MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d4af0c3cc5fb2391aa0746e5b6d35fccc4141f1e63e10e9a908d250c6ae75ebf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	d4af0c3cc5fb2391aa0746e5b6d35fccc4141f1e63e10e9a908d250c6ae75ebf
SHA3-384 hash:	33fbe086110251112ff5e92daaabc34bad559bcf23f75c69bf57448ad62117f5caf7f55390feff4cb2a59df10ddb2a0b
SHA1 hash:	5e649d7e96644b26bbe9ac49885bab651d4e279a
MD5 hash:	67bfbb82f21c792ce7ee27d42e255823
humanhash:	sink-wisconsin-sink-hamper
File name:	67bfbb82f21c792ce7ee27d42e255823.exe
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	1'229'824 bytes
First seen:	2021-07-31 16:22:04 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	eb2f40e51535c668cf15c01b7c764af0 (2 x DanaBot, 1 x RedLineStealer)
ssdeep	24576:iAVpRRCWelZGpxl2T0Qb8+LlkDZUfFrzVLDKBvgHNI:MDfGpx8b8ml7FrVDKBANI
Threatray	3'168 similar samples on MalwareBazaar
TLSH	T1AD451230AB90D039F4F752F455B9E369B82C7EA15B3450CF52D62AED16385E8AC3078B
dhash icon	ead8ac9cc6e68ea0 (38 x RaccoonStealer, 18 x RedLineStealer, 12 x Smoke Loader)
Reporter	abuse_ch
Tags:	DanaBot exe

Intelligence

File Origin

# of uploads :

# of downloads :

851

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

67bfbb82f21c792ce7ee27d42e255823.exe

Verdict:

Malicious activity

Analysis date:

2021-07-31 16:24:01 UTC

Tags:

trojan danabot

Link:

https://app.any.run/tasks/5e5217e0-9df5-4412-a104-ab15581ff408

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/175492/

Detection(s):

Win.Malware.Generic-9882834-0

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f29acef3-228a-4d2c-82d7-5e54cb1cd4c5

Result

Threat name:

DanaBot

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/824940

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected DanaBot stealer dll

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d4af0c3cc5fb2391aa0746e5b6d35fccc4141f1e63e10e9a908d250c6ae75ebf/

Threat name:

Win32.Backdoor.Mokes

Status:

Malicious

First seen:

2021-07-31 06:51:53 UTC

AV detection:

19 of 28 (67.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2sxqypgf7mrzdkqhi3s3nu27ztcbihy6mpqq5guqrusqy2xhl27q._file

Verdict:

unknown

DanaBot

69fac4fe77b6da550498724f01e6db66d5c18a19c185d824bf62afdaccb0a7d6

DanaBot

853ece062f75bc68b24c5ee05093b3c344787fbbeba3006146e1b1186738dabb

DanaBot

8f71fca5621ccb7ba3558cfebc17014d27923d1c73ad97ececb577fd5b937047

DanaBot

8fa3eaa46c7d8d1f44a2eeca895f802f2aa7a2251bab347ccb765c72d63ccb58

DanaBot

b48cf1854b8ff73a0bb9d4e54b5811ea3ac7a5d3e0c6c57f8825a4de396f36cc

DanaBot

c3cb419c2c74276267a476c49fbda1b8e7700cbf03de07e4bf46523b095bbe2e

DanaBot

d876e1d5484e794c97573bb5e21ccd4cbb0d82abb2af83c2e4bb765caad8d43e

DanaBot

dab48eb20191f37e19aed12dc58640ab40957cec26dc3fa63a88f70decbd875c

DanaBot

+ 3'158 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/210731-bjfykmlp6j/

Behaviour

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Loads dropped DLL

Blocklisted process makes network request

Unpacked files

SH256 hash:

0fce6ee0dd14be7c83b7a439e9a2fcf80d460a60f18482e1380815f18b94dc73

MD5 hash:

d18b4f6b2d0527ea70db5fdbe2ca69d2

SHA1 hash:

f4c8d38461853ff215df6cc2edfaf9c5d59399e8

Link:

https://www.unpac.me/results/b5c2c8d3-c95a-4e3f-a22c-a154bac0242e/

SH256 hash:

6f513427749d9e2bd24d41db121cc57ac41d42f8458201fcbd020813627b4aca

MD5 hash:

4232b4ad449f96f163005816ba20faab

SHA1 hash:

02827bb8566ed72d7cb1825dba2110c0b7cc4626

Link:

https://www.unpac.me/results/b5c2c8d3-c95a-4e3f-a22c-a154bac0242e/

SH256 hash:

d4af0c3cc5fb2391aa0746e5b6d35fccc4141f1e63e10e9a908d250c6ae75ebf

MD5 hash:

67bfbb82f21c792ce7ee27d42e255823

SHA1 hash:

5e649d7e96644b26bbe9ac49885bab651d4e279a

Link:

https://www.unpac.me/results/b5c2c8d3-c95a-4e3f-a22c-a154bac0242e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d4af0c3cc5fb2391aa0746e5b6d35fccc4141f1e63e10e9a908d250c6ae75ebf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

exe d4af0c3cc5fb2391aa0746e5b6d35fccc4141f1e63e10e9a908d250c6ae75ebf

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1461110/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/1490082/

URLhaus

https://urlhaus.abuse.ch/url/1467030/

Cape

https://www.capesandbox.com/analysis/175492/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample