MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec655b1ee274490143454b9d1d2cf42d4629bd17cdd6f64787b2568e1a444489. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	ec655b1ee274490143454b9d1d2cf42d4629bd17cdd6f64787b2568e1a444489
SHA3-384 hash:	798e37d6f62d2fba4c5631f272ee484e45438a8fbad0b12315c98b4ad4d5ae85301f7966b9114c078d8f1e8422fba643
SHA1 hash:	feead5c4db40dff36a62abc734fab5b61ff62cef
MD5 hash:	62533abfa160caa12b9965e649d90ce5
humanhash:	batman-east-kansas-low
File name:	62533abfa160caa12b9965e649d90ce5.exe
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	1'101'824 bytes
First seen:	2021-08-16 11:41:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	675f985c31bb43cb925f7664d8fe06b7 (7 x Smoke Loader, 4 x DanaBot, 2 x RedLineStealer)
ssdeep	24576:ZOHAxlvO5FAJXrpO9zVQmw9ytO9ga478hsl1VnCBVEhyp:EAxBOXAJXrpOjQV9AP8cAcy
Threatray	3'929 similar samples on MalwareBazaar
TLSH	T11335236D111F9175C30133B04177DB5C99A66B20EA2354BF57A927AE8C30FF01AE6BB8
dhash icon	4839b2b4e8c38890 (137 x RaccoonStealer, 37 x Smoke Loader, 30 x RedLineStealer)
Reporter	abuse_ch
Tags:	DanaBot exe

Intelligence

File Origin

# of uploads :

# of downloads :

291

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

62533abfa160caa12b9965e649d90ce5.exe

Verdict:

Malicious activity

Analysis date:

2021-08-16 11:43:14 UTC

Tags:

trojan danabot

Link:

https://app.any.run/tasks/cde6c630-6955-4f72-a2fc-8ccf30cddb86

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

DanaBot

Link:

https://www.capesandbox.com/analysis/179511/

Detection(s):

Win.Dropper.Jaik-9886409-0

Win.Malware.Filerepmalware-9886452-0

Win.Malware.Generic-9886453-0

Win.Malware.Filerepmalware-9886465-0

Win.Malware.Filerepmalware-9886466-0

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Creating a file

Enabling the 'hidden' option for recently created files

Launching a process

Creating a process with a hidden window

Sending a UDP request

Creating a window

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/14febcd7-60ea-4c73-9261-5bac09f13fce

Result

Threat name:

DanaBot

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/833457

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected DanaBot stealer dll

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ec655b1ee274490143454b9d1d2cf42d4629bd17cdd6f64787b2568e1a444489/

Threat name:

Win32.Trojan.Caynamer

Status:

Malicious

First seen:

2021-08-15 19:26:02 UTC

AV detection:

16 of 28 (57.14%)

Threat level:

5/5

Verdict:

unknown

Result

Malware family:

danabot

Score:

10/10

Tags:

family:danabot banker trojan

Link:

https://tria.ge/reports/210816-bhkpvn2we2/

Behaviour

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Loads dropped DLL

Blocklisted process makes network request

Danabot

Danabot Loader Component

Unpacked files

SH256 hash:

c8560362095307b958f3d61df607df75fae9564aa1aa9b2928f90bac5b3f3f2d

MD5 hash:

5b96bf11b91c3b2e249095a094ac7ddd

SHA1 hash:

f233b034a4edaf8effd63d628dad6768f22fd900

Link:

https://www.unpac.me/results/43fe9b61-1bca-46fd-92cd-3b4b4aa2d4d4/

SH256 hash:

d9e0fda10ef217cb8ac6f3827b66b8737ac48d1f576653d3f0d361807fa430fc

MD5 hash:

32e55ca84f2674bd31d771ac93326c1b

SHA1 hash:

d63e2759b8410f4ea8cd7e15179c4ae48758b784

Link:

https://www.unpac.me/results/43fe9b61-1bca-46fd-92cd-3b4b4aa2d4d4/

SH256 hash:

ec655b1ee274490143454b9d1d2cf42d4629bd17cdd6f64787b2568e1a444489

MD5 hash:

62533abfa160caa12b9965e649d90ce5

SHA1 hash:

feead5c4db40dff36a62abc734fab5b61ff62cef

Link:

https://www.unpac.me/results/43fe9b61-1bca-46fd-92cd-3b4b4aa2d4d4/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ec655b1ee274490143454b9d1d2cf42d4629bd17cdd6f64787b2568e1a444489

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

exe ec655b1ee274490143454b9d1d2cf42d4629bd17cdd6f64787b2568e1a444489

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1495647/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/1461110/

URLhaus

https://urlhaus.abuse.ch/url/1490082/

Cape

https://www.capesandbox.com/analysis/179511/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample