MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c8ceceea071185485187862365097bbb02345c6519788db06c76d2286bec4efc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c8ceceea071185485187862365097bbb02345c6519788db06c76d2286bec4efc
SHA3-384 hash: a7aeeecd8290ff67b78055b0652634547bb1fd432761accbdb4db086059fbf13e3007852a116c86b16fa3aec712da2cb
SHA1 hash: c38f07b26060cde49068ee6ca98a58e3cae1b375
MD5 hash: 199172dc2093263eed50e3f744859def
humanhash: wolfram-three-georgia-stream
File name:199172dc2093263eed50e3f744859def
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'238'716 bytes
First seen:2021-08-28 09:50:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 24576:kijmOmv1ZSO0PgnloOKVEdKlfMeezNEfRmoIXLRn10GEDbsla5I:3qbv1ZRnlA2dKi9h5bwG7MI
Threatray 464 similar samples on MalwareBazaar
TLSH T14645334B7BFA4C26E3E50AB149F5725291FA2F370D30860BA7425F873600E55621ABDF
dhash icon 686c74f4c2e8e4e0 (4 x DanaBot, 3 x RaccoonStealer, 3 x RecordBreaker)
Reporter zbetcheckin
Tags:32 DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'155
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/183048/
Detection(s):
Win.Packed.Filerepmalware-9864117-0
Create hunting rule

