MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dec76ba0a613b70fe6a85f8eef108ca0df5ff8b024ecb0d1fec5294715ff5b8a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments 1

SHA256 hash:	dec76ba0a613b70fe6a85f8eef108ca0df5ff8b024ecb0d1fec5294715ff5b8a
SHA3-384 hash:	b309897f023d9a5d53a7f8ec5b041f93243b60277a52a95dcf65b38511f3196eb316cf7a451acaae82c1f528503791dd
SHA1 hash:	d0f86a7b2876a022f12c647e89cfe4cabf03288b
MD5 hash:	38b6967e601ce8fe3006082d82d53388
humanhash:	three-four-idaho-jupiter
File name:	38b6967e601ce8fe3006082d82d53388
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	1'893'376 bytes
First seen:	2021-11-28 21:31:42 UTC
Last seen:	2021-11-28 23:35:14 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	035366dbe4451a3f903c8db46fbcc1d0 (2 x ArkeiStealer, 1 x DanaBot, 1 x Smoke Loader)
ssdeep	49152:IaipjqyFSTYUvffHsw34b99xCWwcENhvOHjI5pdM9Q:UDmHswopCWwcELwjE5
Threatray	7'769 similar samples on MalwareBazaar
TLSH	T1F2952214B7B0D030F6F316F4697A93D8792E3AB067B894CF62E406EA5A646E4DC30753
File icon (PE):
dhash icon	b2dacabecee6baa6 (148 x RedLineStealer, 145 x Stop, 100 x Smoke Loader)
Reporter	zbetcheckin
Tags:	32 DanaBot exe

Intelligence

File Origin

# of uploads :

# of downloads :

457

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

38b6967e601ce8fe3006082d82d53388

Verdict:

Malicious activity

Analysis date:

2021-11-28 21:35:21 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/68780697-cbf2-48ec-9522-3921c274e914

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.14660.13031.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Searching for the window

Creating a file

Enabling the 'hidden' option for recently created files

DNS request

Sending a custom TCP request

Launching a process

Creating a process with a hidden window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/61a3f556effcae2254f3ca40/reports/4ce3d972-f748-4651-8540-92dcf49dc6d7/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b07988e9-6f74-4e9d-aec8-b177b4fffb02

Result

Threat name:

DanaBot

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/897539

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected DanaBot stealer dll

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dec76ba0a613b70fe6a85f8eef108ca0df5ff8b024ecb0d1fec5294715ff5b8a/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2021-11-28 21:32:20 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 28 (92.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=33dwxifgco3q7zvil6ho6eemudpv76fqetwlbup6yuuuofp7lofa._file

Verdict:

malicious

DanaBot

2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd

DanaBot

683b04f3c9da73d16abbe0fa72b538b5285bf33638d8ec2d426cf83c5844bbf1

DanaBot

910a3ea5bf49de9ba90a34c36825736573c3ab5bff42b4c74acd0d01944a0749

DanaBot

9e7e65a46ba0dfc2eb7e8b861aca709a94fa9f9bd969765b2e4864b6ee391507

DanaBot

a5437c7d1711d9ef40881b429e3b308c5e3d6b94da15aa1b20f5c64ecbe49848

DanaBot

aaba33fbea2a90c26205589be2807c7f04b571e5b410b06bc6555224392e18e7

DanaBot

cfcfe2a6f304ec880209f8b7a20ab8f58010dfbfbb13b8be419db3018f61d6cb

DanaBot

d25a0431bbf834e845cd7dea3fab2c09b0d116ccd2aa7f58f21ffb7ad81fb470

DanaBot

+ 7'759 additional samples on MalwareBazaar

Result

Malware family:

danabot

Score:

10/10

Tags:

family:danabot banker trojan

Link:

https://tria.ge/reports/211128-1dmb5adga3/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Loads dropped DLL

Danabot

Danabot Loader Component

Suspicious use of NtCreateProcessExOtherParentProcess

Malware Config

C2 Extraction:

142.11.244.223:443
23.106.122.139:443

Unpacked files

SH256 hash:

d19f5856ea48d979e7decef48189b676c14e4f29dd3d35fc713335cd25a5843d

MD5 hash:

4559ed2026a0a7b3597d83cfdf21469e

SHA1 hash:

b28788d3bf5b49f062b97e0e1771ce4a1fc46e94

Link:

https://www.unpac.me/results/8f2192e2-aabf-4987-8cf8-8f10c8deece8/

SH256 hash:

6aa90aef1fad968c4d84be984286efc3356fa893b0deaebb269d59d6532737a8

MD5 hash:

be7de22779386d1b6d151ed130596990

SHA1 hash:

52a41eb10e3e98c51d5b8e435a2f529c774d464d

Link:

https://www.unpac.me/results/8f2192e2-aabf-4987-8cf8-8f10c8deece8/

SH256 hash:

dec76ba0a613b70fe6a85f8eef108ca0df5ff8b024ecb0d1fec5294715ff5b8a

MD5 hash:

38b6967e601ce8fe3006082d82d53388

SHA1 hash:

d0f86a7b2876a022f12c647e89cfe4cabf03288b

Link:

https://www.unpac.me/results/8f2192e2-aabf-4987-8cf8-8f10c8deece8/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/dec76ba0a613b70fe6a85f8eef108ca0df5ff8b024ecb0d1fec5294715ff5b8a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

exe dec76ba0a613b70fe6a85f8eef108ca0df5ff8b024ecb0d1fec5294715ff5b8a

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/1772785/

URLhaus

https://urlhaus.abuse.ch/url/1829756/

URLhaus

https://urlhaus.abuse.ch/url/1829831/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2021-11-28 21:31:43 UTC

url : hxxp://152.89.247.172/report.exe