MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b20753700e6839173e63c607bd2e7da1da85b3d46f7c67b8e4b819814ff898ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b20753700e6839173e63c607bd2e7da1da85b3d46f7c67b8e4b819814ff898ba
SHA3-384 hash: 0cb3de5b34686b768e2283272e31f1f6067dbc634ad827ed796d75048b7b4b6f8712632da28de97f2978a18231311603
SHA1 hash: 0b6c1e852d817dcd609b62c32cc4bada63de3d53
MD5 hash: 4abb2ec8fb0125dc26a53eb690656618
humanhash: thirteen-stairway-white-fruit
File name:4abb2ec8fb0125dc26a53eb690656618.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'161'216 bytes
First seen:2022-02-23 01:31:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ccd6a4e90a04c24d49f4949717a298d1 (2 x ArkeiStealer, 2 x Loki, 1 x DanaBot)
ssdeep 24576:+PB5KiCAWM8lnEM7ZKkJUqXlEMcmVRW1x4EBB7pnOCgg:YmMah9rmq1oGRw9jOC1
TLSH T19A351210BA90D035F5BB12F489BA83BDB52EBEB1971551CB62D46ADE0634BE0DC3131B
File icon (PE):PE icon
dhash icon 25ac137839939b91 (12 x Smoke Loader, 7 x Amadey, 5 x RedLineStealer)
Reporter abuse_ch
Tags:DanaBot exe


Avatar
abuse_ch
DanaBot C2:
5.9.224.217:443

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
5.9.224.217:443 https://threatfox.abuse.ch/ioc/390195/

Intelligence

File Origin
# of uploads :
1
# of downloads :
564
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b20753700e6839173e63c607bd2e7da1da85b3d46f7c67b8e4b819814ff898ba
Verdict:
Suspicious activity
Analysis date:
2022-03-01 01:29:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/23e64a2c-5180-44bf-8ae5-5470c2ae2302

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/243525/
Detection(s):
Win.Dropper.Generickdz-9939781-0
Create hunting rule

Win.Dropper.Generickdz-9939782-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a window
Launching a process
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
DNS request
Сreating synchronization primitives
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/7060/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CPUID_Instruction
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware lockbit mokes packed
Link:
https://www.filescan.io/uploads/62158e97875593a3cc06f496/reports/e43bfa29-a424-412b-bca9-e847458d1df5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/42fb2e13-8d2c-4c8e-a20f-d1e85732e167
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/944411
Signature
Delayed program exit found
Machine Learning detection for sample
May use the Tor software to hide its network traffic
Multi AV Scanner detection for submitted file
Overwrites code with function prologues
Sigma detected: Suspicious Call by Ordinal
System process connects to network (likely due to code injection or exploit)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b20753700e6839173e63c607bd2e7da1da85b3d46f7c67b8e4b819814ff898ba/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2022-02-23 01:32:15 UTC
File Type:
PE (Exe)
Extracted files:
29
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=widvg4aona4roptdyyd32lt5uhnilm6un56gpohexamyct7ytc5a._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  10/10
Tags:
collection discovery spyware stealer suricata
Link:
https://tria.ge/reports/220223-bxzzwshffl/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Checks installed software on the system
Drops desktop.ini file(s)
Reads user/profile data of web browsers
Blocklisted process makes network request
Suspicious use of NtCreateProcessExOtherParentProcess
suricata: ET MALWARE Danabot Key Exchange Request
Unpacked files
SH256 hash:
1634c5ad7f22bfdc520fc867c46a43b060cf310756e041bcc4a04cd1b9257b7c
MD5 hash:
959a6d13183772446123cf3f740a4322
SHA1 hash:
63149af3e9d0ce68ba3926b7c9ae7893c2b2af85
Link:
https://www.unpac.me/results/d896080b-5d19-4ed4-b7c7-00cfc45d3aff/
SH256 hash:
b20753700e6839173e63c607bd2e7da1da85b3d46f7c67b8e4b819814ff898ba
MD5 hash:
4abb2ec8fb0125dc26a53eb690656618
SHA1 hash:
0b6c1e852d817dcd609b62c32cc4bada63de3d53
Link:
https://www.unpac.me/results/d896080b-5d19-4ed4-b7c7-00cfc45d3aff/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b20753700e6839173e63c607bd2e7da1da85b3d46f7c67b8e4b819814ff898ba

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/243525/

Comments


Avatar
Yafnag commented on 2022-02-25 18:39:19 UTC

New Danabot version : 2278

Affiliate ID : 5

Tor domain : ockiwumgv77jgrppj4na362q4z6flsm3uno5td423jj4lj2f2meqt6ad.onion

C2_1 : 5.9.224.217:443
C2_2 : 23.106.122.14:443
C2_3 : 192.236.161.4:443