MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b22a99c25c0d0b7c411017e1332f8a5aebc0fa01b508bd57928ea9aa58755172. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DanaBot


Vendor detections: 8



SHA256 hash: b22a99c25c0d0b7c411017e1332f8a5aebc0fa01b508bd57928ea9aa58755172
SHA3-384 hash: 0212cafb502d2ac76ed0490d87fc6e8719e4affd2f51b2d9b30ee5cb5e8cfc36f189e7ce7187d9071928d7f4ab8e1e7d
SHA1 hash: 7bebc7f215c4701faf76c423d7b25d4a4f4b8706
MD5 hash: 49f37ba39394d2bf4cc6f3e238e0845f
humanhash: uncle-johnny-may-bakerloo
File name: 49f37ba39394d2bf4cc6f3e238e0845f.exe
Signature: DanaBot
File size: 1'118'208 bytes
First seen: 2021-07-19 15:39:26 UTC
Last seen: 2021-07-19 16:46:15 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 52c37101f2973085af5ed972e3b0d2d3 (7 x RaccoonStealer, 1 x RedLineStealer, 1 x DanaBot)
ssdeep: 24576:xXKko0JcR/AWXRlYfz3hL4H6TaV0DM6Ugb8fTIM10LbOxKMPkl7yA:xXK8ctHRWzRM6bDVR8fTF1Ibb75
Threatray: 2'676 similar samples on MalwareBazaar
TLSH: T1C635235074E8D827F0A7493775F1C321BABF3F652938948BB2822BDB4EB069149DD712
Reporter: abuse_ch
Tags: DanaBot, exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 233
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 49f37ba39394d2bf4cc6f3e238e0845f.exe
Verdict: Malicious activity
Analysis date: 2021-07-19 15:46:57 UTC
Tags: trojan danabot

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: Malicious Packer
Verdict: Malicious
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 84 / 100
Signatures:
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Threat name: Win32.Ransomware.StopCrypt
Status: Malicious
First seen: 2021-07-19 01:18:11 UTC
AV detection: 19 of 28 (67.86%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour:
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Loads dropped DLL
Blocklisted process makes network request
Unpacked files
SHA256 hash: 9e6ab77f9eb42ff082db4eb17c508deffcb89516d5c1d9218b4ca742858a53f6
MD5 hash: 926e01f410c01c456e6ed298e95383e0
SHA1 hash: dec1d9d839a278dd9d3a8c9daa3c06e26b5215b2

SHA256 hash: 217fd8f25793ea73395100c4b4183cc37bf2729ac3520bfba539c760653864ec
MD5 hash: 33b6cccb96ca82fca5e03ec6b735f72d
SHA1 hash: 843dd297586e7171c6b803cd45ba7ae5df7b4bd1

SHA256 hash: b22a99c25c0d0b7c411017e1332f8a5aebc0fa01b508bd57928ea9aa58755172 (this sample)
MD5 hash: 49f37ba39394d2bf4cc6f3e238e0845f
SHA1 hash: 7bebc7f215c4701faf76c423d7b25d4a4f4b8706
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps those samples produce during analysis. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with a stomped PE compilation timestamp that is greater than the local current time
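To make the YARA match concrete, and to give the "Detected unpacking (changes PE section rights)" sandbox signature a static counterpart, the Python below is an added example; it is not MalwareBazaar's code and not the text of ditekSHen's rule. It parses only the DOS header, PE signature, COFF file header and section table, then reports (a) a TimeDateStamp later than the reference clock, which is the condition the rule description states, and (b) sections mapped both writable and executable, a common header-level hint that a binary rewrites its own image at run time. The header-only PE fixture, the `.packed` section name and the 24-hour skew allowance are assumptions for illustration, not properties of the sample on this page.

```python
"""Header-level checks for a stomped-in-the-future timestamp and RWX sections.

Added example. The PE bytes built by build_minimal_pe() are a constructed
fixture, not the sample b22a99c2...; nothing here touches the real file.
"""
import struct
import time

# Section Characteristics flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return the COFF TimeDateStamp and (name, characteristics) per section.

    Only the DOS header, PE signature, COFF file header and section headers
    are read; the optional header is skipped using SizeOfOptionalHeader.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    (_machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", data, coff)
    sect_table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        off = sect_table + i * 40            # each section header is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        characteristics = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, characteristics))
    return {"timestamp": timestamp, "sections": sections}


def timestamp_in_future(pe, now=None, slack=86400):
    """True when TimeDateStamp lies more than `slack` seconds after `now`.

    The YARA rule compares against the scanner's local clock; the slack is an
    assumption added here to absorb ordinary clock skew, not part of the rule.
    """
    now = int(time.time()) if now is None else now
    return pe["timestamp"] > now + slack


def rwx_sections(pe):
    """Names of sections that are both writable and executable."""
    return [name for name, chars in pe["sections"]
            if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE]


def build_minimal_pe(timestamp, sections):
    """Construct a header-only PE image (no optional header, no section data).

    Fixture for testing the parser; real binaries always carry an optional
    header, which parse_pe() skips via SizeOfOptionalHeader.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE header follows DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 0, 0x0102)
    image = bytes(dos) + b"PE\0\0" + coff
    for name, chars in sections:
        # Name(8) + 28 bytes of size/pointer fields + Characteristics(4) = 40 bytes
        image += name.ljust(8, b"\0") + b"\0" * 28 + struct.pack("<I", chars)
    return image


def scan(data, now=None):
    """Run both checks on a PE image and return the findings."""
    pe = parse_pe(data)
    return {
        "timestamp": pe["timestamp"],
        "timestamp_in_future": timestamp_in_future(pe, now),
        "rwx_sections": rwx_sections(pe),
    }


if __name__ == "__main__":
    # Constructed fixture: stamped one year ahead, with a code section and an
    # RWX section named ".packed" (name chosen for illustration only).
    now = int(time.time())
    fixture = build_minimal_pe(now + 365 * 86400,
                               [(b".text", 0x60000020), (b".packed", 0xE0000080)])
    print(scan(fixture, now))
```

Treat either finding as a triage signal rather than proof of tampering: toolchains configured for reproducible builds (for example MSVC's `/Brepro`) write a hash of the image into TimeDateStamp, so a legitimate binary can carry an arbitrary, even future, value, and some legitimate loaders also ship writable code sections. The sandbox signatures above are the dynamic confirmation that the section rights actually change at run time.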

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download
Signature: DanaBot
Sample: Executable exe b22a99c25c0d0b7c411017e1332f8a5aebc0fa01b508bd57928ea9aa58755172 (this sample)
