MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f60d2c6bda016a6fd0d165a5ee38ed4dceb39c9835ce0dfb6d5b1ddf31dd6f5e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 12



SHA256 hash: f60d2c6bda016a6fd0d165a5ee38ed4dceb39c9835ce0dfb6d5b1ddf31dd6f5e
SHA3-384 hash: e9725df810d7f876a1eceb80539950828cedfc61ccbaa6ecee7752fc23b23608f4e4f3fd47c57c22633b24774b13f233
SHA1 hash: 938c767a5b123fcf4491ad1bbfd98038aa8800fd
MD5 hash: 8f1a74f261b78c3df1a66ddc46cfab10
humanhash: illinois-quiet-lactose-cold
File name: 8f1a74f261b78c3df1a66ddc46cfab10
Signature: DanaBot
File size: 1'764'352 bytes
First seen: 2021-12-17 07:47:33 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 44c00401a20ce3d35e55418765dd0985 (4 x RedLineStealer, 2 x DanaBot)
ssdeep: 49152:d9c0qngHhvW+Jzdl5Y5TwLWbj0tD3QerfxI:3cfngBvW+JBwwS/0tDQw
TLSH: T19485237769ABD6B1CBDB6BB16E189BA5D93F26315A2145933600133E1E31EAC40F370C
dhash icon: 4839b234e8c38c90 (9 x RaccoonStealer, 4 x RedLineStealer, 4 x Smoke Loader)
Reporter: zbetcheckin
Tags: 32 DanaBot exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 474
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Suspicious
Maliciousness:
Behaviour:
  Searching for the window
  Creating a file
  Enabling the 'hidden' option for recently created files
  DNS request
  Sending a custom TCP request
  Launching a process
  Creating a process with a hidden window

Result
Malware family: n/a
Score: 9/10
Tags: n/a
Behaviour:
  MalwareBazaar
  SystemUptime
  MeasuringTime
  CPUID_Instruction
  EvasionQueryPerformanceCounter
  CheckCmdLine
  EvasionGetTickCount
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed

Result
Verdict: UNKNOWN
Details:
  Windows PE Executable
  Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: DanaBot
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature:
  C2 URLs / IPs found in malware configuration
  Detected unpacking (changes PE section rights)
  Detected unpacking (overwrites its own PE header)
  Found malware configuration
  Machine Learning detection for dropped file
  Machine Learning detection for sample
  Multi AV Scanner detection for submitted file
  System process connects to network (likely due to code injection or exploit)
  Yara detected DanaBot stealer dll
Behaviour: Behavior Graph (image)

Result
Threat name: Win32.Ransomware.StopCrypt
Status: Malicious
First seen: 2021-12-17 08:12:43 UTC
File Type: PE (Exe)
Extracted files: 19
AV detection: 24 of 28 (85.71%)
Threat level: 5/5
Verdict: malicious

Result
Malware family: danabot
Score: 10/10
Tags: family:danabot botnet:4 banker trojan
Behaviour:
  Suspicious use of WriteProcessMemory
  Loads dropped DLL
  Danabot
  Danabot Loader Component
Malware Config
C2 Extraction:
  142.11.244.223:443
  23.106.122.139:443

Unpacked files
SHA256 hash: 8e0b5a77abc772f0d4ad4fbc60806e44c15a6e5d6f8fb66b505353f048ecfb0c
MD5 hash: ba23fcc3f0320e283734be51028a0453
SHA1 hash: 01dc6d64fc618fa32a9d2d69f299dacdd42e3be2

SHA256 hash: cf486ceed34a65042ea8475ba045b1b72b002dd05fa31f259ceecfc36f5164bc
MD5 hash: b4fff9ae8e0a3fa615195a1901e9868c
SHA1 hash: b583d99c2b448ef7adf3e9919cf5269827b406f0

SHA256 hash: f60d2c6bda016a6fd0d165a5ee38ed4dceb39c9835ce0dfb6d5b1ddf31dd6f5e
MD5 hash: 8f1a74f261b78c3df1a66ddc46cfab10
SHA1 hash: 938c767a5b123fcf4491ad1bbfd98038aa8800fd
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: DanaBot
File type: Executable exe
SHA256: f60d2c6bda016a6fd0d165a5ee38ed4dceb39c9835ce0dfb6d5b1ddf31dd6f5e (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2021-12-17 07:47:35 UTC

url : hxxp://23.106.122.132/svchosts.exe