MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6aa02a56f11f479f9ae81a74af6cdf1fd8a13ab88e569aa01ab37604bbfc313. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c6aa02a56f11f479f9ae81a74af6cdf1fd8a13ab88e569aa01ab37604bbfc313
SHA3-384 hash: 9fdcd29452b384d9902cc097926c9717c45b5c79dd9f7f02ff26ca2a3dc20df65b9feab1614adbefef5903429a37469d
SHA1 hash: c2c9444fe6215578de88ee1d9577d636388d16e3
MD5 hash: d3d0d747febe769eff3b01ddf5317fd1
humanhash: east-washington-idaho-tango
File name:d3d0d747febe769eff3b01ddf5317fd1
Download: download sample
Signature DanaBot
Create hunting rule
File size:5'515'201 bytes
First seen:2021-12-20 14:16:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 98304:pZIZJO3bTwdv5UphPX1cR9lF0cgJwF/yTqe9TGXD+nq+cDlmXp7u+kG/AC7wzNGO:piZJOrK5wPMgJWst9CGSRmXZ34f
Threatray 2'644 similar samples on MalwareBazaar
TLSH T1FF463326EFA28B29C6BF0DB1FA20E24BD617FC6B815ED13D6194794F0A714708853673
File icon (PE):PE icon
dhash icon b279c886d0e87192 (2 x DanaBot)
Reporter zbetcheckin
Tags:32 DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
436
Origin country :
n/a
Vendor Threat Intelligence
Detection:
DLAgent14
Create hunting rule
Link:
https://www.capesandbox.com/analysis/215475/
Detection(s):
Win.Packed.Filerepmalware-9864117-0
Create hunting rule

Win.Packed.Stop-9872858-0
Create hunting rule

Win.Packed.Doina-9886276-0
Create hunting rule

Win.Packed.Pwsx-9901330-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Searching for analyzing tools
DNS request
Sending an HTTP GET request
Creating a file
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Launching a process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/2760/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61c09065ec6c6c14a9e52dbe/reports/45108408-b380-4888-966f-3af12cdaf823/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6bf78818-becd-4ba0-80a6-ccd474da4a76
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/910296
Signature
Antivirus detection for dropped file
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 542775 Sample: Oa1GNJ9qz6 Startdate: 20/12/2021 Architecture: WINDOWS Score: 100 41 Antivirus detection for dropped file 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 Tries to detect sandboxes and other dynamic analysis tools (window names) 2->45 47 5 other signatures 2->47 7 Oa1GNJ9qz6.exe 25 2->7         started        process3 file4 23 C:\Users\user\AppData\Local\...\outwitvp.exe, PE32 7->23 dropped 25 C:\Users\user\AppData\Local\...\napaea.exe, PE32 7->25 dropped 27 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 7->27 dropped 29 3 other files (none is malicious) 7->29 dropped 10 outwitvp.exe 3 18 7->10         started        15 napaea.exe 7 7->15         started        process5 dnsIp6 37 ip-api.com 208.95.112.1, 49756, 80 TUT-ASUS United States 10->37 39 192.168.2.1 unknown unknown 10->39 31 C:\Users\user\AppData\Local\...\fuiqiqrq.vbs, ASCII 10->31 dropped 59 Antivirus detection for dropped file 10->59 61 Query firmware table information (likely to detect VMs) 10->61 63 May check the online IP address of the machine 10->63 17 wscript.exe 12 10->17         started        33 C:\Users\user\AppData\...\DpEditor.exe, PE32 15->33 dropped 65 Machine Learning detection for dropped file 15->65 67 Hides threads from debuggers 15->67 69 Tries to detect sandboxes / dynamic malware analysis system (registry check) 15->69 21 DpEditor.exe 15->21         started        file7 signatures8 process9 dnsIp10 35 iplogger.org 148.251.234.83, 443, 49757 HETZNER-ASDE Germany 17->35 49 System process connects to network (likely due to code injection or exploit) 17->49 51 May check the online IP address of the machine 17->51 53 Query firmware table information (likely to detect VMs) 21->53 55 Hides threads from debuggers 21->55 57 Tries to detect sandboxes / dynamic malware analysis system (registry check) 21->57 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c6aa02a56f11f479f9ae81a74af6cdf1fd8a13ab88e569aa01ab37604bbfc313/
Threat name:
Win32.Trojan.CrypterX
Create hunting rule
Status:
Malicious
First seen:
2021-12-20 14:17:20 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
075811c1b041821aa0902e5035ab2177e6c97c451896ee954d98486d049face6
DanaBot
0a223aa68af0c2af0baabda61d82748629078720a017ef4836f3322a76cb691a
DanaBot
108cad79cd5bd2a947c5b877a55b7d3a6a4ce579aae3f298c0618154c27eb3d4
DanaBot
12505bb6e3c63202f22db1d60afd4a0a386ddff8807bf0d1f8583ba57f6413ba
DanaBot
1c031533f2717560f8bc0cb2019ec55ae7423490e51c811e30b85d382cbff5ec
DanaBot
3276687dad3c0a8d82bd752b2591c7d0b89c823a2e9761b4db8c95e9cd842f81
DanaBot
70797599ab85bc7961922e179e9836d64e85a9ed21f85877442529d0d23daad5
DanaBot
7805fe3ed51586271c54f625091f394625e087a4157e3ad45e0222786772de8c
DanaBot
9642c83319b6f287e5feaca3edb50bd447a9cd41cdb88d6e588aa569bff23552
DanaBot
ee53cf56f393658949e4756c48e63e0c02542c1403c87e72d926bfb6b0306809
DanaBot
+ 2'634 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot botnet:4 banker evasion themida trojan
Link:
https://tria.ge/reports/211220-rlpmsabehq/
Behaviour
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks processor information in registry
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Loads dropped DLL
Themida packer
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Danabot
Danabot Loader Component
Malware Config
C2 Extraction:
142.11.244.223:443
23.106.122.139:443
Unpacked files
SH256 hash:
14d64fdea5829a4292868861260d92ae1189490ba1887cfea68a6d5d5f69576a
MD5 hash:
5794579a7fbcd2ff5cebfae396a7b40a
SHA1 hash:
6b10988a8deb6a45407c2a7fe7b8895ebb4d9132
Link:
https://www.unpac.me/results/6f5b0fd5-e006-4be5-8292-ffc5ab0b5a87/
SH256 hash:
fad45c9c77c6e822083c3714aeb6090ed5035fcabec5236f34fd007eb7101730
MD5 hash:
116d4d09147bc88329a0ce8f4ae7a201
SHA1 hash:
57399eede78e815a31083a5188a727108e08e4b9
Link:
https://www.unpac.me/results/6f5b0fd5-e006-4be5-8292-ffc5ab0b5a87/
SH256 hash:
c6aa02a56f11f479f9ae81a74af6cdf1fd8a13ab88e569aa01ab37604bbfc313
MD5 hash:
d3d0d747febe769eff3b01ddf5317fd1
SHA1 hash:
c2c9444fe6215578de88ee1d9577d636388d16e3
Link:
https://www.unpac.me/results/6f5b0fd5-e006-4be5-8292-ffc5ab0b5a87/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c6aa02a56f11f479f9ae81a74af6cdf1fd8a13ab88e569aa01ab37604bbfc313

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe c6aa02a56f11f479f9ae81a74af6cdf1fd8a13ab88e569aa01ab37604bbfc313

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/215475/
  
URLhaus
https://urlhaus.abuse.ch/url/1902082/

Comments


Avatar
zbet commented on 2021-12-20 14:16:47 UTC

url : hxxp://lionek12.top/downfiles/maysin.exe