MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df16940f38135c9dfa808b7f19348339deca912fe54331b2dd739decdf37d9e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	df16940f38135c9dfa808b7f19348339deca912fe54331b2dd739decdf37d9e0
SHA3-384 hash:	52a13c34690b7518b2d8ed25f2892f1995168c7249a54e0494aee4753a16b74873ea2ce245e68ac57e4f3b425410cfec
SHA1 hash:	7187578b50928cf0abfe29ba5d6046dbf784f23e
MD5 hash:	5fc6c8be8a7b7e71f529c1cc118de457
humanhash:	red-bluebird-mobile-autumn
File name:	5fc6c8be8a7b7e71f529c1cc118de457.exe
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	1'761'792 bytes
First seen:	2021-11-22 13:38:33 UTC
Last seen:	2021-11-22 15:49:36 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	13efcea70e0fb08d4f5ba0d5ad2ab09a (5 x RedLineStealer, 2 x DanaBot, 1 x ArkeiStealer)
ssdeep	49152:YzSJz8xNeu3kIamNwIIos8/OtH+b/pZb3:Ea4xAu0IaM5s8sH+b/
Threatray	7'414 similar samples on MalwareBazaar
TLSH	T10185332175E3C0B5D3271A741E788F52E4F63B31B974855D628A2E0B3F207C146ABB97
File icon (PE):
dhash icon	fcfcd4f4d4d4d8c0 (23 x RedLineStealer, 21 x RaccoonStealer, 6 x Smoke Loader)
Reporter	abuse_ch
Tags:	DanaBot exe

Intelligence

File Origin

# of uploads :

# of downloads :

448

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

5fc6c8be8a7b7e71f529c1cc118de457.exe

Verdict:

Malicious activity

Analysis date:

2021-11-22 13:59:21 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/da48f8ca-603c-4a03-913f-b96b01862a6a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Gathering data

Detection(s):

SecuriteInfo.com.Variant.Jaik.49486.13170.5907.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Launching a process

Creating a process with a hidden window

Searching for the window

Creating a file

Enabling the 'hidden' option for recently created files

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/619b9d7894a88037d2fe6c7c/reports/09e07fbb-df0c-4353-a59f-4e2797841789/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/926572b5-391d-4489-a483-b2b99aaf1c28

Result

Threat name:

DanaBot

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/893861

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected DanaBot stealer dll

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/df16940f38135c9dfa808b7f19348339deca912fe54331b2dd739decdf37d9e0/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2021-11-22 13:39:12 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 27 (77.78%)

Threat level:

5/5

Verdict:

malicious

Result

Malware family:

danabot

Score:

10/10

Tags:

family:danabot banker trojan

Link:

https://tria.ge/reports/211122-qxy5xsafa2/

Behaviour

Suspicious use of WriteProcessMemory

Loads dropped DLL

Danabot

Malware Config

C2 Extraction:

142.11.244.223:443
23.106.122.139:443

Unpacked files

SH256 hash:

97fe0667786d5853ea0173d9a59c734d64d82931fe82ee2ca14efef69241ad21

MD5 hash:

0007ea875d592f1a9badc6c6859347d3

SHA1 hash:

8a785b2791225561464ae27faed59a2405a97368

Link:

https://www.unpac.me/results/694504d4-b0c4-4bcd-af9b-0667ef398768/

SH256 hash:

169f23ee544cf8a10f5f487bee86a83f23b0e59790f2845715dd3907061845fb

MD5 hash:

15dd4a8f24c47d65a9588128a20ba113

SHA1 hash:

6aa8f745f5d85df9bcaadf85f665d8e9a242f3a0

Link:

https://www.unpac.me/results/694504d4-b0c4-4bcd-af9b-0667ef398768/

SH256 hash:

df16940f38135c9dfa808b7f19348339deca912fe54331b2dd739decdf37d9e0

MD5 hash:

5fc6c8be8a7b7e71f529c1cc118de457

SHA1 hash:

7187578b50928cf0abfe29ba5d6046dbf784f23e

Link:

https://www.unpac.me/results/694504d4-b0c4-4bcd-af9b-0667ef398768/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/df16940f38135c9dfa808b7f19348339deca912fe54331b2dd739decdf37d9e0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

exe df16940f38135c9dfa808b7f19348339deca912fe54331b2dd739decdf37d9e0

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1772785/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/208191/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample