MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f88e0b67f660fac89b18d3fa165e105fd3293735a104fb2b2fc9e4fbc5e8ecc5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	f88e0b67f660fac89b18d3fa165e105fd3293735a104fb2b2fc9e4fbc5e8ecc5
SHA3-384 hash:	0bf836e51d45a9b2d04614565a4e6fdebde2a89bbec20d184e62f200f24f606cae49d6f3269d5d570a0fa03ca8d467a0
SHA1 hash:	b9eb3a0b4b57682ebd950b4418a240950850756b
MD5 hash:	cdde04dcbb4608116a3f579c10ca05c2
humanhash:	sad-pasta-mississippi-yellow
File name:	cdde04dcbb4608116a3f579c10ca05c2.exe
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	1'147'392 bytes
First seen:	2021-08-08 15:21:55 UTC
Last seen:	2021-08-08 16:01:39 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	3d213b98c14cd3c3750955e4d1b081cd (3 x DanaBot, 1 x TeamBot, 1 x Stop)
ssdeep	24576:N8oVxVB6tm3C5pXIYpTBgrLaHu3Id66E3s97:N8IxL6VNSrLd3JNg
Threatray	3'586 similar samples on MalwareBazaar
TLSH	T12C3523B22BB0F526F1330474345DDAA0FAA95C60D791C64327A4FEAF6E37B9017A4346
dhash icon	1036787872767e36 (4 x DanaBot, 3 x Smoke Loader, 2 x RaccoonStealer)
Reporter	abuse_ch
Tags:	DanaBot exe

Intelligence

File Origin

# of uploads :

# of downloads :

432

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

cdde04dcbb4608116a3f579c10ca05c2.exe

Verdict:

Malicious activity

Analysis date:

2021-08-08 15:28:20 UTC

Tags:

installer trojan danabot

Link:

https://app.any.run/tasks/cbef703c-16eb-42a9-926e-141f1775df9e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

DanaBot

Link:

https://www.capesandbox.com/analysis/177259/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.3852.31100.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Enabling the 'hidden' option for recently created files

Launching a process

Creating a process with a hidden window

DNS request

Sending a UDP request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/948cc7a4-94ff-40ee-aef4-8388a3fd4827

Result

Threat name:

DanaBot

Detection:

malicious

Classification:

bank.troj.adwa.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/828818

Signature

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Enables a proxy for the internet explorer

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sets a proxy for the internet explorer

Sigma detected: Suspicious Script Execution From Temp Folder

System process connects to network (likely due to code injection or exploit)

Tries to harvest and steal browser information (history, passwords, etc)

Uses nslookup.exe to query domains

Yara detected DanaBot stealer dll

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f88e0b67f660fac89b18d3fa165e105fd3293735a104fb2b2fc9e4fbc5e8ecc5/

Threat name:

Win32.Trojan.Zenpak

Status:

Malicious

First seen:

2021-08-08 15:22:08 UTC

AV detection:

17 of 27 (62.96%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=7chawz7wmd5mrgyy2p5bmxqql7jssnzvuecpwkzpzhspxrpi5tcq._file

Verdict:

malicious

Gathering data

Unpacked files

SH256 hash:

971185ac1a90b720446b38e8ae74ec5cd4809b09d1e1ed422883db977ddab316

MD5 hash:

978ca1ee18d48f8200390cb0df026c9a

SHA1 hash:

c5e7f7316504e2d80999a42b80d127774167ce88

Link:

https://www.unpac.me/results/49f3f096-a520-4e01-8418-a940af2f9ba4/

SH256 hash:

05abcd7b5e8e1a6f92b4af0fbe1caffe40056dee22e1a5d3bbe8cdac54b05e4b

MD5 hash:

407bd5693e2a22cb9ee5bb66a880019a

SHA1 hash:

4273b2795527be44f8dc09fddfface3f7d97adc2

Link:

https://www.unpac.me/results/49f3f096-a520-4e01-8418-a940af2f9ba4/

SH256 hash:

f88e0b67f660fac89b18d3fa165e105fd3293735a104fb2b2fc9e4fbc5e8ecc5

MD5 hash:

cdde04dcbb4608116a3f579c10ca05c2

SHA1 hash:

b9eb3a0b4b57682ebd950b4418a240950850756b

Link:

https://www.unpac.me/results/49f3f096-a520-4e01-8418-a940af2f9ba4/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/f88e0b67f660/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f88e0b67f660fac89b18d3fa165e105fd3293735a104fb2b2fc9e4fbc5e8ecc5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

exe f88e0b67f660fac89b18d3fa165e105fd3293735a104fb2b2fc9e4fbc5e8ecc5

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1467030/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/1490082/

URLhaus

https://urlhaus.abuse.ch/url/1461110/

URLhaus

https://urlhaus.abuse.ch/url/1495647/

Cape

https://www.capesandbox.com/analysis/177259/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample