MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d23fdbd760b506644824da200eb06eb927e1c007098b2bf356c025f7b527b5e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d23fdbd760b506644824da200eb06eb927e1c007098b2bf356c025f7b527b5e3
SHA3-384 hash: 3784f06ce4581922af2ffde54c63029c010eaef6c2166619bca0c7823d3dbcd3fa6ca1fb3900a4444aa09e7094de4b5d
SHA1 hash: 3f7c3eaf46bf63aaa8562ebbfcea2d7aae2a495c
MD5 hash: c70150d4634ccf7bb7733ebdb4072f0f
humanhash: green-zulu-hawaii-magnesium
File name:c70150d4634ccf7bb7733ebdb4072f0f.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:4'489'026 bytes
First seen:2021-10-03 07:36:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 98304:YZNbJZWu98KyknVQXIg+mK8aLks8Ssevxb9yTl1Jeg3V43qOLSdKw:YL6qdff8aLvNZv6TnIg3Ld
Threatray 509 similar samples on MalwareBazaar
TLSH T104263351EDF3E73CC9828BB6C593643939F5201DB962DE1B1301C8CE7754882AE8677A
File icon (PE):PE icon
dhash icon 60f48aaad6dc7060 (1 x ServHelper, 1 x DanaBot, 1 x Loki)
Reporter abuse_ch
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
246
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup_exe_x86_x64.exe
Verdict:
Malicious activity
Analysis date:
2021-10-03 02:07:37 UTC
Tags:
stealer trojan loader evasion danabot
Link:
https://app.any.run/tasks/a49c1619-7810-45c8-8cea-dbe9f9485522

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/194315/
Detection(s):
Win.Packed.Filerepmalware-9864117-0
Create hunting rule

