5dc264bf431187612503af38ec137d01e5e6f5a8ff6128c6
DanaBot
558b7e82732b72e64fa83f6acbeab78e90ea7e3a9fc91e54d326c2304f2433b9
DanaBot
57357b402876a772f39631c930062011532774d893b69eb9c66ee3b1d3867b1a
DanaBot
734f6783c377c10fd6816563b4eaf0a0c1f5fd30d0ceb271d5df53eabf553a49
DanaBot
91aba74042505ab4b44295a886987e140510d6d9a38212e36e40f2433d64afcd
DanaBot
aca06c84c79542c68aee34141e53d43e865d9d0cce2fab122270cf7c230dca77
DanaBot
c3a37f9ca1adb4ac16434269e909bbc87fe684cfaf414473ecd8edc499e59fc5
DanaBot
cf0a8e3f14b2483a5b62385f141d63314f239cbd604b87748feb9c53627c4a8d
DanaBot
dc3d8c3f1d1991dca9dd82a1943e519e4049ee0a34f89af6c961adbfcd1a6918
DanaBot
eb2f15018cb74ad0c97044c7687df83445d45d6752104b0cbc9fad9ed22813be
DanaBot
+ 99 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot botnet:3 banker discovery spyware stealer trojan
Link:
https://tria.ge/reports/210610-9zq9cs96gx/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks installed software on the system
Drops desktop.ini file(s)
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Danabot
Malware Config
C2 Extraction:
192.210.198.12:443
37.220.31.50:443
184.95.51.183:443
184.95.51.175:443
Unpacked files
SH256 hash:
cd6c5efbf02eb7cfea370b155709954c250f84936141ea154f410fc3a566ef16
MD5 hash:
3525c12ea27c47582862a40853444206
SHA1 hash:
34ffe572eab974847383ef1c24de682e9d78de04
Link:
https://www.unpac.me/results/3da12d55-52b0-4669-8214-73de8dd37c66/
SH256 hash:
ab5742f22795a19c1cff270d3d3fef390e43a6a12bba6b69bbe54d479f9502f7
MD5 hash:
d737e87a8c985246adb399d0a8bf9b3b
SHA1 hash:
2ed4f18c905108e45535ea0e8fa7cb2187675f87
Link:
https://www.unpac.me/results/3da12d55-52b0-4669-8214-73de8dd37c66/
SH256 hash:
bf39a740c4616a3498f31b530ff1786e720af9660294dfc8e3f1c7c5d2a91b0a
MD5 hash:
e50083ff4f798ba8843b9b72fe0e7036
SHA1 hash:
1c05de76b7d764f318fe64081597716066677218
Link:
https://www.unpac.me/results/3da12d55-52b0-4669-8214-73de8dd37c66/
SH256 hash:
b09f5ec9ca1a298cc48df6e146d6e1a8312123a04f5434c675ce94e54295446f
MD5 hash:
eed5abef445c75bb537c544ea823c811
SHA1 hash:
d0782e8117aeca79a9f07dae8fb3715733fc40ce
Link:
https://www.unpac.me/results/3da12d55-52b0-4669-8214-73de8dd37c66/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b09f5ec9ca1a298cc48df6e146d6e1a8312123a04f5434c675ce94e54295446f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe b09f5ec9ca1a298cc48df6e146d6e1a8312123a04f5434c675ce94e54295446f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1271412/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1338483/
Cape
Cape
https://www.capesandbox.com/analysis/165814/

Comments