MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f49f273f3ee41c8bfebed6c87c839335ae6ee8faa025f6ab67b6f9aec1569604. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 10


Intelligence 10 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f49f273f3ee41c8bfebed6c87c839335ae6ee8faa025f6ab67b6f9aec1569604
SHA3-384 hash: 1d12981e72f85a197d79485d9aea4eb175cb8a8892dcdc68d130a4b32e38aaa43005d85c66c6b18ea6af616ae2963c78
SHA1 hash: dd207bf59d41c15eae9f0f5025f0bee87b21f782
MD5 hash: cd40719a2a4b343268739b3d711437f4
humanhash: emma-april-artist-march
File name:cd40719a2a4b343268739b3d711437f4.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:6'332'928 bytes
First seen:2021-05-25 07:15:10 UTC
Last seen:2021-05-25 08:03:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 646dea3e06ebecb15c5e764c7a01072a (2 x RaccoonStealer, 1 x Glupteba, 1 x DanaBot)
ssdeep 98304:lcCPKzOgzdQwOIRqVnaVQe7YWcY5V0wxv80aQaElYSGhVPmX9EFyIySCvkqq6+YL:fTnkQuYM07emTjPmtEz7m+6H
Threatray 77 similar samples on MalwareBazaar
TLSH 17563371BEA1C076F0BB27B04DABC1F8A52539505B1890DF23D2A7AD8A352D4AD7064F
Reporter abuse_ch
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
291
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
x86_x64_setup.exe
Verdict:
Malicious activity
Analysis date:
2021-05-24 21:14:13 UTC
Tags:
evasion opendir trojan loader stealer vidar rat redline phishing
Link:
https://app.any.run/tasks/e13afa90-e759-4557-be32-e22796b148e1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/161744/
Detection(s):
Win.Ransomware.Generickdz-9864351-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file
Launching a process
Creating a process with a hidden window
Modifying an executable file
Changing a file
Creating a file in the %temp% directory
Sending a custom TCP request
Infecting executable files
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/791246
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f49f273f3ee41c8bfebed6c87c839335ae6ee8faa025f6ab67b6f9aec1569604/
Threat name:
Win32.Backdoor.Convagent
Create hunting rule
Status:
Malicious
First seen:
2021-05-25 01:29:00 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6spsopz64qoix7v623ehza4tgwxg52h2uas7nk3hw3425qkwsyca._file
Verdict:
malicious
Similar samples:
37ac55376fbefed78ed34839833e8c8aa50aff9f8ae47cc70317e502c8e961f2
DanaBot
3cca783febeb041bf21545d727c32f37b7b94687022f0432a2fa5abe9316db5a
DanaBot
5397b6d592556e4d65cd442190cfbcba5b3d253b0fbfcc0a16f1c6f2b48a58c4
DanaBot
5ac9bb875dd59b311022ef7f641019e2f1e4e4dd70033b0229a4d7790d419019
DanaBot
640924cab9ff4e24cbb725eaca8c59de5f6e52378e45d2681ff3ef51cd6ff90f
DanaBot
8e4f30afa8d0ce48c46a39e2754d8f7adad90ae8ccaf0132b354be76076b20cc
DanaBot
9c8057521a53904ce86837434f6ca9075fea66d1c31914db6a6b49f68649191f
DanaBot
9d69fa18e31fc8945bff8b8a1d0b86700ca1618217372e46e4cc9f371032985c
DanaBot
e413c16c5d8e070393a692f4ac68ab57c4d61f57a47d5cea3233dc75e350865e
DanaBot
e71449bcddb6f0f1d7f79e10e5da56bf5a35898c7fd569be57e83a3c31c85f41
DanaBot
+ 67 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot botnet:3 banker discovery spyware stealer trojan
Link:
https://tria.ge/reports/210525-aba349pbjs/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks installed software on the system
Drops desktop.ini file(s)
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Danabot
Malware Config
C2 Extraction:
184.95.51.183:443
184.95.51.175:443
192.210.198.12:443
184.95.51.180:443
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f49f273f3ee41c8bfebed6c87c839335ae6ee8faa025f6ab67b6f9aec1569604

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:hunt_skyproj_backdoor
Create hunting rule
Author:SBousseaden
Reference:https://unit42.paloaltonetworks.com/unit42-prince-persia-ride-lightning-infy-returns-foudre/
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePasswor
Create hunting rule
Author:ditekSHen
Description:Detects PowerShell content designed to retrieve passwords from host
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_DanaBot
Create hunting rule
Author:ditekSHen
Description:Detects DanaBot variants
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Stealer_word_in_memory
Create hunting rule
Author:James_inthe_box
Description:The actual word stealer in memory
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe f49f273f3ee41c8bfebed6c87c839335ae6ee8faa025f6ab67b6f9aec1569604

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1271412/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1261033/
Cape
Cape
https://www.capesandbox.com/analysis/161744/

Comments