Win.Packed.Stop-9872858-0
Create hunting rule

Win.Packed.Doina-9886276-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a file in the Program Files subdirectories
Deleting a recently created file
Creating a process from a recently created file
Launching a process
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Searching for the window
Creating a file in the Windows subdirectories
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/615c2ebfb95458900cdc6392/reports/1cdbac22-3033-42ba-89f7-5b67ee5671af/overview
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1f646395-6e79-42a9-9925-eea928315e2a
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/863372
Signature
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Submitted sample is a known malware sample
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses ping.exe to check the status of other devices and networks
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 495800 Sample: Nv59S7J4me.exe Startdate: 03/10/2021 Architecture: WINDOWS Score: 100 75 Multi AV Scanner detection for dropped file 2->75 77 Multi AV Scanner detection for submitted file 2->77 79 Tries to detect sandboxes and other dynamic analysis tools (window names) 2->79 81 5 other signatures 2->81 11 Nv59S7J4me.exe 25 2->11         started        14 IntelRapid.exe 2->14         started        17 IntelRapid.exe 2->17         started        19 rundll32.exe 2->19         started        process3 file4 57 C:\Users\user\AppData\Local\...\poteye.exe, PE32+ 11->57 dropped 59 C:\Users\user\AppData\Local\...\kelpie.exe, PE32 11->59 dropped 61 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 11->61 dropped 63 3 other files (none is malicious) 11->63 dropped 21 kelpie.exe 1 5 11->21         started        24 poteye.exe 4 11->24         started        115 Query firmware table information (likely to detect VMs) 14->115 117 Hides threads from debuggers 14->117 119 Tries to detect sandboxes / dynamic malware analysis system (registry check) 14->119 signatures5 process6 file7 89 Multi AV Scanner detection for dropped file 21->89 91 Machine Learning detection for dropped file 21->91 27 cmd.exe 1 21->27         started        30 dllhost.exe 21->30         started        55 C:\Users\user\AppData\...\IntelRapid.exe, PE32+ 24->55 dropped 93 Query firmware table information (likely to detect VMs) 24->93 95 Obfuscated command line found 24->95 97 Hides threads from debuggers 24->97 99 Tries to detect sandboxes / dynamic malware analysis system (registry check) 24->99 32 IntelRapid.exe 24->32         started        signatures8 process9 signatures10 103 Submitted sample is a known malware sample 27->103 105 Obfuscated command line found 27->105 107 Uses ping.exe to check the status of other devices and networks 27->107 34 cmd.exe 3 27->34         started        37 conhost.exe 27->37         started        109 Query firmware table information (likely to detect VMs) 32->109 111 Hides threads from debuggers 32->111 113 Tries to detect sandboxes / dynamic malware analysis system (registry check) 32->113 process11 signatures12 83 Obfuscated command line found 34->83 39 Grazia.exe.com 34->39         started        42 PING.EXE 1 34->42         started        45 findstr.exe 1 34->45         started        process13 dnsIp14 101 May check the online IP address of the machine 39->101 48 Grazia.exe.com 3 18 39->48         started        73 127.0.0.1 unknown unknown 42->73 65 C:\Users\user\AppData\...behaviorgraphrazia.exe.com, Targa 45->65 dropped file15 signatures16 process17 dnsIp18 67 ip-api.com 208.95.112.1, 49756, 80 TUT-ASUS United States 48->67 69 WwyqIYsDYRviWhalzpTBUVQzLDR.WwyqIYsDYRviWhalzpTBUVQzLDR 48->69 51 wscript.exe 12 48->51         started        process19 dnsIp20 71 iplogger.org 88.99.66.31, 443, 49757 HETZNER-ASDE Germany 51->71 85 System process connects to network (likely due to code injection or exploit) 51->85 87 May check the online IP address of the machine 51->87 signatures21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d23fdbd760b506644824da200eb06eb927e1c007098b2bf356c025f7b527b5e3/
Threat name:
Win32.Trojan.Phonzy
Create hunting rule
Status:
Malicious
First seen:
2021-10-02 19:31:54 UTC
AV detection:
16 of 45 (35.56%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
047d4736df5de4b84ab8cab3b25006c867e673dfd177c26ab5c11137303d67dc
DanaBot
0639bd4b59aee980105058f699f00f86695d69b3556b23376f3e7846381c5cdb
DanaBot
07ac0d8c9b10f058c06b050e72bd95ed11387f00ff091ec2ad72f2b3cfb17753
DanaBot
27dafacac9139a5ff6c8d220b4d5882f2118a7b2cef742c58881f9d6c073269c
DanaBot
4338455a669ade5c278337dbfb3121c9083dacd051e0868c2a781fda61b27b36
DanaBot
750a39612c3144d2db98649fb9a0bf0e9e31f64a2ab2c2a3d2c69328e9e454af
DanaBot
7ca0173307cd237569f1ce9e04fab25b26e5186fb530bd5ad1445b950024a7d9
DanaBot
92882d39873b86b9febece1c865a245aabdd7d5c44da54931d25a6e3d9e25670
DanaBot
9bf81c41969262419c61235584c442c26bd4f40a38d5ebb60d9f3bc73a834a3b
DanaBot
cf1d928e2ff239cf44c0e9bd41598ec6e714ac1b1d1de020a5a726b26a62e90d
DanaBot
+ 499 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot banker evasion persistence themida trojan
Link:
https://tria.ge/reports/211003-jft2bafcaq/
Behaviour
Checks processor information in registry
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Drops startup file
Loads dropped DLL
Themida packer
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Danabot
Danabot Loader Component
Malware Config
C2 Extraction:
142.11.192.232:443
192.119.110.73:443
142.11.242.31:443
192.210.222.88:443
Unpacked files
SH256 hash:
175302d079991f7afc2804ef947d42f9ad1832b53356d0c80a966f300a143934
MD5 hash:
c7878821d05ee7725d91fc227135069e
SHA1 hash:
9744a5c1fa14a6881e7a0d0a1bb25acc80dfe002
Link:
https://www.unpac.me/results/39f04a38-9b68-4462-a313-1dd7ff60ad75/
SH256 hash:
5f4623f416d7d3abe346725ba05ca027db406376c381d28e35997f15718ddf1c
MD5 hash:
b6d956529d8f735ebf6edc268643cc6a
SHA1 hash:
8595157c6e061ba24f58ecfd8b7ba1ca8d199b8b
Link:
https://www.unpac.me/results/39f04a38-9b68-4462-a313-1dd7ff60ad75/
SH256 hash:
d23fdbd760b506644824da200eb06eb927e1c007098b2bf356c025f7b527b5e3
MD5 hash:
c70150d4634ccf7bb7733ebdb4072f0f
SHA1 hash:
3f7c3eaf46bf63aaa8562ebbfcea2d7aae2a495c
Link:
https://www.unpac.me/results/39f04a38-9b68-4462-a313-1dd7ff60ad75/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d23fdbd760b506644824da200eb06eb927e1c007098b2bf356c025f7b527b5e3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe d23fdbd760b506644824da200eb06eb927e1c007098b2bf356c025f7b527b5e3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1651819/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/194315/

Comments