MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba58e003883e6ef7e4e1b5289fc201a8e5eaeec85fe2f3809e68aad8439066ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ba58e003883e6ef7e4e1b5289fc201a8e5eaeec85fe2f3809e68aad8439066ae
SHA3-384 hash: 4e162d421968d8a4b20950530e8df7d660f742711d571ba3dd62fb071a8ebdcaa76c6f97ff2cc040949fbd2395ce9f5d
SHA1 hash: ae65d5be3e5122512c536d2b6b80c3640b91c11e
MD5 hash: fb0fd1471d888d74a6e0478ef4ceaf31
humanhash: cup-juliet-uniform-november
File name:fb0fd1471d888d74a6e0478ef4ceaf31
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'167'360 bytes
First seen:2021-10-26 10:05:19 UTC
Last seen:2021-10-26 12:46:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a756627435b382dc3646987f64d479a5 (3 x Smoke Loader, 1 x DanaBot, 1 x CryptBot)
ssdeep 24576:XsOLZYf4xG7dOKr3DWOQvdOtU0lG4QI6Bf0lV95QKP7Azvyxa:X6gxoJrdeVc80lOcAzqx
Threatray 6'891 similar samples on MalwareBazaar
TLSH T166452320B2A0D4F2F6798B308554CBD11A6F3DC3D6AC46679B8B372E5D302D15A2637E
File icon (PE):PE icon
dhash icon fcfcd4d4d4dcd8c0 (52 x RaccoonStealer, 28 x RedLineStealer, 6 x Smoke Loader)
Reporter zbetcheckin
Tags:32 DanaBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
321
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/200146/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.1153.13645.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file
Enabling the 'hidden' option for recently created files
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware lockbit packed
Link:
https://www.filescan.io/uploads/6177d30e9a5a1e91c5d46035/reports/b5198fb1-33e4-4996-8dbb-c614477e1722/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/08df77d4-34b5-4d0e-ada1-52d9cc33e308
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/876893
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ba58e003883e6ef7e4e1b5289fc201a8e5eaeec85fe2f3809e68aad8439066ae/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-10-26 10:06:08 UTC
AV detection:
30 of 45 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xjmoaa4ihzxppzhbwuuj7qqbvds6v3wil7rphae6ncvnqq4qm2xa._file
Verdict:
malicious
Similar samples:
0345531c814ad62c6c2c73de6fc6e540974fa5ddba3dcbeaa9a7850ad7929a76
DanaBot
18ae9ea1c1d71b33777c8772248580f17a2bcecf1aa0e8f71ec15d4b33d5253b
DanaBot
4e19a6c2fb2fd245e5c2097ff4d91aa86c4f49aaa4fbdab4cae046e3e02d0e52
DanaBot
7bf358e7bffe42b707987d1e14465a5fd91fb4468b8bb5cc2bda2fd95ef801d1
DanaBot
8d2fc9db7c9f5dcf80faef24bf99af1a4553007d810981fef4026f3fce02a945
DanaBot
a5437c7d1711d9ef40881b429e3b308c5e3d6b94da15aa1b20f5c64ecbe49848
DanaBot
aa45891e05a5365976defde1926bcf667f207b61af7cc455a1b7e1bd5fabba05
DanaBot
c0c908fdb5c67cd4ab56ab911320adaf68e4bc9a230a4a04eaf2cf6ae92443f4
DanaBot
f8f1569945e8adb87cb91509db4129d64a878863a347dbea1b21b70e1a21f973
DanaBot
+ 6'881 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot botnet:4 banker discovery trojan
Link:
https://tria.ge/reports/211026-l43z8shbc5/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Checks installed software on the system
Loads dropped DLL
Blocklisted process makes network request
Danabot
Danabot Loader Component
Malware Config
C2 Extraction:
192.119.110.73:443
192.236.147.159:443
192.210.222.88:443
Unpacked files
SH256 hash:
885e7a1c0fb0dffee3946d220f05c5aecdab8fc5cb1358e7f427f8381cc460e5
MD5 hash:
cce9f3bdc2b79e828f40f8416ac808df
SHA1 hash:
20d9a8215195aec47afaeab474477e7d7c03ab22
Link:
https://www.unpac.me/results/f9a1abdb-7801-4b43-88c8-b807efc119cc/
SH256 hash:
7e4e0e0d7969a4d5e96777d9f4f2b0d10bc46ac353293b3de2e6e84ce654a554
MD5 hash:
6ba480283e3a385c5996170affa07772
SHA1 hash:
eb18c575e17a449c39f8ac3b4433ff19cba8f4ac
Link:
https://www.unpac.me/results/f9a1abdb-7801-4b43-88c8-b807efc119cc/
SH256 hash:
ba58e003883e6ef7e4e1b5289fc201a8e5eaeec85fe2f3809e68aad8439066ae
MD5 hash:
fb0fd1471d888d74a6e0478ef4ceaf31
SHA1 hash:
ae65d5be3e5122512c536d2b6b80c3640b91c11e
Link:
https://www.unpac.me/results/f9a1abdb-7801-4b43-88c8-b807efc119cc/
Malware family:
BazarLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ba58e003883e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ba58e003883e6ef7e4e1b5289fc201a8e5eaeec85fe2f3809e68aad8439066ae

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe ba58e003883e6ef7e4e1b5289fc201a8e5eaeec85fe2f3809e68aad8439066ae

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1715155/
Cape
Cape
https://www.capesandbox.com/analysis/200146/

Comments


Avatar
zbet commented on 2021-10-26 10:05:21 UTC

url : hxxp://23.106.124.90/rokyh.exe