Win.Packed.Stop-9872858-0
Create hunting rule

Win.Packed.Doina-9886276-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a file in the Program Files subdirectories
Deleting a recently created file
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Launching a process
Creating a process with a hidden window
Running batch commands
Launching the default Windows debugger (dwwin.exe)
Launching cmd.exe command interpreter
DNS request
Sending a UDP request
Connection attempt
Sending an HTTP GET request
Creating a file
Sending a custom TCP request
Enabling autorun by creating a file
Malware family:
IntelRapid
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ebb9629e-97f1-4f81-accd-39f85a30a95c
Result
Threat name:
Clipboard Hijacker
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/840705
Signature
Delayed program exit found
Found malware configuration
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Submitted sample is a known malware sample
System process connects to network (likely due to code injection or exploit)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Clipboard Hijacker
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 473136 Sample: 2pzJVr4u7m Startdate: 28/08/2021 Architecture: WINDOWS Score: 100 93 Found malware configuration 2->93 95 Multi AV Scanner detection for dropped file 2->95 97 Multi AV Scanner detection for submitted file 2->97 99 5 other signatures 2->99 11 2pzJVr4u7m.exe 25 2->11         started        14 SmartClock.exe 2->14         started        16 SmartClock.exe 2->16         started        18 rundll32.exe 2->18         started        process3 file4 71 C:\Users\user\AppData\Local\Temp\...\ptrv.exe, PE32 11->71 dropped 73 C:\Users\user\AppData\Local\Temp\...\faer.exe, PE32 11->73 dropped 75 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 11->75 dropped 77 3 other files (none is malicious) 11->77 dropped 20 ptrv.exe 1 5 11->20         started        23 faer.exe 4 11->23         started        26 WerFault.exe 14->26         started        28 WerFault.exe 16->28         started        process5 file6 103 Multi AV Scanner detection for dropped file 20->103 105 Machine Learning detection for dropped file 20->105 30 cmd.exe 1 20->30         started        33 dllhost.exe 20->33         started        69 C:\Users\user\AppData\...\SmartClock.exe, PE32 23->69 dropped 107 Delayed program exit found 23->107 35 SmartClock.exe 23->35         started        37 WerFault.exe 9 23->37         started        39 WerFault.exe 20 9 23->39         started        41 WerFault.exe 9 23->41         started        signatures7 process8 signatures9 113 Submitted sample is a known malware sample 30->113 115 Obfuscated command line found 30->115 117 Uses ping.exe to sleep 30->117 119 Uses ping.exe to check the status of other devices and networks 30->119 43 cmd.exe 3 30->43         started        46 conhost.exe 30->46         started        48 WerFault.exe 35->48         started        process10 signatures11 109 Obfuscated command line found 43->109 111 Uses ping.exe to sleep 43->111 50 Sostenere.exe.com 43->50         started        53 findstr.exe 1 43->53         started        56 PING.EXE 1 43->56         started        process12 dnsIp13 101 May check the online IP address of the machine 50->101 59 Sostenere.exe.com 3 18 50->59         started        67 C:\Users\user\AppData\...\Sostenere.exe.com, Targa 53->67 dropped 81 192.168.2.4, 443, 49681, 49682 unknown unknown 56->81 file14 signatures15 process16 dnsIp17 83 ip-api.com 208.95.112.1, 49738, 80 TUT-ASUS United States 59->83 85 sLmenmIQFwSvOylTBAq.sLmenmIQFwSvOylTBAq 59->85 79 C:\Users\user\AppData\...\eevititqxfb.vbs, ASCII 59->79 dropped 63 wscript.exe 59->63         started        file18 process19 dnsIp20 87 iplogger.org 88.99.66.31, 443, 49739 HETZNER-ASDE Germany 63->87 89 System process connects to network (likely due to code injection or exploit) 63->89 91 May check the online IP address of the machine 63->91 signatures21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c8ceceea071185485187862365097bbb02345c6519788db06c76d2286bec4efc/
Threat name:
Win32.Trojan.Phonzy
Create hunting rule
Status:
Malicious
First seen:
2021-08-26 22:43:39 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
21264f137758d0bb2825cd6198b4ae8aedc2e7346c5bf3f84062c1cb326f023b
DanaBot
21b42e9aafdfd188999c8fc970e0efaca9e773b35fe8fb7fe8155849cebaf662
DanaBot
256ad361e3b197d08e734c3d116ae1311045cc11a9f7f7be4994ad9fb46a0ca0
DanaBot
59ffd2713fcc721ea5c57944cb6443be5061ff49ba76fa31e3ae4a75577a7da1
DanaBot
7316a53221fd947465957838ed65abe390dc884bf0aa63ea095b658ac275359c
DanaBot
a4ea700b81162fffa25eea3aefe0d4118601ae8acd0123f08e487c4c8bc0ad84
DanaBot
ba79511e07aa54335187ca44cd181736ffec00ad5436e3a1d1418ce5b743807d
DanaBot
+ 454 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot banker persistence trojan
Link:
https://tria.ge/reports/210828-azq51amx8j/
Behaviour
Checks processor information in registry
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Danabot
Danabot Loader Component
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
192.210.222.81:443
23.229.29.48:443
5.9.224.204:443
192.255.166.212:443
Unpacked files
SH256 hash:
cae2af36f866fed9753ecc423bf1cfb3d1b5f2c3179dddc1715d6c896812d669
MD5 hash:
0fcc3d7408dfb7b31d8e36982dab298c
SHA1 hash:
6ebe13e8565ab5cfc7f8eac8973c156531b2a1e2
Link:
https://www.unpac.me/results/05a38030-8d53-470b-83e8-64a2b6ee7486/
SH256 hash:
b941a1a6409c03efb52ed7874fa8bf012a9a1da0a9b465aa4945485a32d229a4
MD5 hash:
437ad383ca020a418bb3ded0c4b6f753
SHA1 hash:
0ee8b6ec315302482cf3de8def307adbdabb98b0
Link:
https://www.unpac.me/results/05a38030-8d53-470b-83e8-64a2b6ee7486/
SH256 hash:
37c489395d96460dcdcfd723d16ff520effa1ccb23a67eb74e728b12982e1b1c
MD5 hash:
08c0b6377a661849eeafc55ddba483d7
SHA1 hash:
002c4b034c3cea4035cad4abf7ecf0864876652a
Link:
https://www.unpac.me/results/05a38030-8d53-470b-83e8-64a2b6ee7486/
SH256 hash:
c8ceceea071185485187862365097bbb02345c6519788db06c76d2286bec4efc
MD5 hash:
199172dc2093263eed50e3f744859def
SHA1 hash:
c38f07b26060cde49068ee6ca98a58e3cae1b375
Link:
https://www.unpac.me/results/05a38030-8d53-470b-83e8-64a2b6ee7486/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c8ceceea071185485187862365097bbb02345c6519788db06c76d2286bec4efc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe c8ceceea071185485187862365097bbb02345c6519788db06c76d2286bec4efc

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1571975/
Cape
Cape
https://www.capesandbox.com/analysis/183048/

Comments


Avatar
zbet commented on 2021-08-28 09:50:13 UTC

url : hxxp://tobepw05.top/downfiles/lv.exe