MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e12472ea051ad0b73a8166ca2cb539168f89bfb1e12130a916df605a88423b31. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	e12472ea051ad0b73a8166ca2cb539168f89bfb1e12130a916df605a88423b31
SHA3-384 hash:	6956c47a02beffc05439441ed5fcfd843b732fedb6b3b76a2eaf37d2233975e2f54bff4decfa0f187bd100d902baa9ec
SHA1 hash:	6e10f407dc8faa4879bf2ab0f28fbeeada5d4033
MD5 hash:	44baf71c2210174d6a9de973f5f02c9f
humanhash:	charlie-october-fruit-diet
File name:	44baf71c2210174d6a9de973f5f02c9f.exe
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	1'117'184 bytes
First seen:	2021-10-13 09:38:02 UTC
Last seen:	2021-10-13 11:24:29 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	c8c17e47eb07afabbfe8e635fca5ad02 (3 x Smoke Loader, 1 x DanaBot, 1 x RedLineStealer)
ssdeep	24576:/bxjt/UTmNUew84fUfA+yo8T/6L0REVLCiH062cchSZH8f:7BN3FyYZCijIm6
Threatray	6'412 similar samples on MalwareBazaar
TLSH	T1823523547291C0BAC2C711BC4A35CBA45FBBB8A0967595CB371C393F2EE07C1A6A6335
File icon (PE):
dhash icon	81bcdcac9cccb484 (4 x RedLineStealer, 2 x DanaBot, 1 x CryptBot)
Reporter	abuse_ch
Tags:	DanaBot exe

Intelligence

File Origin

# of uploads :

# of downloads :

303

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

44baf71c2210174d6a9de973f5f02c9f.exe

Verdict:

Malicious activity

Analysis date:

2021-10-13 10:07:21 UTC

Tags:

trojan danabot

Link:

https://app.any.run/tasks/fe13b31b-a3b3-4887-aba2-b682ad54ba32

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

DanaBot

Link:

https://www.capesandbox.com/analysis/197157/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.47164811.22820.19439.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Enabling the 'hidden' option for recently created files

Launching a process

Creating a process with a hidden window

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/783d6f58-c344-4ad7-a3f2-87cf2babef92

Result

Threat name:

DanaBot

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/869502

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected DanaBot stealer dll

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e12472ea051ad0b73a8166ca2cb539168f89bfb1e12130a916df605a88423b31/

Threat name:

Win32.Trojan.Fragtor

Status:

Malicious

First seen:

2021-10-12 19:46:53 UTC

AV detection:

14 of 28 (50.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=4eshf2qfdlilooubm3fcznjzc2hytp5r4eqtbkiw35qfvccchmyq._file

Verdict:

malicious

Result

Malware family:

danabot

Score:

10/10

Tags:

family:danabot banker trojan

Link:

https://tria.ge/reports/211013-ll3lradhe2/

Behaviour

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Loads dropped DLL

Blocklisted process makes network request

Danabot

Malware Config

C2 Extraction:

192.119.110.73:443
192.236.147.159:443
192.210.222.88:443

Unpacked files

SH256 hash:

da6ae8a8934b78029d3a1668bf39f301249b42bb5361ac36a0667a91bcb6c07b

MD5 hash:

391cad1ce8d352de0140236b1eb447aa

SHA1 hash:

128ffa2bdd5b90fcffd476943cabe22b9c5ffab0

Link:

https://www.unpac.me/results/0f6a17e1-ee6a-499f-90ad-662d9e68b1a8/

SH256 hash:

bfde20ac430df73221856e5d1225e47a670e04da640f782616884a28b3978b18

MD5 hash:

573e473d4f3fc0c175f6247e7dbd4e04

SHA1 hash:

7afa860e2d62c4a9e11b64502ffd0a6933670af0

Link:

https://www.unpac.me/results/0f6a17e1-ee6a-499f-90ad-662d9e68b1a8/

SH256 hash:

e12472ea051ad0b73a8166ca2cb539168f89bfb1e12130a916df605a88423b31

MD5 hash:

44baf71c2210174d6a9de973f5f02c9f

SHA1 hash:

6e10f407dc8faa4879bf2ab0f28fbeeada5d4033

Link:

https://www.unpac.me/results/0f6a17e1-ee6a-499f-90ad-662d9e68b1a8/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e12472ea051ad0b73a8166ca2cb539168f89bfb1e12130a916df605a88423b31

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

exe e12472ea051ad0b73a8166ca2cb539168f89bfb1e12130a916df605a88423b31

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1660814/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/1640605/

Cape

https://www.capesandbox.com/analysis/197157/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample