MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee5d22a6100afb0935a51cc27ff16e833c796abce26d9ce254d66f30ab28c150. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee5d22a6100afb0935a51cc27ff16e833c796abce26d9ce254d66f30ab28c150
SHA3-384 hash: 0f8b37737f8a5ee128ce7c1b1ae805a5eb9833ac08f47565f2ce92f3ee872f4b923bd04470b996f20b0a694b738d1f0b
SHA1 hash: 5e6205f57a65fed48134a9fb1de4277e63d4bcf3
MD5 hash: 90a89fc585f1c79b2629c9dd8520ddb9
humanhash: three-crazy-illinois-south
File name:90a89fc585f1c79b2629c9dd8520ddb9
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'121'792 bytes
First seen:2021-08-26 15:11:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 915c33ea178f4e014c52a0e08d0a2d56 (11 x RaccoonStealer, 1 x DanaBot, 1 x RedLineStealer)
ssdeep 24576:ZhzaKR5eJP1CM3jE4Rq8umW7DCk9n/C9m+t9eAU6:6KyJNXE4Y86CkdCI+tgAU6
Threatray 260 similar samples on MalwareBazaar
TLSH T1A135232476B1C4BBF8C112B5482ADA2469A338D35D50A2573F804A9E3D723C855FDEEB
dhash icon 4839b2b0e8c38890 (105 x RaccoonStealer, 38 x Smoke Loader, 33 x RedLineStealer)
Reporter zbetcheckin
Tags:32 DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'218
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
90a89fc585f1c79b2629c9dd8520ddb9
Verdict:
Malicious activity
Analysis date:
2021-08-26 15:12:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/814d738b-6651-4104-b633-b8be030532d4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/182698/
Detection(s):
Win.Packed.Generic-9888554-0
Create hunting rule

Win.Packed.Generic-9888626-0
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a file
Enabling the 'hidden' option for recently created files
Sending a UDP request
Launching a process
Creating a process with a hidden window
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/78c16503-6dd0-4a43-9540-c9768d4df186
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
bank.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/839875
Signature
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Enables a proxy for the internet explorer
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sets a proxy for the internet explorer
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 472307 Sample: vR5DijfQHB Startdate: 26/08/2021 Architecture: WINDOWS Score: 100 37 localhost 2->37 39 8.8.8.8.in-addr.arpa 2->39 45 Found malware configuration 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 Yara detected DanaBot stealer dll 2->49 51 4 other signatures 2->51 10 vR5DijfQHB.exe 1 2->10         started        signatures3 process4 file5 35 C:\Users\user\Desktop\VR5DIJ~1.EXE.dll, PE32 10->35 dropped 61 Detected unpacking (changes PE section rights) 10->61 14 rundll32.exe 2 10->14         started        signatures6 process7 dnsIp8 43 23.229.29.48, 443, 49703, 49722 SERVER-MANIACA Canada 14->43 63 Bypasses PowerShell execution policy 14->63 65 Adds a directory exclusion to Windows Defender 14->65 18 rundll32.exe 10 20 14->18         started        22 WerFault.exe 23 9 14->22         started        signatures9 process10 dnsIp11 33 C:\Users\user\AppData\...\tmp80CA.tmp.ps1, ASCII 18->33 dropped 53 System process connects to network (likely due to code injection or exploit) 18->53 55 Tries to harvest and steal browser information (history, passwords, etc) 18->55 57 Sets a proxy for the internet explorer 18->57 59 2 other signatures 18->59 25 powershell.exe 25 18->25         started        27 powershell.exe 5 18->27         started        41 192.168.2.1 unknown unknown 22->41 file12 signatures13 process14 process15 29 conhost.exe 25->29         started        31 conhost.exe 27->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ee5d22a6100afb0935a51cc27ff16e833c796abce26d9ce254d66f30ab28c150/
Threat name:
Win32.Trojan.Zenpak
Create hunting rule
Status:
Malicious
First seen:
2021-08-26 15:12:12 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5zosfjqqbl5qsnnfdtbh74loqm6hs2v44jwzzysu2zxtbkziyfia._file
Verdict:
malicious
Similar samples:
053542bbd9ab3b0436469e6d6ae5ff0b72e55f882a08e23d8ab481e1357d9528
DanaBot
423d9cfa5ac46d2ebb867f1b51dc844f4b823c4404c82b16ba611a1032040bf8
DanaBot
549d8c5e666fe53f6f368df5cd76424bca7ae9f8c07684e2ff19be04fb1815d1
DanaBot
58dd074be5e51ca44f0c67ed712b3bb7a1afe1723adccdf3491636fef7cf1a2d
DanaBot
987f20ff829ea4c324d87ca9b55860111b827d0fdb01499bb704074d9d220016
DanaBot
bdd0c7cbefda7e06ae77b73b86f97ce92ec35be89de53681f6aa9c8b6f1467d0
DanaBot
c252d146aa7c269b0db0a7c05f094da93234e6ace6ad52bd33860edd4127b6eb
DanaBot
df03220ee207a1be64e9f25b74a78684ecd00fd75dd3e44e38e2b1678060e8be
DanaBot
e83e6702c3b59f275981161db3eabdb589051a4d36ad2d74c34a8fc45cb31a30
DanaBot
f43c76a153e03551456a21ebd15a07017fbabd51a1080752ddb5241f9d599782
DanaBot
+ 250 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot banker discovery trojan
Link:
https://tria.ge/reports/210826-apyflw4nqe/
Behaviour
Checks processor information in registry
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Checks installed software on the system
Loads dropped DLL
Blocklisted process makes network request
Danabot
Danabot Loader Component
Unpacked files
SH256 hash:
bf4e92de21142b4c286f271b98107b4e45694fb471b06bc5e2c6238f7a1d6770
MD5 hash:
1dd049c42bad583f2e2476b02adb0489
SHA1 hash:
d592d8efcebe762e558a7969c1733f46db3d5c3b
Link:
https://www.unpac.me/results/c0ac8815-e214-4672-8ab2-7221c281a02a/
SH256 hash:
6254b966cc6cbfc97a2f67e3047fc6500b400c212619bbf9adf614899f99bfd7
MD5 hash:
9ef18f9abf171179834dab9a37118045
SHA1 hash:
e99b33a0546517d65ddaa4748b8140e253c12810
Link:
https://www.unpac.me/results/c0ac8815-e214-4672-8ab2-7221c281a02a/
SH256 hash:
ee5d22a6100afb0935a51cc27ff16e833c796abce26d9ce254d66f30ab28c150
MD5 hash:
90a89fc585f1c79b2629c9dd8520ddb9
SHA1 hash:
5e6205f57a65fed48134a9fb1de4277e63d4bcf3
Link:
https://www.unpac.me/results/c0ac8815-e214-4672-8ab2-7221c281a02a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ee5d22a6100a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ee5d22a6100afb0935a51cc27ff16e833c796abce26d9ce254d66f30ab28c150

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe ee5d22a6100afb0935a51cc27ff16e833c796abce26d9ce254d66f30ab28c150

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/182698/
  
URLhaus
https://urlhaus.abuse.ch/url/1490082/
  
URLhaus
https://urlhaus.abuse.ch/url/1495647/
  
URLhaus
https://urlhaus.abuse.ch/url/1552888/

Comments


Avatar
zbet commented on 2021-08-26 15:11:19 UTC

url : hxxp://192.210.222.84/tepserv.exe