MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d47844ec0804c45feddfb89791832c4040754a703e46454cf571a2d30ac83124. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d47844ec0804c45feddfb89791832c4040754a703e46454cf571a2d30ac83124
SHA3-384 hash: ffd63d9789aeebb690162d406c3026fce7e371f3933d17bc8e46a8430d3a372e0f0d8829664b3848e872d64a233c0d4a
SHA1 hash: 30ba2ff291af1ee572f9eb9299b41d83157c1b83
MD5 hash: dba9d5c211d728da4b92e0064a445ecd
humanhash: moon-india-low-carpet
File name:dba9d5c211d728da4b92e0064a445ecd.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'327'959 bytes
First seen:2021-06-08 10:58:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 24576:mE1Z3ax00Bk2a0daHph0FLaKMAtGMetTJnSo+fJPwmwxH7vJSog0SHv:f1Zudk2acaHphi76VZJnSoeJI7vJSovS
Threatray 186 similar samples on MalwareBazaar
TLSH 0D552399BFEAC137D1764C708992E9E155B2FC904857C21B3394BFEE3E32206482577A
Reporter abuse_ch
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
268
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9bae907c90204ebf2ac85fe63e96ffb3422505631698c.exe
Verdict:
Malicious activity
Analysis date:
2021-06-08 07:16:03 UTC
Tags:
stealer trojan
Link:
https://app.any.run/tasks/8cf9eda2-19f5-4f59-8220-e5989b10a220

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/165263/
Detection(s):
Win.Packed.Filerepmalware-9864117-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Deleting a recently created file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Sending a UDP request
Launching a process
Creating a file in the %AppData% subdirectories
DNS request
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/798708
Signature
Contains functionality to register a low level keyboard hook
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 431102 Sample: xHJrAVUIiy.exe Startdate: 08/06/2021 Architecture: WINDOWS Score: 100 59 Multi AV Scanner detection for dropped file 2->59 61 Multi AV Scanner detection for submitted file 2->61 63 Detected unpacking (changes PE section rights) 2->63 65 5 other signatures 2->65 10 xHJrAVUIiy.exe 25 2->10         started        13 SmartClock.exe 2->13         started        15 SmartClock.exe 2->15         started        process3 file4 45 C:\Users\user\AppData\Local\Temp\...\vpn.exe, PE32 10->45 dropped 47 C:\Users\user\AppData\Local\Temp\...\4.exe, PE32 10->47 dropped 49 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 10->49 dropped 51 3 other files (none is malicious) 10->51 dropped 17 vpn.exe 8 10->17         started        19 4.exe 4 10->19         started        process5 file6 23 cmd.exe 1 17->23         started        43 C:\Users\user\AppData\...\SmartClock.exe, PE32 19->43 dropped 67 Obfuscated command line found 19->67 26 SmartClock.exe 19->26         started        signatures7 process8 signatures9 69 Submitted sample is a known malware sample 23->69 71 Obfuscated command line found 23->71 73 Uses ping.exe to sleep 23->73 75 Uses ping.exe to check the status of other devices and networks 23->75 28 cmd.exe 3 23->28         started        31 conhost.exe 23->31         started        process10 signatures11 77 Obfuscated command line found 28->77 79 Uses ping.exe to sleep 28->79 33 PING.EXE 1 28->33         started        36 Esplorarne.exe.com 28->36         started        38 findstr.exe 1 28->38         started        process12 dnsIp13 53 127.0.0.1 unknown unknown 33->53 55 192.168.2.1 unknown unknown 33->55 40 Esplorarne.exe.com 36->40         started        process14 dnsIp15 57 rYHtYHrEKqvv.rYHtYHrEKqvv 40->57
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d47844ec0804c45feddfb89791832c4040754a703e46454cf571a2d30ac83124/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2021-06-08 03:18:06 UTC
File Type:
PE (Exe)
Extracted files:
31
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
056cc0e43fd5b75d6aaa8ab8651394428b1751c538b92aaa088ee3ff79efc20f
DanaBot
4b21de4f5c03de8e7e85bbdc317bd1050ba7bce099c1ba1cafb949ccadff90a2
DanaBot
6f8ce60168331070f8ca906c9c5e4d53e22b9b72a57c6e0c65bf6f83979d310f
DanaBot
7893541b010d78ca63a1f443f01f7f4100f1782eabfa486d53191d53646dd150
DanaBot
834ccdd87931ab88f011372377befbafda51abccff557c7dd3e01682580716fb
DanaBot
9bae907c90204ebf2ac85fe63e96ffb3422505631698ce9165053ab0125d1d9a
DanaBot
b459692e802efcbc858497ef0d54eb5f30d2ae75e703d4cb85ce29d895adc911
DanaBot
e2627edaef3e465cadfb84b250bc0d47cef26af5d2334e5f49ab38d8f919b511
DanaBot
e5dae08e748e408a4a256bd0c5d216281596a20399ea0127ac35b1661248b3ea
DanaBot
f2a7cc00ce9933490e51df2d5df9e7b0b2165c73297a9fa8a99fbf51b85926b8
DanaBot
+ 176 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot botnet:3 banker discovery spyware stealer trojan
Link:
https://tria.ge/reports/210608-jnav6951ga/
Behaviour
Checks processor information in registry
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Danabot
Malware Config
C2 Extraction:
184.95.51.183:443
184.95.51.175:443
192.210.198.12:443
184.95.51.180:443
Unpacked files
SH256 hash:
d40eba69e5753854a7ea0831a11d1abc0b7beff26057ff7fc9ea2e2f4fa65e8a
MD5 hash:
8aefcd0a0d67ac543b0cf0ddc3a69db3
SHA1 hash:
521931c650e0d6d91ae53495e2e1f71d8489e91c
Link:
https://www.unpac.me/results/c1227a20-0de2-4ee8-9399-f40b80a75bf2/
SH256 hash:
f3b60fa1bd14b7818fa1e643162ea3b66f47c6895f37a3da1a811d20c2703e0b
MD5 hash:
886217e7f27bada6782d83ed345a9bee
SHA1 hash:
fbdaea4bddd71d42d1fb3e931cb1d71e0760092d
Link:
https://www.unpac.me/results/c1227a20-0de2-4ee8-9399-f40b80a75bf2/
SH256 hash:
b252be13b3ae072c4d37583238b03e86f6ca71c829a2cac31051097b5a102884
MD5 hash:
78a0e1531665f8a37ecf738e1cf96c97
SHA1 hash:
930b71820375a8e41dcd25298d4b1e9a506a3566
Link:
https://www.unpac.me/results/c1227a20-0de2-4ee8-9399-f40b80a75bf2/
SH256 hash:
cae2af36f866fed9753ecc423bf1cfb3d1b5f2c3179dddc1715d6c896812d669
MD5 hash:
0fcc3d7408dfb7b31d8e36982dab298c
SHA1 hash:
6ebe13e8565ab5cfc7f8eac8973c156531b2a1e2
Link:
https://www.unpac.me/results/c1227a20-0de2-4ee8-9399-f40b80a75bf2/
SH256 hash:
d47844ec0804c45feddfb89791832c4040754a703e46454cf571a2d30ac83124
MD5 hash:
dba9d5c211d728da4b92e0064a445ecd
SHA1 hash:
30ba2ff291af1ee572f9eb9299b41d83157c1b83
Link:
https://www.unpac.me/results/c1227a20-0de2-4ee8-9399-f40b80a75bf2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d47844ec0804c45feddfb89791832c4040754a703e46454cf571a2d30ac83124

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe d47844ec0804c45feddfb89791832c4040754a703e46454cf571a2d30ac83124

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1339400/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/165263/

Comments