MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 214e3cd3db2fd521d7a66d0e4ede79c152870ff0330f839d01d7cc141cdc0a14. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 214e3cd3db2fd521d7a66d0e4ede79c152870ff0330f839d01d7cc141cdc0a14
SHA3-384 hash: 24db7bed65efd55b0284435e03ff8463b382043475d3174fadb8f7fa5032d4b2500a9a0d1f46f89c5baa8d8c5d455626
SHA1 hash: 2e6a5a180e757ef69402d20ae21c7dfc5cf96950
MD5 hash: 90ac2235ac7890cd0a7c39aedee49302
humanhash: magnesium-edward-arizona-spaghetti
File name:SecuriteInfo.com.Variant.Graftor.752710.8384.15318
Download: download sample
Signature DanaBot
Create hunting rule
File size:3'453'952 bytes
First seen:2020-05-19 15:42:15 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash e8aa1309c58f3e5165a7048571442e0f (3 x Gozi, 2 x DanaBot)
ssdeep 98304:nnzMIqkvs94Kw3xRImj7SLOn6nouQ2Gs8c+j2wzzmghU3S:nz/Kw3x0OeG7s87z
Threatray 309 similar samples on MalwareBazaar
TLSH 8CF57B017A80E029E9A95AB3CE68D5FD02117D54DF7490DB30D4BF8FBA7BAE69830711
Reporter SecuriteInfoCom
Tags:DanaBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
777
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.PrivateExeProte-11
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-19 16:35:33 UTC
AV detection:
22 of 31 (70.97%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
1f5b47b9e255b731d6e019429e2b46ef1599fe64dcec7514c74184e9da62aef3
DanaBot
361ecee960829c871e1535a6231f3985b2e0b373aecf4bd8d5fea67e1c1834ec
DanaBot
504eb3ba676729d316c8f6639ae45b0be030124e0c3007e9edade3b57b49e708
DanaBot
7df6cffe72503e47063c3b80da0e2df2d3932fa50cb08daa8f0d0aa8ec7d8184
DanaBot
a5bd1ac8e6458e40e63cf558145dbd06cc2700d97f9ed3ae5a161b165ca6c035
DanaBot
aa85267b21a04aa673ddde02c00feda1b10782b86eaad3ebbe5617a8ad787774
DanaBot
c58594d414c882ce33499233c2f508789e5fa4d91b79ef01d763012e39d7b095
DanaBot
c8093c755d566699bd222c13ff5b01e952e31a1a2da2f37919550b1c3bd99833
DanaBot
e1eabf537423c05f282eba3b0c5bc70931767c23fb9bb2a014999a73e7656e4a
DanaBot
ec4171872384e62627b06976f6e513650087c00e8c42f70d6b9d29b54e18a8e6
DanaBot
+ 299 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot banker trojan
Link:
https://tria.ge/reports/201109-4k59awxlm6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Blacklisted process makes network request
ServiceHost packer
Danabot
Malware Config
C2 Extraction:
172.81.129.196
54.38.22.65
192.99.219.207
51.255.134.130
192.236.179.73
23.82.140.201
45.147.228.92
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_danabot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments