MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9a4b4cc955f9e3b1154a6f1d425732c5e8785afe6deacfaa378efb9825e9e53. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f9a4b4cc955f9e3b1154a6f1d425732c5e8785afe6deacfaa378efb9825e9e53
SHA3-384 hash: d3d627f8c19df3905d94e5e538b11f3bf1dc5728a7c53b6629c20ffd81739612d853c50cfb9e64af781f5d2362d4bf17
SHA1 hash: 07baf301c60c36b8f8f584bc0965e381116258ca
MD5 hash: 2b53aa4ae25e0a2aa60b1f8094d0d4b1
humanhash: florida-romeo-nitrogen-nineteen
File name:2b53aa4ae25e0a2aa60b1f8094d0d4b1.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:6'279'168 bytes
First seen:2021-06-06 07:00:13 UTC
Last seen:2021-06-06 07:38:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fb2c51671dc7c071d12a61379755b991 (1 x DanaBot, 1 x RaccoonStealer)
ssdeep 98304:9kT/ErAp/1tIppUd3siFqeEIwVTn14PP6usCKzs7XKlys3sjEt18vh3GMcX/8evp:GPdtIpppiFHEIwVTn14PPfNKm6l/yZsv
Threatray 98 similar samples on MalwareBazaar
TLSH C756334151FAC0B5F1B626F449B651BC4A1AFAD06316A0CF73C932DA03ADAE4C676373
Reporter abuse_ch
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
537
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2b53aa4ae25e0a2aa60b1f8094d0d4b1.exe
Verdict:
No threats detected
Analysis date:
2021-06-06 07:04:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8b51cb85-3bf9-4920-80e7-b8c1bd6f056b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DanaBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/164713/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37043071.26043.928.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file
Launching a process
Creating a process with a hidden window
Modifying an executable file
Changing a file
Creating a file in the %temp% directory
Sending a custom TCP request
Reading critical registry keys
Forced system process termination
Infecting executable files
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/797657
Signature
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Uses nslookup.exe to query domains
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 430053 Sample: 9l2fgn5tTv.exe Startdate: 06/06/2021 Architecture: WINDOWS Score: 100 55 Found malware configuration 2->55 57 Antivirus detection for dropped file 2->57 59 Multi AV Scanner detection for dropped file 2->59 61 5 other signatures 2->61 9 9l2fgn5tTv.exe 1 2->9         started        process3 file4 47 C:\Users\user\Desktop\9L2FGN~1.EXE.dll, PE32 9->47 dropped 71 Detected unpacking (changes PE section rights) 9->71 73 Detected unpacking (overwrites its own PE header) 9->73 13 rundll32.exe 9->13         started        signatures5 process6 signatures7 75 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 13->75 77 Bypasses PowerShell execution policy 13->77 79 Uses schtasks.exe or at.exe to add and modify task schedules 13->79 16 rundll32.exe 8 24 13->16         started        process8 dnsIp9 49 184.95.51.183, 443, 49726 SSASN2US United States 16->49 41 C:\Users\user\AppData\Local\...\setup.exe, PE32+ 16->41 dropped 43 C:\Users\user\AppData\...\tmpFBD3.tmp.ps1, ASCII 16->43 dropped 45 C:\Users\user\AppData\Local\...\Cookies, SQLite 16->45 dropped 63 System process connects to network (likely due to code injection or exploit) 16->63 65 Tries to harvest and steal browser information (history, passwords, etc) 16->65 67 Infects executable files (exe, dll, sys, html) 16->67 21 powershell.exe 16 16->21         started        24 powershell.exe 17 16->24         started        26 schtasks.exe 1 16->26         started        28 schtasks.exe 1 16->28         started        file10 signatures11 process12 signatures13 69 Uses nslookup.exe to query domains 21->69 30 nslookup.exe 1 21->30         started        33 conhost.exe 21->33         started        35 conhost.exe 24->35         started        37 conhost.exe 26->37         started        39 conhost.exe 28->39         started        process14 dnsIp15 51 localhost 30->51 53 8.8.8.8.in-addr.arpa 30->53
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f9a4b4cc955f9e3b1154a6f1d425732c5e8785afe6deacfaa378efb9825e9e53/
Threat name:
Win32.Trojan.CrypterX
Create hunting rule
Status:
Malicious
First seen:
2021-06-05 16:27:34 UTC
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7gsljtevl6pdwekuu3y5ijltfrpipbnp43pkz6vdpdx3tas6tzjq._file
Verdict:
malicious
Similar samples:
3cca783febeb041bf21545d727c32f37b7b94687022f0432a2fa5abe9316db5a
DanaBot
41bbf76b420c467a35a7a8c7a92eca26881d71f52613cc967a9325202c6a0755
DanaBot
57d0037d8050f8aa348753ab97c05050d0408e0b7b488f38f0361ae9e6a51419
DanaBot
5ac9bb875dd59b311022ef7f641019e2f1e4e4dd70033b0229a4d7790d419019
DanaBot
7b1c3945ee7336c1cf4231e0022ef3ba4cf06f5b0a9a9cf8fea3c8c2d346c760
DanaBot
97b7da2ab88a53b25084a5e5a6fa93a38485baa9fce0406ed6f4f041f35d88a2
DanaBot
9d69fa18e31fc8945bff8b8a1d0b86700ca1618217372e46e4cc9f371032985c
DanaBot
db8220cbd62d1046db60abc9af4d4218c1a5b4193e970f19fcec7e67d58a1292
DanaBot
e413c16c5d8e070393a692f4ac68ab57c4d61f57a47d5cea3233dc75e350865e
DanaBot
f49f273f3ee41c8bfebed6c87c839335ae6ee8faa025f6ab67b6f9aec1569604
DanaBot
+ 88 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot botnet:3 banker discovery spyware stealer trojan
Link:
https://tria.ge/reports/210606-wp7h6w1cba/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks installed software on the system
Drops desktop.ini file(s)
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Danabot
Malware Config
C2 Extraction:
184.95.51.183:443
184.95.51.175:443
192.210.198.12:443
184.95.51.180:443
Unpacked files
SH256 hash:
396c859df9895a4d4095f32ff898e6b5730c10fe249a216ccdb64d2864b2f83a
MD5 hash:
4e4a8c08f1a00b57642778547f4854b6
SHA1 hash:
a51cba7d8b1a9835520a53912b62ba463d4b88f4
Link:
https://www.unpac.me/results/948c25c3-7164-4d1e-975e-73e92459d3b5/
SH256 hash:
8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418
MD5 hash:
7ac078a4c0a0c82464f31418b512cad7
SHA1 hash:
edafdb4391106484521c3a76890690ee525a9d68
Link:
https://www.unpac.me/results/948c25c3-7164-4d1e-975e-73e92459d3b5/
SH256 hash:
b5def887ac8abcc710dc7523d0929ee2b5a12370008b15a4572de41994651376
MD5 hash:
85c0a4482dc19d0d3fcb9f00a7274f75
SHA1 hash:
ae7e979fe6fd9b8a035e70cab5ec54ec5f56e41a
Link:
https://www.unpac.me/results/948c25c3-7164-4d1e-975e-73e92459d3b5/
SH256 hash:
f9a4b4cc955f9e3b1154a6f1d425732c5e8785afe6deacfaa378efb9825e9e53
MD5 hash:
2b53aa4ae25e0a2aa60b1f8094d0d4b1
SHA1 hash:
07baf301c60c36b8f8f584bc0965e381116258ca
Link:
https://www.unpac.me/results/948c25c3-7164-4d1e-975e-73e92459d3b5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f9a4b4cc955f9e3b1154a6f1d425732c5e8785afe6deacfaa378efb9825e9e53

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe f9a4b4cc955f9e3b1154a6f1d425732c5e8785afe6deacfaa378efb9825e9e53

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1271412/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1291080/
Cape
Cape
https://www.capesandbox.com/analysis/164713/

Comments