MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e193dfbcdb555583dad685396a2fc9d628223f4d611d0f9a93bbda3ef5fff3e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e193dfbcdb555583dad685396a2fc9d628223f4d611d0f9a93bbda3ef5fff3e5
SHA3-384 hash: 5e27804f244285c9bc0625a12cd122700ff4fe3e735dd49b2d077cab02954b8c821a4ae74ed9c1e025aa856d60babf87
SHA1 hash: a530fd1f3ae7d889bdc12f1864b270f54dfac877
MD5 hash: 24feff91c304f8d87a72178f41238df3
humanhash: floor-vegan-monkey-spaghetti
File name:24feff91c304f8d87a72178f41238df3
Download: download sample
Signature DanaBot
Create hunting rule
File size:8'849'408 bytes
First seen:2022-10-22 13:17:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 620df7f1397c0c9696f14e115c5d0ca6 (6 x Smoke Loader, 3 x CoinMiner, 3 x RedLineStealer)
ssdeep 196608:MEGgf8oh2xtZegbSEvMNaz6Hvq46ny55i/Tx9tMs2JDz6lrSCFHBuUr:MoklegbBzzMm4i3Ws0DeZSCBBPr
TLSH T1219633A2BB01F961D79F987088E0F5D3E3B8A5105068D94D73701AEE6E703BA34B7395
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 480c1c5c4b594914 (3 x Smoke Loader, 1 x RecordBreaker, 1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
307
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
24feff91c304f8d87a72178f41238df3
Verdict:
No threats detected
Analysis date:
2022-10-22 13:21:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d576e5c6-bab8-4157-b697-e6919bd3ff54

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/322666/
Detection(s):
Win.Dropper.Tofsee-9975524-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6353ed8a7f72336a8d62a589/reports/1616ff6f-d54d-431b-b271-55292d209467/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/205b9ef3-f023-4570-aa10-3e4364896522
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad.expl
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1095516
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e193dfbcdb555583dad685396a2fc9d628223f4d611d0f9a93bbda3ef5fff3e5/
Threat name:
Win32.Trojan.Tiggre
Create hunting rule
Status:
Malicious
First seen:
2022-10-22 14:15:01 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4gj57pg3kvkyhwwwqu4wul6j2yucep2nmeoq7gutxpnd55p76psq._file
Verdict:
malicious
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot banker spyware stealer trojan
Link:
https://tria.ge/reports/221022-qjx1psddel/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Enumerates connected drives
Reads user/profile data of web browsers
Blocklisted process makes network request
Danabot
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c4b30cf9-7e36-426c-a84e-abb3aad73015
Unpacked files
SH256 hash:
9bd2f10b8179e0f8a4302ac65acc806f0e1319f36ed7e93b629fb42fb625f5af
MD5 hash:
c2a3c887a9bf416d7c7792b5554f519a
SHA1 hash:
4625281de67c8f37f9bc22efb2f5ba8b9838e1b8
Link:
https://www.unpac.me/results/f420c428-64b1-4510-b193-f5032ccdc700/
SH256 hash:
e193dfbcdb555583dad685396a2fc9d628223f4d611d0f9a93bbda3ef5fff3e5
MD5 hash:
24feff91c304f8d87a72178f41238df3
SHA1 hash:
a530fd1f3ae7d889bdc12f1864b270f54dfac877
Link:
https://www.unpac.me/results/f420c428-64b1-4510-b193-f5032ccdc700/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e193dfbcdb55/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e193dfbcdb555583dad685396a2fc9d628223f4d611d0f9a93bbda3ef5fff3e5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:win_danabot_cdf38827
Create hunting rule
Author:Johannes Bader
Description:detects DanaBot

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe e193dfbcdb555583dad685396a2fc9d628223f4d611d0f9a93bbda3ef5fff3e5

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2381719/
Cape
Cape
https://www.capesandbox.com/analysis/322666/

Comments


Avatar
zbet commented on 2022-10-22 13:17:57 UTC

url : hxxp://146.19.173.208/lonjek.exe