MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 064eefd591b90b242c39a55d00ab37a3055a8979544e5b14504fec12bdec687e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 064eefd591b90b242c39a55d00ab37a3055a8979544e5b14504fec12bdec687e
SHA3-384 hash: 860478d166f493f34a5d2120a41c12720ce5f3a0aa8450b4bb2398f6432ee6dde2a9e20a29db74a5c4aa738e515de9dc
SHA1 hash: 7eb9e399405c599238e67fb43cd58b2780456925
MD5 hash: d70f3c68b23be66166a1b1b486bb28a1
humanhash: lake-spring-wyoming-oranges
File name:d70f3c68b23be66166a1b1b486bb28a1.dll
Download: download sample
Signature DanaBot
Create hunting rule
File size:2'588'672 bytes
First seen:2021-10-29 05:32:51 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash cedd92f846db36afec299e785c7f27fc (1 x DanaBot)
ssdeep 49152:4gZziYTJ//YPt2Z/fZMdzUAOC5n+LlrxFTGWMKq:40ziYTWV2Z/f6AAOGarxFTGDv
Threatray 5 similar samples on MalwareBazaar
TLSH T1C3C54C2033B69812F273133598F3D0E09ED8BD6299B4AD4B70C23B5F049F6D29A5975E
Reporter abuse_ch
Tags:DanaBot dll

Intelligence

File Origin
# of uploads :
1
# of downloads :
290
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Enabling the 'hidden' option for analyzed file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/17662ed4-b8ee-4e7f-8a98-d0cc8aab3001
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/879039
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 511470 Sample: YmRQJGHRyz.dll Startdate: 29/10/2021 Architecture: WINDOWS Score: 76 23 Found malware configuration 2->23 25 Multi AV Scanner detection for submitted file 2->25 27 Yara detected DanaBot stealer dll 2->27 29 C2 URLs / IPs found in malware configuration 2->29 7 loaddll32.exe 2 2->7         started        process3 process4 9 rundll32.exe 1 7->9         started        12 rundll32.exe 1 7->12         started        15 cmd.exe 1 7->15         started        17 rundll32.exe 1 7->17         started        dnsIp5 31 System process connects to network (likely due to code injection or exploit) 9->31 21 185.158.250.216, 443, 49747, 49748 M247GB Netherlands 12->21 19 rundll32.exe 1 15->19         started        signatures6 process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/064eefd591b90b242c39a55d00ab37a3055a8979544e5b14504fec12bdec687e/
Threat name:
Win32.Trojan.DanaBot
Create hunting rule
Status:
Malicious
First seen:
2021-10-29 05:33:11 UTC
AV detection:
19 of 45 (42.22%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=azho7vmrxefsilbzuvoqbkzxumcvvclzkrhfwfcqj7wbfppmnb7a._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
2203d02a6aa593c823a8ad01a2b9fe25bd224832d04af253c7c1d0412d591756
DanaBot
2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd
DanaBot
5ca2a5d2ec7cee822027375ef676891f3501dad244c504807b9daa6d87cf0ac1
DanaBot
6901d27fd099c6211ec944208df34dc1b75cfffb994bc84e9eeadb9b7c183166
DanaBot
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot banker trojan
Link:
https://tria.ge/reports/211029-f821vacfb3/
Behaviour
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Danabot
Danabot Loader Component
Malware Config
C2 Extraction:
185.158.250.216:443
194.76.225.46:443
45.11.180.153:443
194.76.225.61:443
Unpacked files
SH256 hash:
ed9f007e3f9f5903026b0ef215ea263eed03b83bdc47fbe54eb0d9202f138d81
MD5 hash:
3f4195f2b43f1c8d26f865c9bb83f546
SHA1 hash:
a72cc819682a4c998f84e8782ee3283e2010d4a9
Link:
https://www.unpac.me/results/9bf8ddbf-fd2c-4f62-affd-1d34ed9e0b5b/
SH256 hash:
064eefd591b90b242c39a55d00ab37a3055a8979544e5b14504fec12bdec687e
MD5 hash:
d70f3c68b23be66166a1b1b486bb28a1
SHA1 hash:
7eb9e399405c599238e67fb43cd58b2780456925
Link:
https://www.unpac.me/results/9bf8ddbf-fd2c-4f62-affd-1d34ed9e0b5b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/064eefd591b90b242c39a55d00ab37a3055a8979544e5b14504fec12bdec687e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

DLL dll 064eefd591b90b242c39a55d00ab37a3055a8979544e5b14504fec12bdec687e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1707747/
  
Delivery method
Distributed via web download

Comments