MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 babcbf266a1bbb8c6ce3f339d767abb78821c0d71663186dafe7ada1da74e118. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments 1

SHA256 hash:	babcbf266a1bbb8c6ce3f339d767abb78821c0d71663186dafe7ada1da74e118
SHA3-384 hash:	d91b0984dd0e7d86097554dd3806f9187195982933d9e1499df380c9ffceb5418b4a1cfd6706bfdbec27d040d1c51117
SHA1 hash:	e53e7aced0df1ffd8f202e62988df1362b500d5a
MD5 hash:	ed3dd342054d04d320ddba1d821c53dd
humanhash:	tango-utah-sad-beer
File name:	ed3dd342054d04d320ddba1d821c53dd
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	1'183'232 bytes
First seen:	2021-10-05 03:44:10 UTC
Last seen:	2021-10-05 04:47:43 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	7d2b5fe056f9f1898f2b12424a66461a (2 x RaccoonStealer, 1 x DanaBot)
ssdeep	24576:vO/oDz9FWN7DI8WDydPgzK8kcGSXLS51Y8Rmh2Rf0VYs0:vZzPsWDz3GQSVQVY
Threatray	5'973 similar samples on MalwareBazaar
TLSH	T160451230B7A0C035F4B362F858B693B86A293DB15F3492CF16E11AEA52756D8DD30787
File icon (PE):
dhash icon	e8e8e8e8aa66a499 (51 x RaccoonStealer, 27 x ArkeiStealer, 22 x RedLineStealer)
Reporter	zbetcheckin
Tags:	32 DanaBot exe

Intelligence

File Origin

# of uploads :

# of downloads :

297

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/194812/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.6552.28516.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Enabling the 'hidden' option for recently created files

Launching a process

Creating a process with a hidden window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/615c0615e3d213d202b76dd1/reports/e9c4f09d-4f17-43a2-8f24-23aaa5d9eff0/overview

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/115908c7-a9ca-4d32-ac00-e0525724e324

Result

Threat name:

DanaBot

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/864396

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected DanaBot stealer dll

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/babcbf266a1bbb8c6ce3f339d767abb78821c0d71663186dafe7ada1da74e118/

Threat name:

Win32.Trojan.Racealer

Status:

Malicious

First seen:

2021-10-05 03:45:05 UTC

AV detection:

18 of 45 (40.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xk6l6jtkdo5yy3hd6m45oz5lw6ecdqgxczrrq3np46w2dwtu4ema._file

Verdict:

malicious

Result

Malware family:

danabot

Score:

10/10

Tags:

family:danabot botnet:4 banker discovery spyware stealer trojan

Link:

https://tria.ge/reports/211005-ea3daahdhn/

Behaviour

Checks processor information in registry

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Program Files directory

Suspicious use of SetThreadContext

Checks installed software on the system

Loads dropped DLL

Reads user/profile data of web browsers

Blocklisted process makes network request

Danabot

Danabot Loader Component

Malware Config

C2 Extraction:

142.11.242.31:443
192.119.110.73:443
192.210.222.88:443

Unpacked files

SH256 hash:

e8e1c56c1b49d24a086fc0932dfeaa22b618f76ee7ad1826eb0f6777dd57f008

MD5 hash:

9d9e4745028484d8dd345c1c3feaca9f

SHA1 hash:

fcd973cd998727aaf68ff8a37aa0e468811af5e1

Link:

https://www.unpac.me/results/5403ede8-91d4-4fba-bcb4-0175f9ae7882/

SH256 hash:

f8ab8c717cf675d5883b09043b1fcd139699781c9338baf16792288786256b24

MD5 hash:

bb420dd820788c7ebcff885e5028f01d

SHA1 hash:

fa10e7db51555f427ae2a545f403db720d59aff9

Link:

https://www.unpac.me/results/5403ede8-91d4-4fba-bcb4-0175f9ae7882/

SH256 hash:

babcbf266a1bbb8c6ce3f339d767abb78821c0d71663186dafe7ada1da74e118

MD5 hash:

ed3dd342054d04d320ddba1d821c53dd

SHA1 hash:

e53e7aced0df1ffd8f202e62988df1362b500d5a

Link:

https://www.unpac.me/results/5403ede8-91d4-4fba-bcb4-0175f9ae7882/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/babcbf266a1b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/babcbf266a1bbb8c6ce3f339d767abb78821c0d71663186dafe7ada1da74e118

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

exe babcbf266a1bbb8c6ce3f339d767abb78821c0d71663186dafe7ada1da74e118

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/194812/

URLhaus

https://urlhaus.abuse.ch/url/1640605/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2021-10-05 03:44:12 UTC

url : hxxp://88.99.21.170/root.exe