MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc8ecedc327784cd97120e221c7d85cad5ce6447ab181af99e71426117a5ea50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	dc8ecedc327784cd97120e221c7d85cad5ce6447ab181af99e71426117a5ea50
SHA3-384 hash:	58dc34c252feaa6d313e5552043f871e7978ed74688e3ed8e9227bd2b24e310e9199fed7edc6a428dd4da24744ca0ce5
SHA1 hash:	7798520b8e329d29652878dbacf54eab780adde9
MD5 hash:	c07f8b98e61d202f586fe4cf3b8b6aab
humanhash:	four-may-item-shade
File name:	c07f8b98e61d202f586fe4cf3b8b6aab.exe
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	1'147'392 bytes
First seen:	2021-08-09 09:31:44 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e4703f951d731209d4eda0f101cdb509 (3 x RaccoonStealer, 1 x DarkVNC, 1 x CryptBot)
ssdeep	24576:u8AYfVlQ4LbKu2OtVv0HruNV+bVLQa98L8XtAGDIvGb69A:u8Jfkru3nvCQwQa9dXtNUv
Threatray	3'567 similar samples on MalwareBazaar
TLSH	T1AA3523B029F0F472E4AB06B0759DD602FB75AC247F94062726963E3D6D73FD053A920A
dhash icon	1036787872767e36 (4 x DanaBot, 3 x Smoke Loader, 2 x RaccoonStealer)
Reporter	abuse_ch
Tags:	DanaBot exe

Intelligence

File Origin

# of uploads :

# of downloads :

348

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

c07f8b98e61d202f586fe4cf3b8b6aab.exe

Verdict:

Malicious activity

Analysis date:

2021-08-09 09:36:35 UTC

Tags:

trojan danabot

Link:

https://app.any.run/tasks/2fc1e183-91dd-4093-a984-08e7f68f532d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/177497/

Detection(s):

Win.Packed.Filerepmalware-9884745-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Enabling the 'hidden' option for recently created files

Launching a process

Creating a process with a hidden window

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/110fe2be-1cef-45db-943f-b1067fab4c71

Result

Threat name:

DanaBot

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/829186

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected DanaBot stealer dll

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dc8ecedc327784cd97120e221c7d85cad5ce6447ab181af99e71426117a5ea50/

Threat name:

Win32.Ransomware.Aicat

Status:

Malicious

First seen:

2021-08-09 01:04:43 UTC

AV detection:

15 of 28 (53.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3shm5xbso6cm3fysbyrby7mfzlk44zchvmmbv6m6ofbgcf5f5jia._file

Verdict:

unknown

Result

Malware family:

danabot

Score:

10/10

Tags:

family:danabot banker trojan

Link:

https://tria.ge/reports/210809-5mqkph35ma/

Behaviour

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Loads dropped DLL

Blocklisted process makes network request

Danabot

Danabot Loader Component

Malware Config

C2 Extraction:

142.11.244.124:443
142.11.206.50:443

Unpacked files

SH256 hash:

971185ac1a90b720446b38e8ae74ec5cd4809b09d1e1ed422883db977ddab316

MD5 hash:

978ca1ee18d48f8200390cb0df026c9a

SHA1 hash:

c5e7f7316504e2d80999a42b80d127774167ce88

Link:

https://www.unpac.me/results/40a5b078-00fa-4a67-bda3-1b93561a87d5/

SH256 hash:

3509c78450e4c8271d62f1a3b5a484f8f90a4af3b0f1a7144b951b09e4f1dd42

MD5 hash:

ccfd58dcbf3cff3d1e450ffc44f3f596

SHA1 hash:

58c062b087c81803a5fe065d1b2c2ec8c935bf85

Link:

https://www.unpac.me/results/40a5b078-00fa-4a67-bda3-1b93561a87d5/

SH256 hash:

dc8ecedc327784cd97120e221c7d85cad5ce6447ab181af99e71426117a5ea50

MD5 hash:

c07f8b98e61d202f586fe4cf3b8b6aab

SHA1 hash:

7798520b8e329d29652878dbacf54eab780adde9

Link:

https://www.unpac.me/results/40a5b078-00fa-4a67-bda3-1b93561a87d5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/dc8ecedc327784cd97120e221c7d85cad5ce6447ab181af99e71426117a5ea50

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

exe dc8ecedc327784cd97120e221c7d85cad5ce6447ab181af99e71426117a5ea50

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1495647/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/1461110/

URLhaus

https://urlhaus.abuse.ch/url/1467030/

URLhaus

https://urlhaus.abuse.ch/url/1490082/

Cape

https://www.capesandbox.com/analysis/177497/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample