MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c97d5d2645cc3028888156c99ddec9d67c3eb8812295d6f2fdd3f6e1a182f9a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c97d5d2645cc3028888156c99ddec9d67c3eb8812295d6f2fdd3f6e1a182f9a3
SHA3-384 hash: b49c94b10509d987aec3f7e4f14b30773f429021f978f097da2df67af949947249d54a424b5cf6dd274972f6848fe989
SHA1 hash: bb056be49140db02baa6b03618d0fa4fdc14ea0f
MD5 hash: a6a8f833fdd0b5f4ee7b46714a3d20c7
humanhash: hot-skylark-uranus-equal
File name:a6a8f833fdd0b5f4ee7b46714a3d20c7.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:494'172 bytes
First seen:2021-07-23 06:21:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 12288:o0gLfdyZTg1Jr8H3/FSJ+k/w9nlfi7c7qC94iQd4:zG1ZcH3/F8+E8lfnqviQd4
Threatray 353 similar samples on MalwareBazaar
TLSH T1E8B41205FBE684B6FEE50DB44EB04321AD76BD704A31E72A12117DCDBCB1602AD2C75A
dhash icon eaa3bf9b0f37b300 (2 x DanaBot)
Reporter abuse_ch
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
204
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4.exe
Verdict:
Malicious activity
Analysis date:
2021-07-23 06:15:26 UTC
Tags:
trojan stealer loader evasion opendir
Link:
https://app.any.run/tasks/6cd8a3f7-7a09-4671-af24-e78b42e9cf6f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DLAgent14
Create hunting rule
Link:
https://www.capesandbox.com/analysis/173533/
Detection(s):
Win.Packed.Filerepmalware-9864117-0
Create hunting rule

Win.Packed.Stop-9872858-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
IntelRapid
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/afb9f126-ed36-4733-b4dd-f00a0607b046
Result
Threat name:
Clipboard Hijacker
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/820561
Signature
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
System process connects to network (likely due to code injection or exploit)
Yara detected Clipboard Hijacker
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 453017 Sample: qI3RGyzfxL.exe Startdate: 23/07/2021 Architecture: WINDOWS Score: 100 40 Multi AV Scanner detection for domain / URL 2->40 42 Found malware configuration 2->42 44 Multi AV Scanner detection for dropped file 2->44 46 10 other signatures 2->46 7 qI3RGyzfxL.exe 25 2->7         started        10 SmartClock.exe 2->10         started        12 SmartClock.exe 2->12         started        process3 file4 28 C:\Users\user\AppData\Local\Temp\...\vpn.exe, PE32 7->28 dropped 30 C:\Users\user\AppData\Local\Temp\...\4.exe, PE32 7->30 dropped 32 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 7->32 dropped 34 3 other files (none is malicious) 7->34 dropped 14 vpn.exe 3 19 7->14         started        17 4.exe 4 7->17         started        process5 dnsIp6 38 ip-api.com 208.95.112.1, 49702, 80 TUT-ASUS United States 14->38 20 wscript.exe 12 14->20         started        26 C:\Users\user\AppData\...\SmartClock.exe, PE32 17->26 dropped 24 SmartClock.exe 17->24         started        file7 process8 dnsIp9 36 iplogger.org 88.99.66.31, 443, 49703 HETZNER-ASDE Germany 20->36 48 System process connects to network (likely due to code injection or exploit) 20->48 50 May check the online IP address of the machine 20->50 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c97d5d2645cc3028888156c99ddec9d67c3eb8812295d6f2fdd3f6e1a182f9a3/
Threat name:
Win32.Trojan.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-07-22 19:54:19 UTC
AV detection:
18 of 46 (39.13%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zf6v2jsfzqycrcebk3ez3xwj2z6d5oebekk5n4x52p3odimc7grq._file
Verdict:
suspicious
Similar samples:
3688577e500b07cc1818d4c994651f791659efbf8ef3ff88329f25c4f65aba24
DanaBot
46c3c96de71f691a7247112fe80d61599ab91e8ead7db41cfab9af64357d10cc
DanaBot
64797d37b57cc5a503f914a94995b7c830e4b2b52e535b8b53363355b739b38f
DanaBot
6e3bf07d961efc686017f48cf2f847072cb35699dc24e44287d9e01274814ad4
DanaBot
70b76fcb6175f3a6b2ea31d55732900a43a28c6510ff442d14bcfc10bd1ea28b
DanaBot
7525f2c1ccec025adb8f773ab10ecd9cee7bacec9949a7415ad239cec969bfb8
DanaBot
78917f8c2ce40501bb4bf955f14e9f96dea7aa003bc6d21611d6c771a7df6a16
DanaBot
acf5a0702538d69871c917a13a45effbcc2dd9161578b270a6b56f8447062dbf
DanaBot
+ 343 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot botnet:4 banker discovery spyware stealer trojan
Link:
https://tria.ge/reports/210723-c7rt6jr9fn/
Behaviour
Checks processor information in registry
Modifies registry class
Modifies system certificate store
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Danabot
Malware Config
C2 Extraction:
142.11.244.124:443
142.11.206.50:443
Unpacked files
SH256 hash:
b8cbfaa6ae9da53bfa2f1fbf83836acff36ffa61006d8d6b0b9123e338517ba2
MD5 hash:
b9a05ac73118feb763a999a03aa15278
SHA1 hash:
82953d09c1050924d909598689b3738d07754a56
Link:
https://www.unpac.me/results/1495f3e2-f4f5-4efa-935f-0cfcfa6f5b6b/
SH256 hash:
cae2af36f866fed9753ecc423bf1cfb3d1b5f2c3179dddc1715d6c896812d669
MD5 hash:
0fcc3d7408dfb7b31d8e36982dab298c
SHA1 hash:
6ebe13e8565ab5cfc7f8eac8973c156531b2a1e2
Link:
https://www.unpac.me/results/1495f3e2-f4f5-4efa-935f-0cfcfa6f5b6b/
SH256 hash:
c97d5d2645cc3028888156c99ddec9d67c3eb8812295d6f2fdd3f6e1a182f9a3
MD5 hash:
a6a8f833fdd0b5f4ee7b46714a3d20c7
SHA1 hash:
bb056be49140db02baa6b03618d0fa4fdc14ea0f
Link:
https://www.unpac.me/results/1495f3e2-f4f5-4efa-935f-0cfcfa6f5b6b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c97d5d2645cc3028888156c99ddec9d67c3eb8812295d6f2fdd3f6e1a182f9a3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe c97d5d2645cc3028888156c99ddec9d67c3eb8812295d6f2fdd3f6e1a182f9a3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1472789/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/173533/

Comments