MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf9f271862092b781056603331a7f6a99f26aeefaa98dac48f607fd037487f81. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bf9f271862092b781056603331a7f6a99f26aeefaa98dac48f607fd037487f81
SHA3-384 hash: 7eb783edec18aaf02236123445ba6967c367a4906e6bd9b70666ee762ae4457c0f142273833df88e3ee378d76dfbedf3
SHA1 hash: d98a827d9d8f754660d85135ed6a7d2af05ffaa5
MD5 hash: 3642213b20a460c1c66d2dc30642365c
humanhash: coffee-tennis-steak-september
File name:3642213b20a460c1c66d2dc30642365c
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'257'984 bytes
First seen:2021-10-28 23:25:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e7e707cb5a6cd20211e77d5d46383cea (16 x RaccoonStealer, 3 x Smoke Loader, 2 x RedLineStealer)
ssdeep 24576:41OnentDRLmlBcgD7z3ope3qDFgnTjvltsbO9:4wADRLYBc8Q4qDETz
Threatray 6'990 similar samples on MalwareBazaar
TLSH T15645120076A2C031F9F252F856769369B93FB9A16B3850DB22D51AEC4B756E0FC31B07
File icon (PE):PE icon
dhash icon b2dacabecee6baa6 (148 x RedLineStealer, 145 x Stop, 100 x Smoke Loader)
Reporter zbetcheckin
Tags:32 DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
339
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Variant.Jaik.48956.26159.7248.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file
Enabling the 'hidden' option for recently created files
Launching a process
Creating a process with a hidden window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3685e556-1725-451b-a72f-536207c8b8af
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/878937
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bf9f271862092b781056603331a7f6a99f26aeefaa98dac48f607fd037487f81/
Threat name:
Win32.Ransomware.LockbitCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-10-28 23:26:06 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x6psogdcbevxqecwmaztdj7wvgpsnlxpvkmnvrepmb75an2ip6aq._file
Verdict:
malicious
Similar samples:
11da67d2ec898827753f51e2bd4fc8329a5b29f33bcd1494f996c311bac93e7c
DanaBot
1919a6cdebe6a58cdf4ce6748c2caf927998f8e1529ca7df8d831fd429b4190f
DanaBot
1ab4626c0f91392f958aabda6a752040da109567af3b34fbd0ddd62c616e3417
DanaBot
42e22bf3a9630d312d795db190f16cb7f0d3b51b9903695ed678dfc190240345
DanaBot
4a22c0f9ba13ab18950c865a0d164a9840359712c76501e5f64f54e740441a79
DanaBot
4f4432ad4cc8c5d43dd2fe135717bdd65f417f91ada36cee4ae8f9af0269f8cb
DanaBot
84dcb2e1236f428d52bd4cb3f5d5e7a6c79d44778858012b746c1658b1a844fd
DanaBot
a5437c7d1711d9ef40881b429e3b308c5e3d6b94da15aa1b20f5c64ecbe49848
DanaBot
ba58e003883e6ef7e4e1b5289fc201a8e5eaeec85fe2f3809e68aad8439066ae
DanaBot
f24001f95b70377e15a6153b8291eedc1f48e9552898c85d59daab3dc26aee88
DanaBot
+ 6'980 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot botnet:4 banker collection discovery spyware stealer trojan
Link:
https://tria.ge/reports/211028-3et5gahahj/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Danabot
Danabot Loader Component
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
192.119.110.73:443
192.236.192.201:443
192.210.222.88:443
Unpacked files
SH256 hash:
8d118f86a7847472abe790449aeeabf432d1b11c09663b25e65be2a6c62d431e
MD5 hash:
ad99f50a843d90cde4eda16c19f57186
SHA1 hash:
1dde599726e1247e43506f6085beccc01afdc28a
Link:
https://www.unpac.me/results/898dceba-e037-4f79-852e-37fea945b8a1/
SH256 hash:
bf9f271862092b781056603331a7f6a99f26aeefaa98dac48f607fd037487f81
MD5 hash:
3642213b20a460c1c66d2dc30642365c
SHA1 hash:
d98a827d9d8f754660d85135ed6a7d2af05ffaa5
Link:
https://www.unpac.me/results/898dceba-e037-4f79-852e-37fea945b8a1/
Malware family:
BazarLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/bf9f27186209/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bf9f271862092b781056603331a7f6a99f26aeefaa98dac48f607fd037487f81

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe bf9f271862092b781056603331a7f6a99f26aeefaa98dac48f607fd037487f81

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1724535/

Comments


Avatar
zbet commented on 2021-10-28 23:25:53 UTC

url : hxxp://45.138.172.114/sameini.exe