MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f66a32559056cd11d34d31ac48a4488de144daa4825d7292e85436601a177434. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	f66a32559056cd11d34d31ac48a4488de144daa4825d7292e85436601a177434
SHA3-384 hash:	21e35476f6110958d0fd5e31bc8f58cc7ee19b24b7737e166816face851e8cf071b4ee10414d6b2281f62bae018c9564
SHA1 hash:	71d00feeed8336b19700586895f77600ba4adc9b
MD5 hash:	da526a5f36121bf56460ab151e7f3a2a
humanhash:	triple-colorado-two-oregon
File name:	da526a5f36121bf56460ab151e7f3a2a.exe
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	1'066'496 bytes
First seen:	2021-09-23 21:25:09 UTC
Last seen:	2021-09-23 22:20:24 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	5fbfc74c3ddccb96d094c58debd98462 (10 x RedLineStealer, 2 x Tofsee, 2 x RaccoonStealer)
ssdeep	24576:u2iYG4BM8YXKYkAV+27daFRAey7nQ0hO7GAI4XI:u2iZuVqUAVhaFyJz85XI
Threatray	5'667 similar samples on MalwareBazaar
TLSH	T11E3523A1F9E1C438C3E7D6741875B2A61E2B7C2B7A63E14C7A55228D0D717B0B621BC3
File icon (PE):
dhash icon	1072c293b0381906 (17 x RedLineStealer, 5 x Stop, 4 x DanaBot)
Reporter	abuse_ch
Tags:	DanaBot exe

Intelligence

File Origin

# of uploads :

# of downloads :

255

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

da526a5f36121bf56460ab151e7f3a2a.exe

Verdict:

Malicious activity

Analysis date:

2021-09-23 21:27:58 UTC

Tags:

trojan danabot

Link:

https://app.any.run/tasks/790e50da-f165-4adf-9d77-8c2f41d68acf

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/190907/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware2.25504.16916.UNOFFICIAL

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/25baea3a-af34-4622-8186-272d2fc5a651

Result

Threat name:

DanaBot

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/856936

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected DanaBot stealer dll

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f66a32559056cd11d34d31ac48a4488de144daa4825d7292e85436601a177434/

Threat name:

Win32.Trojan.Sabsik

Status:

Malicious

First seen:

2021-09-23 17:34:26 UTC

AV detection:

16 of 27 (59.26%)

Threat level:

5/5

Verdict:

malicious

Result

Malware family:

danabot

Score:

10/10

Tags:

family:danabot botnet:4 banker discovery spyware stealer trojan

Link:

https://tria.ge/reports/210923-z9732afda2/

Behaviour

Checks processor information in registry

Modifies Internet Explorer settings

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Drops file in Program Files directory

Suspicious use of SetThreadContext

Checks installed software on the system

Loads dropped DLL

Reads user/profile data of web browsers

Blocklisted process makes network request

Danabot

Danabot Loader Component

Suspicious use of NtCreateProcessExOtherParentProcess

Malware Config

C2 Extraction:

23.254.144.209:443
192.236.194.86:443
142.11.192.232:443

Unpacked files

SH256 hash:

0982a93289d51ab0936e4cf16351e35690ea8616cb06f0d3ef941af29aeb65bf

MD5 hash:

43226b4eef925a71fd4b82c41a54bfee

SHA1 hash:

f50453dfa4d95d87e646b61376a408ae50595474

Link:

https://www.unpac.me/results/66b03fb2-973c-4879-8d9b-c1899968f547/

SH256 hash:

c9ca2b6c766dbe31e4d31f52d2d37b8abdc9c7e599c178e14414fc04c55664bb

MD5 hash:

f1aba8d4c22c9b3e2a05c1ee441a8c4e

SHA1 hash:

d332cc240f0536bb4f37af4536a0f815b52c850b

Link:

https://www.unpac.me/results/66b03fb2-973c-4879-8d9b-c1899968f547/

SH256 hash:

f66a32559056cd11d34d31ac48a4488de144daa4825d7292e85436601a177434

MD5 hash:

da526a5f36121bf56460ab151e7f3a2a

SHA1 hash:

71d00feeed8336b19700586895f77600ba4adc9b

Link:

https://www.unpac.me/results/66b03fb2-973c-4879-8d9b-c1899968f547/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/f66a32559056/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f66a32559056cd11d34d31ac48a4488de144daa4825d7292e85436601a177434

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

exe f66a32559056cd11d34d31ac48a4488de144daa4825d7292e85436601a177434

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1640605/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/190907/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample