MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c8b2d7766554c5e276f4dcd011f0856603dc8b42895ba60c1e0fba270df616ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c8b2d7766554c5e276f4dcd011f0856603dc8b42895ba60c1e0fba270df616ee
SHA3-384 hash: d084436cfd85e81dadb463c423e617737b8a81c8bbf99bf0e056c71afc7bbe14da4a5632ee9bd9c31fc3c1ea04620e3c
SHA1 hash: 692b7a37755903032732cb697ee8f06335bbcded
MD5 hash: b8a2adb46798ea4ac7961ed4af59bd08
humanhash: sodium-mirror-jupiter-mobile
File name:b8a2adb46798ea4ac7961ed4af59bd08.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:6'595'574 bytes
First seen:2021-09-23 11:04:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 98304:5ZZjE6aoN9zy7pFo//7XLl+T8MWbvq/U/7IyjfXAlCda2iTCsAnNRzu5WJ7hAx2S:5re49eHczXLl+qCK7NXQ2i5AnNtuj0E
Threatray 5'572 similar samples on MalwareBazaar
TLSH T1F56633C7A32DE5F1C4405772DF609BAA6EBB3D590920A48A36F875AEFFB1505C060933
File icon (PE):PE icon
dhash icon 02e8e8e8f4e4ec28 (1 x DanaBot)
Reporter abuse_ch
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
284
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://diayco04.top/download.php?file=lv.exe
Verdict:
Malicious activity
Analysis date:
2021-09-23 13:12:04 UTC
Tags:
trojan evasion
Link:
https://app.any.run/tasks/78c23e6f-dcec-4b1a-9462-b3d91fbf6a3a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DLAgent14
Create hunting rule
Link:
https://www.capesandbox.com/analysis/190729/
Detection(s):
Win.Packed.Filerepmalware-9864117-0
Create hunting rule

Win.Packed.Stop-9872858-0
Create hunting rule

Win.Packed.Doina-9886276-0
Create hunting rule

Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6e426911-0143-4c82-aed5-e7f3459c2ab8
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/856790
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Hides threads from debuggers
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 489227 Sample: W6POpl68MP.exe Startdate: 23/09/2021 Architecture: WINDOWS Score: 100 58 Antivirus detection for URL or domain 2->58 60 Multi AV Scanner detection for submitted file 2->60 62 Tries to detect sandboxes and other dynamic analysis tools (window names) 2->62 64 3 other signatures 2->64 7 W6POpl68MP.exe 25 2->7         started        10 IntelRapid.exe 2->10         started        13 IntelRapid.exe 2->13         started        process3 file4 32 C:\Users\user\AppData\Local\...\valinevp.exe, PE32 7->32 dropped 34 C:\Users\user\AppData\Local\...\tricar.exe, PE32+ 7->34 dropped 36 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 7->36 dropped 38 3 other files (none is malicious) 7->38 dropped 15 valinevp.exe 3 18 7->15         started        20 tricar.exe 4 7->20         started        76 Query firmware table information (likely to detect VMs) 10->76 78 Hides threads from debuggers 10->78 80 Tries to detect sandboxes / dynamic malware analysis system (registry check) 10->80 signatures5 process6 dnsIp7 42 ip-api.com 208.95.112.1, 49732, 80 TUT-ASUS United States 15->42 44 192.168.2.1 unknown unknown 15->44 28 C:\Users\user\AppData\Local\...\pwwfiua.vbs, ASCII 15->28 dropped 46 Antivirus detection for dropped file 15->46 48 Query firmware table information (likely to detect VMs) 15->48 50 May check the online IP address of the machine 15->50 56 2 other signatures 15->56 22 wscript.exe 12 15->22         started        30 C:\Users\user\AppData\...\IntelRapid.exe, PE32+ 20->30 dropped 52 Hides threads from debuggers 20->52 54 Tries to detect sandboxes / dynamic malware analysis system (registry check) 20->54 26 IntelRapid.exe 20->26         started        file8 signatures9 process10 dnsIp11 40 iplogger.org 88.99.66.31, 443, 49733 HETZNER-ASDE Germany 22->40 66 System process connects to network (likely due to code injection or exploit) 22->66 68 May check the online IP address of the machine 22->68 70 Query firmware table information (likely to detect VMs) 26->70 72 Hides threads from debuggers 26->72 74 Tries to detect sandboxes / dynamic malware analysis system (registry check) 26->74 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c8b2d7766554c5e276f4dcd011f0856603dc8b42895ba60c1e0fba270df616ee/
Threat name:
Win32.Infostealer.ClipBanker
Create hunting rule
Status:
Malicious
First seen:
2021-09-22 23:29:42 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0822897c3336073faf73fa391193ea15f55de51aa36d63433a9e794127c34576
DanaBot
0c73474ceb5c96ff4c0231b9d542d65c1d78b82de926bbfd4413d81684d78e58
DanaBot
81f9e755ba26058922c5fdb70ead4d6d36c65e95d3bc59a44112c0dd1f928b0e
DanaBot
88b21d6bda07db2097615a88062328006f0c10d199d4fc5e50483d6fd6abe622
DanaBot
9c183327a52687e89969b39d6e099f239161ce9876af0f8da666eb5e55c238c3
DanaBot
9ce97b2a248555831866151f6c4d9c682dc792f6df3e3e8f8142bdc717f34876
DanaBot
aa88fc6977bf02c959ffa6865b99eeee8c1735001f824d1bbcc4ff01d93fbb74
DanaBot
bff3d8677d0c866b3fa47a2176ba05c9ae03cc215794896f2ef922a1aa037097
DanaBot
c8b1c11bf16a1052dffb6942d955c31cdad7f0b154e1f855882d4d95359efa54
DanaBot
e13fb6156b386d9cea3a46c3835a97636ad0eeddda3b354f86f19915721638fc
DanaBot
+ 5'562 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot botnet:4 banker discovery evasion spyware stealer themida trojan
Link:
https://tria.ge/reports/210923-m6vbjshedq/
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Danabot
Danabot Loader Component
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
23.254.144.209:443
192.236.194.86:443
142.11.192.232:443
Unpacked files
SH256 hash:
60dbf025023a4c58e34779490447d653f3a71a95c2f658945d0ad1ebd4230f6d
MD5 hash:
17787c026fc7577ec4af231009dfb8ab
SHA1 hash:
6857e76233cd89b14fa3d9b7d77fa6bfb12f9761
Link:
https://www.unpac.me/results/a193f148-12e1-4aa8-b96d-3cda56bccbac/
SH256 hash:
c8b2d7766554c5e276f4dcd011f0856603dc8b42895ba60c1e0fba270df616ee
MD5 hash:
b8a2adb46798ea4ac7961ed4af59bd08
SHA1 hash:
692b7a37755903032732cb697ee8f06335bbcded
Link:
https://www.unpac.me/results/a193f148-12e1-4aa8-b96d-3cda56bccbac/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c8b2d7766554c5e276f4dcd011f0856603dc8b42895ba60c1e0fba270df616ee

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe c8b2d7766554c5e276f4dcd011f0856603dc8b42895ba60c1e0fba270df616ee

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/190729/
  
URLhaus
https://urlhaus.abuse.ch/url/1640607/
  
Delivery method
Distributed via web download

Comments