MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9da5644a721e5cb83d8648f8b2c02323aba6154e80fc1f06d2d9659dceb5b8b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c9da5644a721e5cb83d8648f8b2c02323aba6154e80fc1f06d2d9659dceb5b8b
SHA3-384 hash: 8beef9224d9db180adee81dc8a0712dc4a12371836caf60594a30df4c82010ed9745fadd8a4897abbdb99771d69ac62a
SHA1 hash: e0f2ba1960f68f7abbc70a12f4bc7a5a2b706389
MD5 hash: 49f570914fa998c08360d461a5a3f03d
humanhash: oven-coffee-india-item
File name:49f570914fa998c08360d461a5a3f03d
Download: download sample
Signature DanaBot
Create hunting rule
File size:5'704'765 bytes
First seen:2021-12-15 11:23:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 98304:5ZDqoO6OZ0plGhbood4x7uAIVJKJmqdgsAGdw01JjjJTPbBBYrELm9k6:5hO6QOuK1AJKA4aiJjjJToyM
Threatray 1'269 similar samples on MalwareBazaar
TLSH T1AF4633C29D554160C9E509B2913A3AFCE3A28EC106FCFA57F51A7BEDCBB27115C4224B
File icon (PE):PE icon
dhash icon b464c4f0e8e0d0cc (2 x DanaBot)
Reporter zbetcheckin
Tags:32 DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
468
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
49f570914fa998c08360d461a5a3f03d
Verdict:
No threats detected
Analysis date:
2021-12-15 11:33:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0d6f355d-fe07-4985-b96e-b4491ae142f2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DanaBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/214321/
Detection(s):
Win.Packed.Filerepmalware-9864117-0
Create hunting rule

Win.Packed.Stop-9872858-0
Create hunting rule

Win.Packed.Doina-9886276-0
Create hunting rule

Win.Packed.Pwsx-9901330-0
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Searching for analyzing tools
Searching for the window
DNS request
Sending an HTTP GET request
Creating a file
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Searching for synchronization primitives
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/2118/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed virus
Link:
https://www.filescan.io/uploads/61b9d05781d23237200305ed/reports/8362c60a-d872-452b-8e20-d2201cbf0d65/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/0ebb8d15-6e71-424c-a0aa-54fba3fd3c6e
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/907811
Signature
Antivirus detection for dropped file
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 540293 Sample: hbQlo7Tz3a Startdate: 15/12/2021 Architecture: WINDOWS Score: 100 47 Antivirus detection for dropped file 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 Tries to detect sandboxes and other dynamic analysis tools (window names) 2->51 53 5 other signatures 2->53 7 hbQlo7Tz3a.exe 25 2->7         started        process3 file4 23 C:\Users\user\AppData\Local\...\palmusvp.exe, PE32 7->23 dropped 25 C:\Users\user\AppData\Local\...\oxgoad.exe, PE32 7->25 dropped 27 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 7->27 dropped 29 3 other files (none is malicious) 7->29 dropped 10 oxgoad.exe 7 7->10         started        14 palmusvp.exe 3 18 7->14         started        process5 dnsIp6 31 C:\Users\user\AppData\...\DpEditor.exe, PE32 10->31 dropped 55 Antivirus detection for dropped file 10->55 57 Query firmware table information (likely to detect VMs) 10->57 59 Machine Learning detection for dropped file 10->59 17 DpEditor.exe 10->17         started        35 ip-api.com 208.95.112.1, 49742, 80 TUT-ASUS United States 14->35 61 May check the online IP address of the machine 14->61 63 Hides threads from debuggers 14->63 65 Tries to detect sandboxes / dynamic malware analysis system (registry check) 14->65 20 wscript.exe 12 14->20         started        file7 signatures8 process9 dnsIp10 37 Query firmware table information (likely to detect VMs) 17->37 39 Hides threads from debuggers 17->39 41 Tries to detect sandboxes / dynamic malware analysis system (registry check) 17->41 33 iplogger.org 148.251.234.83, 443, 49746 HETZNER-ASDE Germany 20->33 43 System process connects to network (likely due to code injection or exploit) 20->43 45 May check the online IP address of the machine 20->45 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c9da5644a721e5cb83d8648f8b2c02323aba6154e80fc1f06d2d9659dceb5b8b/
Threat name:
Win32.Infostealer.ClipBanker
Create hunting rule
Status:
Malicious
First seen:
2021-12-15 11:24:22 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
03555d8ea739df664c3eb88e62a30e7c590233eff39c2dfe7f72bd717eb3d716
DanaBot
075811c1b041821aa0902e5035ab2177e6c97c451896ee954d98486d049face6
DanaBot
108cad79cd5bd2a947c5b877a55b7d3a6a4ce579aae3f298c0618154c27eb3d4
DanaBot
12505bb6e3c63202f22db1d60afd4a0a386ddff8807bf0d1f8583ba57f6413ba
DanaBot
41c2bbd61ad11d1fd1e1c8771edd92d1ab5df475c65764c2c5153f6afef84894
DanaBot
79eb109f62c883549a6a2b1dbe9428efcc66ca8dcf57a91b87f88d08499b6369
DanaBot
a3acdf009a9db20af30be0c6fcdcdc27ad9db3ee9a84bc52d9e6f7d30ec42af2
DanaBot
d3184ceae376a789ccd61e767da3f21cacd72dfc7162a5e1a9569c7244d0bf9a
DanaBot
d7b4b6a43396314d34f68e01bb1dd58a673c97519318f6dd67ee46acace6191e
DanaBot
dd2867c397375bafb2706c13226805a2877725d93f61938b9f90a3a1f568f6c0
DanaBot
+ 1'259 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot banker evasion themida trojan
Link:
https://tria.ge/reports/211215-nhp8cshdd5/
Behaviour
Checks processor information in registry
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks whether UAC is enabled
Checks BIOS information in registry
Loads dropped DLL
Themida packer
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Danabot
Danabot Loader Component
Malware Config
C2 Extraction:
142.11.244.223:443
23.106.122.139:443
Unpacked files
SH256 hash:
d391ade2b38f842678d82adfd41ffadcc6b6e100df944fc4171987e2581c612d
MD5 hash:
3f1ca1c23dc083306ea3f4dcde1fb98c
SHA1 hash:
c39bd8232fc94fa566c25b4c1867a1747ac1364a
Link:
https://www.unpac.me/results/610c1f0f-0230-452f-b404-bfea6e402eed/
SH256 hash:
fcb71ce9e93932018eb64cd39621a92312afb3850ad25beae0881b84e924c8e7
MD5 hash:
2c2dc7090a55bad3cafb573b300df6d6
SHA1 hash:
875196e81d336bb98ee4316ae2a977e41f39fd69
Link:
https://www.unpac.me/results/610c1f0f-0230-452f-b404-bfea6e402eed/
SH256 hash:
c9da5644a721e5cb83d8648f8b2c02323aba6154e80fc1f06d2d9659dceb5b8b
MD5 hash:
49f570914fa998c08360d461a5a3f03d
SHA1 hash:
e0f2ba1960f68f7abbc70a12f4bc7a5a2b706389
Link:
https://www.unpac.me/results/610c1f0f-0230-452f-b404-bfea6e402eed/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c9da5644a721e5cb83d8648f8b2c02323aba6154e80fc1f06d2d9659dceb5b8b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe c9da5644a721e5cb83d8648f8b2c02323aba6154e80fc1f06d2d9659dceb5b8b

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1887349/
Cape
Cape
https://www.capesandbox.com/analysis/214321/

Comments


Avatar
zbet commented on 2021-12-15 11:23:40 UTC

url : hxxp://ekuboh14.top/downfiles/newish.exe