MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 caed16de6a28d37209586d534576da0c094a681236e03a89d3c77548e6704fa4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: caed16de6a28d37209586d534576da0c094a681236e03a89d3c77548e6704fa4
SHA3-384 hash: 84b64d0b29d874ebfa07ebc9dc440ee9ddb7272527f30855f9aaccdb8c9cb9e1420a3e0c78c6e752d3449a7339556e08
SHA1 hash: 5b37bf61e33bd2f68d4c0d9ca107a8a95841832f
MD5 hash: ef0173a7113a3271964707c1a7521838
humanhash: aspen-mike-helium-glucose
File name:ef0173a7113a3271964707c1a7521838
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'893'888 bytes
First seen:2021-11-28 22:09:14 UTC
Last seen:2021-11-28 23:33:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 812deb7f7900a9634d9b5efcb5c75509 (1 x DanaBot, 1 x Smoke Loader, 1 x RedLineStealer)
ssdeep 24576:ZDnYC62QrVFsDRLefHl04Gfqov+DHz6T7960eORP7HnYJ/kzCKZpV2PRF1Xw6znR:iCQryLePl0lfqgy2Xc09zgfKQPR7XwP
Threatray 7'774 similar samples on MalwareBazaar
TLSH T1F595231462B0C039F4BB12F9983993AAA63F7DB0AB5454CF92D507E957386E2DD3034B
File icon (PE):PE icon
dhash icon b2dacaaecee6baa6 (23 x RedLineStealer, 22 x Stop, 13 x Smoke Loader)
Reporter zbetcheckin
Tags:32 DanaBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
468
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ef0173a7113a3271964707c1a7521838
Verdict:
Malicious activity
Analysis date:
2021-11-28 22:10:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/dc0f4617-585f-4b00-9395-a742dbcd4343

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.14695.16231.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file
Enabling the 'hidden' option for recently created files
DNS request
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61a3fe3fbbfd2af97cb85373/reports/569090cd-b179-4f51-9bc8-5c6ba95b7b32/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a0d0eabf-2636-439f-a21a-71ccb00c9c6d
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/897548
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/caed16de6a28d37209586d534576da0c094a681236e03a89d3c77548e6704fa4/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2021-11-28 22:10:21 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
26 of 28 (92.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zlwrnxtkfdjxeckynvjuk5w2bqeuu2asg3qdvcoty52urztqj6sa._file
Verdict:
malicious
Similar samples:
11da67d2ec898827753f51e2bd4fc8329a5b29f33bcd1494f996c311bac93e7c
DanaBot
18ae9ea1c1d71b33777c8772248580f17a2bcecf1aa0e8f71ec15d4b33d5253b
DanaBot
4e19a6c2fb2fd245e5c2097ff4d91aa86c4f49aaa4fbdab4cae046e3e02d0e52
DanaBot
8d2fc9db7c9f5dcf80faef24bf99af1a4553007d810981fef4026f3fce02a945
DanaBot
a5437c7d1711d9ef40881b429e3b308c5e3d6b94da15aa1b20f5c64ecbe49848
DanaBot
ba58e003883e6ef7e4e1b5289fc201a8e5eaeec85fe2f3809e68aad8439066ae
DanaBot
c0c908fdb5c67cd4ab56ab911320adaf68e4bc9a230a4a04eaf2cf6ae92443f4
DanaBot
f8f1569945e8adb87cb91509db4129d64a878863a347dbea1b21b70e1a21f973
DanaBot
+ 7'764 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot banker trojan
Link:
https://tria.ge/reports/211128-13dfhsagbk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Loads dropped DLL
Danabot
Danabot Loader Component
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
142.11.244.223:443
23.106.122.139:443
Unpacked files
SH256 hash:
f0cc55b561e7a7581030c49511eb5650e4c0359a72be3586529aa1ebd93d5379
MD5 hash:
dbb5b0f921e4c92e5b8dc7b66bcc0184
SHA1 hash:
f1ca2695d46acf5024c7ab6ecb1781c483d2e403
Link:
https://www.unpac.me/results/92c92853-a5f4-4c8e-8c4f-1e083f38c278/
SH256 hash:
1b315d02dc0284d4b84d38a914b107f8824fd7cc479575387d838da0f0d4eda7
MD5 hash:
7417a2df54c07efbc9f690e8c1f505a9
SHA1 hash:
a7383803215d4c73eaa646381be20cd6de18f70e
Link:
https://www.unpac.me/results/92c92853-a5f4-4c8e-8c4f-1e083f38c278/
SH256 hash:
caed16de6a28d37209586d534576da0c094a681236e03a89d3c77548e6704fa4
MD5 hash:
ef0173a7113a3271964707c1a7521838
SHA1 hash:
5b37bf61e33bd2f68d4c0d9ca107a8a95841832f
Link:
https://www.unpac.me/results/92c92853-a5f4-4c8e-8c4f-1e083f38c278/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/caed16de6a28d37209586d534576da0c094a681236e03a89d3c77548e6704fa4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe caed16de6a28d37209586d534576da0c094a681236e03a89d3c77548e6704fa4

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1829831/
  
URLhaus
https://urlhaus.abuse.ch/url/1829756/
  
URLhaus
https://urlhaus.abuse.ch/url/1772785/

Comments


Avatar
zbet commented on 2021-11-28 22:09:15 UTC

url : hxxp://152.89.247.172/report.exe