MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 caeba1910c89f2122e91e962d96987421b822487681d549bcf9d3118d1b87bb4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments 1

SHA256 hash:	caeba1910c89f2122e91e962d96987421b822487681d549bcf9d3118d1b87bb4
SHA3-384 hash:	06d0e91479d1d20527b7dc5d7752150df6df3b1cadd2f882a0795ba31ceabc6a05bea83214e60ae89ab66f1b2cf60bc7
SHA1 hash:	0af98a99a81e59ccc450872b15e5f857ce77f408
MD5 hash:	80893465004ba8821412c5815efad34b
humanhash:	lactose-failed-magnesium-texas
File name:	80893465004ba8821412c5815efad34b
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	1'076'736 bytes
First seen:	2021-08-15 11:43:11 UTC
Last seen:	2021-08-15 12:40:59 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	b6eb307a53194f1a2629d22afffc5564 (4 x Smoke Loader, 3 x DanaBot, 2 x RedLineStealer)
ssdeep	24576:GeqrjrakGkowvldxnK2uWBnnB4YVApRXITalmjaw:MmkowvdK2nnnBudCf
Threatray	3'944 similar samples on MalwareBazaar
TLSH	T1CD352325B4D3C6A0D45230F44037CE6C923D2FA1D737499622983E2F5E763E894B7799
dhash icon	4839b2b4e8c38890 (137 x RaccoonStealer, 37 x Smoke Loader, 30 x RedLineStealer)
Reporter	zbetcheckin
Tags:	32 DanaBot exe

Intelligence

File Origin

# of uploads :

# of downloads :

383

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

80893465004ba8821412c5815efad34b

Verdict:

Malicious activity

Analysis date:

2021-08-15 11:44:25 UTC

Tags:

trojan danabot

Link:

https://app.any.run/tasks/aebdfc2a-1b01-4c7a-8dd1-5ea4507e3a48

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

DanaBot

Link:

https://www.capesandbox.com/analysis/179353/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware2.27861.8302.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Creating a file

Enabling the 'hidden' option for recently created files

Launching a process

Creating a process with a hidden window

Sending a UDP request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e9695979-927a-41f4-9b8d-3a420190f60f

Result

Threat name:

DanaBot

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/833159

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected DanaBot stealer dll

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/caeba1910c89f2122e91e962d96987421b822487681d549bcf9d3118d1b87bb4/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-08-15 11:44:07 UTC

AV detection:

18 of 28 (64.29%)

Threat level:

5/5

Verdict:

malicious

Result

Malware family:

danabot

Score:

10/10

Tags:

family:danabot banker trojan

Link:

https://tria.ge/reports/210815-5ky3dpm9se/

Behaviour

Suspicious use of WriteProcessMemory

Loads dropped DLL

Blocklisted process makes network request

Danabot

Danabot Loader Component

Unpacked files

SH256 hash:

8af95e7b245deede697fbb9081551dd88610dfd72a0cba790c7c382c29f99ccc

MD5 hash:

cfc25f6127c1542eee376a6b9fb0d3d9

SHA1 hash:

cf1c89eba15320765f2b6ebced98edd77ed67a6e

Link:

https://www.unpac.me/results/14197fc0-ff1e-4e54-9713-77f45101d4db/

SH256 hash:

0c00122d0b6055dcaa9f82ed9f9bf71d6738ef9a23e87494aa60f5dce12f759a

MD5 hash:

315b6edd5fca411ca0776f51dfdef12b

SHA1 hash:

a0d3f5ad6837fbed109f257c66f54814faf26f8d

Link:

https://www.unpac.me/results/14197fc0-ff1e-4e54-9713-77f45101d4db/

SH256 hash:

caeba1910c89f2122e91e962d96987421b822487681d549bcf9d3118d1b87bb4

MD5 hash:

80893465004ba8821412c5815efad34b

SHA1 hash:

0af98a99a81e59ccc450872b15e5f857ce77f408

Link:

https://www.unpac.me/results/14197fc0-ff1e-4e54-9713-77f45101d4db/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/caeba1910c89/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/caeba1910c89f2122e91e962d96987421b822487681d549bcf9d3118d1b87bb4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

exe caeba1910c89f2122e91e962d96987421b822487681d549bcf9d3118d1b87bb4

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/1495647/

URLhaus

https://urlhaus.abuse.ch/url/1490082/

URLhaus

https://urlhaus.abuse.ch/url/1461110/

Cape

https://www.capesandbox.com/analysis/179353/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2021-08-15 11:43:12 UTC

url : hxxp://104.144.69.55/tabhost.exe