MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec7db23abe0578993c032c1c962db58d72bc1cdcb8401d33e60e92f784defb75. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ec7db23abe0578993c032c1c962db58d72bc1cdcb8401d33e60e92f784defb75
SHA3-384 hash: 711b4cda8f2bdd3b183b6c3c224906afb5da928fb32c8c3571681ee8391f2783a5d3c4b2dc2fdc559de109d9d1df9792
SHA1 hash: 57871e28d04d19bb2f99cfacdc844073418c0d7c
MD5 hash: 845615bf78874fa55758ce6fa4b36084
humanhash: fifteen-mirror-table-happy
File name:SecuriteInfo.com.Trojan.Coins.Win32.5986.15363.1750
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'189'347 bytes
First seen:2021-04-08 15:56:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 24576:2L714m4tF/05HPLfV+nw8YQArORyihNkVvUurQ0oqjW6ab:K71H4c5v5+vYQfyiND6ab
Threatray 113 similar samples on MalwareBazaar
TLSH 94452366BA8B4EB7F0B34E722524A5529973FC708731D33BB69039D8381D291E970772
Reporter SecuriteInfoCom
Tags:DanaBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
405
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
64ebbca7f69233721df621f56d169ed2.exe
Verdict:
Malicious activity
Analysis date:
2021-04-08 16:06:27 UTC
Tags:
stealer trojan loader
Link:
https://app.any.run/tasks/8915a518-1c06-4d17-bd41-63d6e931dea2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/133257/
Detection(s):
SecuriteInfo.com.Trojan.Coins.Win32.5986.15363.1750.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Deleting a recently created file
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Launching a process
Creating a process with a hidden window
Sending a UDP request
Running batch commands
Launching cmd.exe command interpreter
DNS request
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/670468
Signature
Contains functionality to register a low level keyboard hook
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 384177 Sample: SecuriteInfo.com.Trojan.Coi... Startdate: 08/04/2021 Architecture: WINDOWS Score: 92 58 Multi AV Scanner detection for submitted file 2->58 60 Detected unpacking (changes PE section rights) 2->60 62 Detected unpacking (overwrites its own PE header) 2->62 64 4 other signatures 2->64 10 SecuriteInfo.com.Trojan.Coins.Win32.5986.15363.exe 19 2->10         started        13 SmartClock.exe 2->13         started        15 SmartClock.exe 2->15         started        process3 file4 46 C:\Users\user\AppData\Local\Temp\...\vpn.exe, PE32 10->46 dropped 48 C:\Users\user\AppData\Local\Temp\...\4.exe, PE32 10->48 dropped 50 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 10->50 dropped 17 vpn.exe 7 10->17         started        19 4.exe 4 10->19         started        process5 file6 22 cmd.exe 1 17->22         started        25 dllhost.exe 17->25         started        44 C:\Users\user\AppData\...\SmartClock.exe, PE32 19->44 dropped 27 SmartClock.exe 19->27         started        process7 signatures8 66 Submitted sample is a known malware sample 22->66 68 Obfuscated command line found 22->68 70 Uses ping.exe to sleep 22->70 72 Uses ping.exe to check the status of other devices and networks 22->72 29 cmd.exe 3 22->29         started        32 conhost.exe 22->32         started        process9 signatures10 74 Obfuscated command line found 29->74 76 Uses ping.exe to sleep 29->76 34 PING.EXE 1 29->34         started        37 Osato.exe.com 29->37         started        39 findstr.exe 1 29->39         started        process11 dnsIp12 52 127.0.0.1 unknown unknown 34->52 54 192.168.2.1 unknown unknown 34->54 41 Osato.exe.com 37->41         started        process13 dnsIp14 56 ntEcUNaDbasrbEJM.ntEcUNaDbasrbEJM 41->56
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ec7db23abe0578993c032c1c962db58d72bc1cdcb8401d33e60e92f784defb75/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-04-08 14:59:08 UTC
File Type:
PE (Exe)
Extracted files:
34
AV detection:
21 of 48 (43.75%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
10c0f1080840ab3cf7fd69f80a6b821a6f95cb7b57a7e43dfb757e9df598c18a
DanaBot
135df51a2c255ab6c3614bc8ed4a32fdffbdf149e1f290bd845f08d8b77ec39a
DanaBot
26e294b557033c04b7a9039b6e2ef1ec35f8c3ec1a06be3d7b73ddd3ff10395c
DanaBot
39a27d15f3d6175331a974825a440d7475187bae0c133a48a1a5155b49a82537
DanaBot
76386b4c6c46b36b26d9ce00df7982d461bcd1a7586dde62cd831349d0aa3a4b
DanaBot
7bc379fd5f28ca0016ae282820d517d7719cad2742a22968cc3c9d3434ff469d
DanaBot
7c902b5da243bec90b83e4d68e4e8c097d1e36e9d9508c5095023f801440d977
DanaBot
80d4bc601ab1473cb21fc90f190ef7c00ffaa44705c170e6b01bac62eb7c7fd3
DanaBot
941d3312f126a5104966af87ce58d9be63bbaf63216723508d9dd2d2f241fea7
DanaBot
e784ba83c1139d2d9880a2cd5546d1d7716694452ea84367fa9c238f97d5e5ad
DanaBot
+ 103 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot banker discovery spyware stealer trojan
Link:
https://tria.ge/reports/210408-syvyfjckc6/
Behaviour
Checks processor information in registry
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Executes dropped EXE
Danabot
Malware Config
C2 Extraction:
23.106.123.249:443
23.106.123.141:443
23.254.225.170:443
134.119.186.216:443
Unpacked files
SH256 hash:
ff82edcf419c6f1b3585d2e54d2ca817e541a2d363062d1ef27d6d0c221ba119
MD5 hash:
6c59c59ea6a8b8d922646fbce1572c7a
SHA1 hash:
601d90a70c073c3d4cd920349286dbf545b2093d
Link:
https://www.unpac.me/results/8810d4ae-3541-43cb-a939-7f95d50ced8d/
SH256 hash:
336bb583bb5232922f553410e89a877cdcba20d275c15592e89194c7e580b211
MD5 hash:
f8b6429c58ab39aaf9dc299158039061
SHA1 hash:
853856af0448655138ed2aea2da697e1ac751382
Link:
https://www.unpac.me/results/8810d4ae-3541-43cb-a939-7f95d50ced8d/
SH256 hash:
cae2af36f866fed9753ecc423bf1cfb3d1b5f2c3179dddc1715d6c896812d669
MD5 hash:
0fcc3d7408dfb7b31d8e36982dab298c
SHA1 hash:
6ebe13e8565ab5cfc7f8eac8973c156531b2a1e2
Link:
https://www.unpac.me/results/8810d4ae-3541-43cb-a939-7f95d50ced8d/
SH256 hash:
ec7db23abe0578993c032c1c962db58d72bc1cdcb8401d33e60e92f784defb75
MD5 hash:
845615bf78874fa55758ce6fa4b36084
SHA1 hash:
57871e28d04d19bb2f99cfacdc844073418c0d7c
Link:
https://www.unpac.me/results/8810d4ae-3541-43cb-a939-7f95d50ced8d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
HiddenRun
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/ec7db23abe0578993c032c1c962db58d72bc1cdcb8401d33e60e92f784defb75

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe ec7db23abe0578993c032c1c962db58d72bc1cdcb8401d33e60e92f784defb75

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1104280/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1104407/
Cape
Cape
https://www.capesandbox.com/analysis/133257/

Comments