MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c70d30eabc072c72aa4c934ec92ea25b0e75c53a006b510e35ad1aefe0892912. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c70d30eabc072c72aa4c934ec92ea25b0e75c53a006b510e35ad1aefe0892912
SHA3-384 hash: 981cf35e1817ed614be46cb3b6f0a00b43d1b54559166127998ab1172d5edb06cd24b5f1853dbf33d5833522895c6107
SHA1 hash: a7d5aaf8e3fadd28ba35a69b96100c77279f6218
MD5 hash: c6bd3fce10e7e9a7350b83cf2926bb2d
humanhash: william-charlie-pizza-enemy
File name:SecuriteInfo.com.Variant.Fragtor.23360.18776.21974
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'187'840 bytes
First seen:2021-09-20 17:00:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7273bdafbe151bbfd9b7057bf9d812ba (2 x RaccoonStealer, 2 x DanaBot, 1 x CryptBot)
ssdeep 24576:W9TUrtxH0xUfuWmDgIWPb48nj6EkmGMm7g46x4lEgN:z0SuYLPs8j6EIMqg9xKHN
Threatray 5'531 similar samples on MalwareBazaar
TLSH T117451224A6A1C035EDEB01FC59BAD36C6A397EB06B7044CB639626ED25346D3DC7034B
File icon (PE):PE icon
dhash icon 9824e7d0c4e7215c (11 x RedLineStealer, 5 x Smoke Loader, 2 x RaccoonStealer)
Reporter SecuriteInfoCom
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
376
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/189532/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.23360.18776.21974.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file
Enabling the 'hidden' option for recently created files
Launching a process
Creating a process with a hidden window
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/35ff4127-73ff-401b-9bdc-9129c9466899
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/854282
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c70d30eabc072c72aa4c934ec92ea25b0e75c53a006b510e35ad1aefe0892912/
Threat name:
Win32.Trojan.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-09-20 17:01:21 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
078f9ef51158a0583dc392a8b2d9db4830c3ed9bd7c3e46a96c82046d8b53ba0
DanaBot
09a6f1762ad56add49d58eb4d3b4dc7efeb72599c641d3ef2c6dbe3488196166
DanaBot
0dbae723b61eebd1615384950c28b6f11f69967326b6d66d366e926a47e7c199
DanaBot
247b4e32c0a8a4d4dea1362f22fa214ef5ce234ffba6d34cba720c6b71da61ec
DanaBot
37959fd0b7360fc0aedb35ac28e39aa474e3b36ed4972f600b5db47da19d0bf8
DanaBot
5c3162c36576b287b91705301199e60485f31ab98b4bd11e8ed4445b8131cf08
DanaBot
ae6ec966a4d2912897da41c2e20296c0cc2ac5b30fd57ee20420bd7212e98042
DanaBot
cb2244f51a480169293e39a16b104aa14e98543b17b76b3ab5a16640d48d29cc
DanaBot
d37a741c4abb937ef11a2b0536a641db1b50859be5310eb8781bf18bbdd9b9bd
DanaBot
ee5d22a6100afb0935a51cc27ff16e833c796abce26d9ce254d66f30ab28c150
DanaBot
+ 5'521 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot botnet:4 banker discovery spyware stealer trojan
Link:
https://tria.ge/reports/210920-vjk4csefb6/
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Danabot
Danabot Loader Component
Malware Config
C2 Extraction:
23.254.144.209:443
23.254.227.74:443
192.255.166.212:443
Unpacked files
SH256 hash:
90c80767506fa959353f9853bc6153c7425ef3e666cfdabab78366f8ce989c12
MD5 hash:
738b0b95544e5800d9a8284cf6ab4301
SHA1 hash:
837347961e10597f335a62e2bb3a832516c11617
Link:
https://www.unpac.me/results/97c9fed2-5b53-49b0-a625-22fce72adfb5/
SH256 hash:
3aed5f8047308acb280a559ac9651ef7e4bea9b2a2aa521b1c677ba70699da0e
MD5 hash:
a96583a1acc5006ae20d8e4f5c71e232
SHA1 hash:
7fb39cf40ac900c53f51ce9b5e2671e7e082b86e
Link:
https://www.unpac.me/results/97c9fed2-5b53-49b0-a625-22fce72adfb5/
SH256 hash:
c70d30eabc072c72aa4c934ec92ea25b0e75c53a006b510e35ad1aefe0892912
MD5 hash:
c6bd3fce10e7e9a7350b83cf2926bb2d
SHA1 hash:
a7d5aaf8e3fadd28ba35a69b96100c77279f6218
Link:
https://www.unpac.me/results/97c9fed2-5b53-49b0-a625-22fce72adfb5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c70d30eabc072c72aa4c934ec92ea25b0e75c53a006b510e35ad1aefe0892912

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe c70d30eabc072c72aa4c934ec92ea25b0e75c53a006b510e35ad1aefe0892912

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1635827/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/189532/

Comments