MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 f4d374479efa4ca4ac6893bcb791b1d2ed163ffb503a15c9ba1fa59b06509e3d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
DanaBot
Vendor detections: 7
| SHA256 hash: | f4d374479efa4ca4ac6893bcb791b1d2ed163ffb503a15c9ba1fa59b06509e3d |
|---|---|
| SHA3-384 hash: | 7b13e24386e1b435bd5860d091a705eed8194c31e34a0f933580a82e36b207c5253dd250693dba070efe2af461dfccbb |
| SHA1 hash: | 4f51667bc89a76cf1c26c42f3feefa77d4fbdab5 |
| MD5 hash: | 9a3bb80e21a22b3f2579bc6e27dc065b |
| humanhash: | neptune-pennsylvania-michigan-jupiter |
| File name: | 9a3bb80e21a22b3f2579bc6e27dc065b.exe |
| Download: | download sample |
| Signature | DanaBot |
| File size: | 1'411'320 bytes |
| First seen: | 2021-05-20 15:19:19 UTC |
| Last seen: | 2021-05-20 17:13:22 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar) |
| ssdeep | 24576:zy1ZlN3Qd6K4HEhAOwyW16jXjNFijLCU5RTFURFA9zt6toP8txk0r97:W1ZzgkK4HEGOwT6jTNwjeU5hFd4KP8tz |
| Threatray | 203 similar samples on MalwareBazaar |
| TLSH | D76523DB7B85CE30D1F369741834D679186FFE2D6436C61A37926F9CB432A408428BA7 |
| Reporter |  abuse_ch |
| Tags: | DanaBot exe |
Intelligence
File Origin
# of uploads :
2
# of downloads :
277
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Unturned Manager.exe
Verdict:
Malicious activity
Analysis date:
2021-05-19 08:03:22 UTC
Tags:
opendir loader evasion trojan rat redline stealer vidar phishing raccoon
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Deleting a recently created file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Sending a UDP request
Launching a process
Creating a file in the %AppData% subdirectories
DNS request
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name:
Win32.Trojan.Sabsik
Status:
Malicious
First seen:
2021-05-18 23:55:35 UTC
File Type:
PE (Exe)
Extracted files:
44
AV detection:
27 of 29 (93.10%)
Threat level:
5/5
Verdict:
unknown
Similar samples:
+ 193 additional samples on MalwareBazaar
Result
Malware family:
danabot
Score:
10/10
Tags:
family:danabot botnet:3 banker discovery spyware stealer trojan
Behaviour
Checks processor information in registry
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Checks installed software on the system
Drops desktop.ini file(s)
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Danabot
Malware Config
C2 Extraction:
184.95.51.183:443
184.95.51.175:443
192.210.198.12:443
184.95.51.180:443
184.95.51.175:443
192.210.198.12:443
184.95.51.180:443
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Backdoor
Score:
1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
Delivery method
Distributed via web download
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
1) [F0002.002] Collection::Polling
2) [C0032.001] Data Micro-objective::CRC32::Checksum
3) [C0026.002] Data Micro-objective::XOR::Encode Data
6) [C0045] File System Micro-objective::Copy File
7) [C0046] File System Micro-objective::Create Directory
8) [C0048] File System Micro-objective::Delete Directory
9) [C0047] File System Micro-objective::Delete File
10) [C0049] File System Micro-objective::Get File Attributes
11) [C0051] File System Micro-objective::Read File
12) [C0050] File System Micro-objective::Set File Attributes
13) [C0052] File System Micro-objective::Writes File
14) [E1510] Impact::Clipboard Modification
15) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
16) [C0036.002] Operating System Micro-objective::Delete Registry Key::Registry
17) [C0036.007] Operating System Micro-objective::Delete Registry Value::Registry
18) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
19) [C0036.005] Operating System Micro-objective::Query Registry Key::Registry
20) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
21) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
22) [C0017] Process Micro-objective::Create Process
23) [C0038] Process Micro-objective::Create Thread
24) [C0018] Process Micro-objective::Terminate Process