MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d7ba71505cb245cf7f24e533bf20118d7c50c206ec8c907f66a84bb32b8c3d24. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	d7ba71505cb245cf7f24e533bf20118d7c50c206ec8c907f66a84bb32b8c3d24
SHA3-384 hash:	0512013405851b4abf985769a53494a81bd209e768676c2db93e9c13fa2162ba4be27ef7a2679b59c133ed760b4b6e6a
SHA1 hash:	b239a2cc9964e0ed2606ebd2597e5382f1bd7f27
MD5 hash:	f667382190dc62fe9f06aaec42f12d8b
humanhash:	cola-missouri-island-mexico
File name:	f667382190dc62fe9f06aaec42f12d8b.exe
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	1'186'816 bytes
First seen:	2021-08-22 15:02:48 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	535299e581f29afc654ac18a997959f4 (5 x RedLineStealer, 2 x RaccoonStealer, 1 x CryptBot)
ssdeep	24576:HhYEzdB1MLwtSvyQZrIE9dbSwWwigNz46s5swWG9T5eABq:HrB1TAvyQZsE7SgNznsVW0EAY
Threatray	4'274 similar samples on MalwareBazaar
TLSH	T1FD451230BAA4C138E1F701B4157DE3A9A6247A716F3014CB62C716EEA6772E4DD3079B
dhash icon	ead8ac9cc6e68ee0 (118 x RaccoonStealer, 102 x RedLineStealer, 46 x Smoke Loader)
Reporter	abuse_ch
Tags:	DanaBot exe

Intelligence

File Origin

# of uploads :

# of downloads :

1'601

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

f667382190dc62fe9f06aaec42f12d8b.exe

Verdict:

Malicious activity

Analysis date:

2021-08-22 15:05:18 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/bc8ca538-9b2a-4a4c-89c4-cb6b51bd6265

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/181269/

Detection(s):

Win.Packed.Generic-9887643-0

Win.Packed.Generic-9887679-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Enabling the 'hidden' option for recently created files

Sending a UDP request

Launching a process

Creating a process with a hidden window

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/28ce0584-e1d6-47b7-a1c7-7eae73ea9e97

Result

Threat name:

DanaBot

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/837088

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected DanaBot stealer dll

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d7ba71505cb245cf7f24e533bf20118d7c50c206ec8c907f66a84bb32b8c3d24/

Threat name:

Win32.Ransomware.Stop

Status:

Malicious

First seen:

2021-08-22 08:02:04 UTC

AV detection:

23 of 46 (50.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=265hcuc4wjc467ze4uz36iarrv6fbqqg5sgja73gvbf3gk4mhusa._file

Verdict:

unknown

Result

Malware family:

danabot

Score:

10/10

Tags:

family:danabot banker trojan

Link:

https://tria.ge/reports/210822-61v296d2ee/

Behaviour

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Loads dropped DLL

Blocklisted process makes network request

Danabot

Danabot Loader Component

Malware Config

C2 Extraction:

23.229.29.48:443
192.210.222.81:443

Unpacked files

SH256 hash:

fa8ec61f3c8916570719443d21e951d7448e8aed5dfec08d12630a9e2b0c0168

MD5 hash:

df22287112f5a87365dd26ddfec3e880

SHA1 hash:

9974f639e76a4936757c453eef7b075fae3a96a4

Link:

https://www.unpac.me/results/9e2c6ce8-fb9f-44b9-85ba-fc5e23c0b799/

SH256 hash:

d452a8356d08b39885ad7320217b4d31faf4f9cd0edfed4921905c87e218b520

MD5 hash:

1c1d2eb3a80c0506ee52cd00bcbcbd20

SHA1 hash:

40371b1fd2af5faa2ae7be014db3a2c84451189d

Link:

https://www.unpac.me/results/9e2c6ce8-fb9f-44b9-85ba-fc5e23c0b799/

SH256 hash:

d7ba71505cb245cf7f24e533bf20118d7c50c206ec8c907f66a84bb32b8c3d24

MD5 hash:

f667382190dc62fe9f06aaec42f12d8b

SHA1 hash:

b239a2cc9964e0ed2606ebd2597e5382f1bd7f27

Link:

https://www.unpac.me/results/9e2c6ce8-fb9f-44b9-85ba-fc5e23c0b799/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d7ba71505cb245cf7f24e533bf20118d7c50c206ec8c907f66a84bb32b8c3d24

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

exe d7ba71505cb245cf7f24e533bf20118d7c50c206ec8c907f66a84bb32b8c3d24

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1495647/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/1490082/

URLhaus

https://urlhaus.abuse.ch/url/1552888/

Cape

https://www.capesandbox.com/analysis/181269/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample