MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 14d1b1a276cc2ca724d2ad6eeb0d9090c456a3aa11ac80f977911496b3123a91. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 4

SHA256 hash: 14d1b1a276cc2ca724d2ad6eeb0d9090c456a3aa11ac80f977911496b3123a91
SHA3-384 hash: f35a7dec466d9353b939bd1e268191897ec3e581a805bea6186674e6d5a374198cf51aa4217e19b713ba77debccab66b
SHA1 hash: f5b01b158aabbb104e53e6f4dc76a77b6a928848
MD5 hash: 875071870de4fad3639b04a6b7f3f3fb
humanhash: uniform-stairway-hotel-jupiter
File name: SecuriteInfo.com.Trojan.Siggen9.32682.17451.1260
Signature: DanaBot
File size: 1'132'544 bytes
First seen: 2020-04-03 12:33:51 UTC
Last seen: 2020-04-04 07:34:22 UTC
File type: DLL (dll)
MIME type: application/x-dosexec
imphash: fe26e7b16e3f193a2724b0f29af64aaa (1 x DanaBot)
ssdeep: 12288:ARujDnxc+np/5vP4AYiXm53JzVRt+Y0H7v3K58zMQmrxEAjMLe:ARu/nqWptP4AYiMMY0H7vK58Rm9EAYS
Threatray: 291 similar samples on MalwareBazaar
TLSH: 3F357D32F585A93EC19F16391933AB54853F7B226D278C5F67F24848CE29881297F24F
Reporter: SecuriteInfoCom
Tags: DanaBot

Intelligence

File Origin
# of uploads: 3
# of downloads: 731
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Trojan.Danabot
Status: Malicious
First seen: 2020-04-03 04:43:00 UTC
File Type: PE (Dll)
AV detection: 27 of 31 (87.10%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Signature | File type | SHA256 hash
Malspam | DanaBot | DLL (dll) | 14d1b1a276cc2ca724d2ad6eeb0d9090c456a3aa11ac80f977911496b3123a91 (this sample)

BLint

The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high

Reviews
ID | Capabilities | Evidence
AUTH_API | Manipulates User Authorization | advapi32.dll::CreateWellKnownSid, advapi32.dll::FreeSid, advapi32.dll::InitializeSecurityDescriptor
COM_BASE_API | Can Download & Execute components | ole32.dll::CoCreateInstance
SECURITY_BASE_API | Uses Security Base API | advapi32.dll::GetTokenInformation, advapi32.dll::SetSecurityDescriptorDacl
WIN32_PROCESS_API | Can Create Process and Threads | advapi32.dll::OpenProcessToken, kernel32.dll::OpenProcess, advapi32.dll::OpenThreadToken, kernel32.dll::WriteProcessMemory, kernel32.dll::CloseHandle, kernel32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | kernel32.dll::LoadLibraryExW, kernel32.dll::LoadLibraryA, kernel32.dll::LoadLibraryW, kernel32.dll::GetVolumeInformationW, kernel32.dll::GetSystemInfo, kernel32.dll::GetStartupInfoW
WIN_BASE_IO_API | Can Create Files | kernel32.dll::CreateDirectoryW, kernel32.dll::CreateFileW, kernel32.dll::DeleteFileW, kernel32.dll::GetFileAttributesW, kernel32.dll::FindFirstFileW, version.dll::GetFileVersionInfoSizeW
WIN_CRYPT_API | Uses Windows Crypt API | advapi32.dll::CryptHashData
WIN_REG_API | Can Manipulate Windows Registry | advapi32.dll::RegOpenKeyExW, advapi32.dll::RegQueryValueExW
WIN_USER_API | Performs GUI Actions | user32.dll::FindWindowA, user32.dll::PeekMessageW, user32.dll::CreateWindowExW

Comments

commented on 2020-04-04 07:34:30 UTC

DanaBot malspam:

HELO: imsa.trendmicro.com
Sending IP: 59.41.8.249
Subject: invoice 00/56/9247
Attachment: invoice_220.xls

DanaBot payload URL:
https://hillsbed.xyz/BAYgODA0NUQ2OEY1RTA2ODg4RDhCQzlEQzRBRUU3QTA5OUI=

DanaBot C2s:
185.181.8.49:443
64.188.19.39:443
185.136.167.142:443
151.106.53.109:443
172.245.247.101:443
64.188.12.140:443