MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9b82cf2205251f479681eafa5d117ba0b79a9501275e9f0210a9acbdb679057. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	c9b82cf2205251f479681eafa5d117ba0b79a9501275e9f0210a9acbdb679057
SHA3-384 hash:	c907b6df5cdae4fdfa9d366df4d019adfde08ecc87ba13041b7a47edc8d40af242c4a2611dbc0171a0905a41f0f3f0c5
SHA1 hash:	ecc1f533e6b0dfd7bcee6e75531fc5919115ed05
MD5 hash:	551660c6e0c076f97d58f9aa11b0efa8
humanhash:	leopard-lima-william-alabama
File name:	551660c6e0c076f97d58f9aa11b0efa8.exe
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	1'148'416 bytes
First seen:	2021-08-09 18:35:27 UTC
Last seen:	2021-08-09 20:00:57 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9d007788623d69514f22ced610d164ef (3 x RedLineStealer, 2 x RaccoonStealer, 1 x Smoke Loader)
ssdeep	24576:mqau2QHbMtj3PsqwJb78Ae9lSH6TKHRE8XX0AH819lJN9:ml+HbMBsqwp772oHPHzH8B
Threatray	3'578 similar samples on MalwareBazaar
TLSH	T11C3523B03940F971F09718B4B45EE6E0F7696E106BA442871B613E2D9E3368163DE39F
dhash icon	10367878727e7636 (8 x RaccoonStealer, 4 x Smoke Loader, 2 x DanaBot)
Reporter	abuse_ch
Tags:	DanaBot exe

Intelligence

File Origin

# of uploads :

# of downloads :

357

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

551660c6e0c076f97d58f9aa11b0efa8.exe

Verdict:

Malicious activity

Analysis date:

2021-08-09 18:42:09 UTC

Tags:

trojan danabot

Link:

https://app.any.run/tasks/6c2fb74b-117b-4289-9041-f308a99771f6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

DanaBot

Link:

https://www.capesandbox.com/analysis/177734/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.11341.1279.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Creating a file

Enabling the 'hidden' option for recently created files

Launching a process

Creating a process with a hidden window

Sending a UDP request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/120b8fe3-ca11-4973-8955-bf6e456722c6

Result

Threat name:

DanaBot

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/829568

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected DanaBot stealer dll

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c9b82cf2205251f479681eafa5d117ba0b79a9501275e9f0210a9acbdb679057/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-08-09 18:36:13 UTC

AV detection:

19 of 28 (67.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=zg4cz4rakji7i6lid2x2luixxifxtkkqcj26t4bbbknmxw3hsblq._file

Verdict:

unknown

Result

Malware family:

danabot

Score:

10/10

Tags:

family:danabot banker trojan

Link:

https://tria.ge/reports/210809-99f2q3d5da/

Behaviour

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Loads dropped DLL

Blocklisted process makes network request

Danabot

Danabot Loader Component

Unpacked files

SH256 hash:

735bf0f0258d1bb30d7a93912b838cac71c8eab4145eb3e69845fe289ef753a5

MD5 hash:

2f910ee4632c5ddc720fe57fd58b89bb

SHA1 hash:

b4a329e7bdc40ca17aa60692de2fbeb823944d00

Link:

https://www.unpac.me/results/09df4c1b-b1b5-43fd-b870-e7f01820f2e3/

SH256 hash:

f85b1f214df3fe55885c5c4830224d0f7d049da3ee691deffd147196bfab93a9

MD5 hash:

aeb834c365d2f9c9e0076b5031fdec54

SHA1 hash:

24187cab88722c1992f2cebc7efde29edcc4f849

Link:

https://www.unpac.me/results/09df4c1b-b1b5-43fd-b870-e7f01820f2e3/

SH256 hash:

c9b82cf2205251f479681eafa5d117ba0b79a9501275e9f0210a9acbdb679057

MD5 hash:

551660c6e0c076f97d58f9aa11b0efa8

SHA1 hash:

ecc1f533e6b0dfd7bcee6e75531fc5919115ed05

Link:

https://www.unpac.me/results/09df4c1b-b1b5-43fd-b870-e7f01820f2e3/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c9b82cf2205251f479681eafa5d117ba0b79a9501275e9f0210a9acbdb679057

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

exe c9b82cf2205251f479681eafa5d117ba0b79a9501275e9f0210a9acbdb679057

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1490082/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/1461110/

URLhaus

https://urlhaus.abuse.ch/url/1495647/

URLhaus

https://urlhaus.abuse.ch/url/1467030/

Cape

https://www.capesandbox.com/analysis/177734/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample