MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b717b1d98ceed56c2778c574bcb8e3fc3d35d876947f3020093a8e532100d598. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	b717b1d98ceed56c2778c574bcb8e3fc3d35d876947f3020093a8e532100d598
SHA3-384 hash:	665590881ca4ff096fd3d23a9bbe81583f04f69576982de082e18e3ab9c931898948ab26510ea7ffcfa06b1885d6197e
SHA1 hash:	273af99b8ed992dbfb35c2e30863494adebbde4e
MD5 hash:	bf8ef0147cfe755d6a3d491a69cf9325
humanhash:	beer-william-high-mango
File name:	bf8ef0147cfe755d6a3d491a69cf9325.exe
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	1'169'408 bytes
First seen:	2021-08-15 07:47:27 UTC
Last seen:	2021-08-15 08:51:47 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	7516bd35cc21aff34ab4b704c018e246 (3 x RaccoonStealer, 3 x DanaBot, 3 x Smoke Loader)
ssdeep	24576:L+54/pLt6Cz2CNAUgb/rIhSdhxpkI/ZPZkZC8oV14:LpQCfAUgbcSPfkIxPGJf
Threatray	3'892 similar samples on MalwareBazaar
TLSH	T11D450234F6E0C439E5E701F1596983FD7439B9705B2060CBA2D62BEAEB352D89C30697
dhash icon	d824e790c4e72158 (30 x RaccoonStealer, 18 x RedLineStealer, 16 x Smoke Loader)
Reporter	abuse_ch
Tags:	DanaBot exe

Intelligence

File Origin

# of uploads :

# of downloads :

396

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

bf8ef0147cfe755d6a3d491a69cf9325.exe

Verdict:

Malicious activity

Analysis date:

2021-08-15 07:49:17 UTC

Tags:

trojan danabot

Link:

https://app.any.run/tasks/11018c57-42fc-4c7d-a5cb-954e7a31aa9b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/179332/

Detection(s):

SecuriteInfo.com.Trojan.MulDrop18.28324.30663.18662.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Enabling the 'hidden' option for recently created files

Launching a process

Creating a process with a hidden window

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7558806a-043c-46a8-b079-ea912ed28b18

Result

Threat name:

DanaBot

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/833124

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected DanaBot stealer dll

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b717b1d98ceed56c2778c574bcb8e3fc3d35d876947f3020093a8e532100d598/

Threat name:

Win32.Trojan.Sabsik

Status:

Malicious

First seen:

2021-08-14 17:18:23 UTC

AV detection:

16 of 28 (57.14%)

Threat level:

5/5

Verdict:

unknown

Result

Malware family:

danabot

Score:

10/10

Tags:

family:danabot banker trojan

Link:

https://tria.ge/reports/210815-8xynn9wdbj/

Behaviour

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Loads dropped DLL

Blocklisted process makes network request

Danabot

Danabot Loader Component

Unpacked files

SH256 hash:

c5ca9acbb7446804cd8074e63e0aa0c6a0293f8948ac99deccce1e730ecfbbd5

MD5 hash:

2cc9381935c5fe678fd34492a79bd415

SHA1 hash:

ea3339b3f548e019cb2d133dc774de880cf29e87

Link:

https://www.unpac.me/results/eb194ee3-84eb-4a27-a3f4-fc036a4665d2/

SH256 hash:

c0ef95ce4e56c73535393927df980b4c9525936b728d6443d7927a8fcefd9be9

MD5 hash:

49261361b1097a26e0fc4d3e75b67adf

SHA1 hash:

34d7bf3df5de65f8f4f9b205e0538026b70a21b7

Link:

https://www.unpac.me/results/eb194ee3-84eb-4a27-a3f4-fc036a4665d2/

SH256 hash:

b717b1d98ceed56c2778c574bcb8e3fc3d35d876947f3020093a8e532100d598

MD5 hash:

bf8ef0147cfe755d6a3d491a69cf9325

SHA1 hash:

273af99b8ed992dbfb35c2e30863494adebbde4e

Link:

https://www.unpac.me/results/eb194ee3-84eb-4a27-a3f4-fc036a4665d2/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b717b1d98ceed56c2778c574bcb8e3fc3d35d876947f3020093a8e532100d598

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

exe b717b1d98ceed56c2778c574bcb8e3fc3d35d876947f3020093a8e532100d598

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1490082/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/1495647/

URLhaus

https://urlhaus.abuse.ch/url/1461110/

Cape

https://www.capesandbox.com/analysis/179332/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample