MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f24001f95b70377e15a6153b8291eedc1f48e9552898c85d59daab3dc26aee88. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	f24001f95b70377e15a6153b8291eedc1f48e9552898c85d59daab3dc26aee88
SHA3-384 hash:	1f0485609a1a9fe0ed230cc2dd67376e8c763893df95342ffe520017fd5ac9d0d37696ac4069532e34a1f2bc87ea120b
SHA1 hash:	96f5b3f86999ce1fe274ce6481e5cfa48f252ff4
MD5 hash:	d870904882cf877c66b16dcd5e2572b3
humanhash:	cola-romeo-solar-tennessee
File name:	d870904882cf877c66b16dcd5e2572b3.exe
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	1'234'944 bytes
First seen:	2021-10-18 20:11:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	6f2a068c255b00f177d7f883be0dc61e (1 x Loki, 1 x DanaBot, 1 x RaccoonStealer)
ssdeep	24576:R2xqCGbJPQwQaF8GqZBkPeNelbFpDf1WMO4tTZHa7D7/x1R:RKla+ZBkPeNw5ZTdZHa7J
Threatray	6'679 similar samples on MalwareBazaar
TLSH	T106451200A7E1C035F1B216F449B9A3BC6A3E7AB0AB3555CF62D51AEE06366D5EC30347
File icon (PE):
dhash icon	5012b0e068696c46 (8 x RaccoonStealer, 8 x RedLineStealer, 6 x Smoke Loader)
Reporter	abuse_ch
Tags:	DanaBot exe

Intelligence

File Origin

# of uploads :

# of downloads :

439

Origin country :

n/a

Vendor Threat Intelligence

Detection:

DanaBot

Link:

https://www.capesandbox.com/analysis/198306/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.25513.11301.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Enabling the 'hidden' option for recently created files

Launching a process

Creating a process with a hidden window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/616dd514db358dd15ec0be75/reports/89dbbe84-7a60-4a88-8c85-c4b4df37e9b1/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1eeb4a80-facf-4ca3-8999-2a6372922553

Result

Threat name:

DanaBot

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/872645

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected DanaBot stealer dll

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f24001f95b70377e15a6153b8291eedc1f48e9552898c85d59daab3dc26aee88/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-10-18 20:12:05 UTC

AV detection:

17 of 28 (60.71%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6jaad6k3oa3x4fngcu5yfepo3qpur2kvfcmmqxkz3kvt3qtk52ea._file

Verdict:

malicious

Result

Malware family:

danabot

Score:

10/10

Tags:

family:danabot banker collection discovery spyware stealer trojan

Link:

https://tria.ge/reports/211018-yyt7csfecp/

Behaviour

Checks processor information in registry

Modifies Internet Explorer settings

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Drops file in Program Files directory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook accounts

Accesses Microsoft Outlook profiles

Checks installed software on the system

Loads dropped DLL

Reads user/profile data of web browsers

Blocklisted process makes network request

Danabot

Danabot Loader Component

Malware Config

C2 Extraction:

192.119.110.73:443
192.236.147.159:443
192.210.222.88:443

Unpacked files

SH256 hash:

4416683a6a803121b23f9b342c778f9b01f77f1604643939344d8dc7fb0a3816

MD5 hash:

8c3fa51c50ae3362ccbf575d1bcb05e4

SHA1 hash:

d1b026716e28ab09bb7b83150d74714808e4c63b

Link:

https://www.unpac.me/results/fadb19ae-0a6a-43a7-8527-e6b324b6fb52/

SH256 hash:

318bf590b0686455d19312d340307446110b145a939e2d47808e9c35ec080c12

MD5 hash:

a5e148d3af6e760af60c7fee57586bf7

SHA1 hash:

f5a9c178ffc7f184424c02937bd19659c1f593e0

Link:

https://www.unpac.me/results/fadb19ae-0a6a-43a7-8527-e6b324b6fb52/

SH256 hash:

f24001f95b70377e15a6153b8291eedc1f48e9552898c85d59daab3dc26aee88

MD5 hash:

d870904882cf877c66b16dcd5e2572b3

SHA1 hash:

96f5b3f86999ce1fe274ce6481e5cfa48f252ff4

Link:

https://www.unpac.me/results/fadb19ae-0a6a-43a7-8527-e6b324b6fb52/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f24001f95b70377e15a6153b8291eedc1f48e9552898c85d59daab3dc26aee88

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

exe f24001f95b70377e15a6153b8291eedc1f48e9552898c85d59daab3dc26aee88

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1660814/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/198306/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample