MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 23229b2ceee2481db7c9e645e849efe08ea77e0a7dff48448d45896f3bd49c0e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 23229b2ceee2481db7c9e645e849efe08ea77e0a7dff48448d45896f3bd49c0e
SHA3-384 hash: 6c341b1436ccfb1a9e8a5414b5a108d684eaf95be31b2ac3089398bd2d90221888a25e52d618cfc3c46b9c0bda6b14ce
SHA1 hash: 6aa333508763a3849eea153fb5c46d1a94928d7c
MD5 hash: 2b856e33459b08fd6b2aa9cec98a2ced
humanhash: violet-kitten-stairway-georgia
File name:2b856e33459b08fd6b2aa9cec98a2ced.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'135'104 bytes
First seen:2022-03-02 19:16:08 UTC
Last seen:2022-03-02 20:52:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0623e16f7ad169cff85e84a96d4a7da6 (2 x Gozi, 1 x DanaBot, 1 x ArkeiStealer)
ssdeep 24576:9zoLjfXZC/CFtUhhHBLKe6DF4ZQZhr5UGDHZOqng0yhB/p3H:9zWfJ7FavHBLKMQf6GD5OqnCR
Threatray 9'667 similar samples on MalwareBazaar
TLSH T11D3523243950D832D43B16B09058F7B1693FBE635E21D54623892AAE5FB53A2BB3D3C1
File icon (PE):PE icon
dhash icon 38b078eccacecc43 (5 x RedLineStealer, 5 x Stop, 4 x Smoke Loader)
Reporter abuse_ch
Tags:DanaBot exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
488
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/246486/
Detection(s):
SecuriteInfo.com.Suspicious.Win32.Save.a.304.11548.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a window
Launching a process
Sending an HTTP GET request
Sending a custom TCP request
Creating a file in the %temp% directory
Сreating synchronization primitives
Unauthorized injection to a system process
Sending a TCP request to an infection source
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/7912/overview
Behaviour
MeasuringTime
SystemUptime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/621fc27ddfdfa8501c78ae25/reports/bdb0b501-9340-4b0e-988b-bf1592c87a22/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e4a9b5cd-4e6e-47fe-bed0-795ad93b338c
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/949438
Signature
Antivirus detection for URL or domain
Machine Learning detection for sample
May use the Tor software to hide its network traffic
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Overwrites code with function prologues
Sigma detected: Suspicious Call by Ordinal
System process connects to network (likely due to code injection or exploit)
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/23229b2ceee2481db7c9e645e849efe08ea77e0a7dff48448d45896f3bd49c0e/
Threat name:
Win32.Trojan.Zenpak
Create hunting rule
Status:
Malicious
First seen:
2022-03-02 19:17:10 UTC
File Type:
PE (Exe)
Extracted files:
15
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
2f43972540a6cae0eb4e50d142860bdc278b44b9b4606747c58e19383efa82f5
DanaBot
532e3e9ec546f0030d3fef0bddc224f868c55bb00d1914cdb7157a3e74f5bd28
DanaBot
5cf233d7267a011a4e21064d530fc1b6e80f995b22cf86b29e773d13a463a628
DanaBot
6e33bb5afea750c9d310218cf18796b7e1754332684bf92806ccba081bcc5a69
DanaBot
7d3b2e91c3cfb16df02f63b973c69a2047b8031295a49e4fffa0fad3dba975f0
DanaBot
a0bc490c4a5263a90e83476958a538d960a94437432c4561008a6c9bb4af2b17
DanaBot
b20753700e6839173e63c607bd2e7da1da85b3d46f7c67b8e4b819814ff898ba
DanaBot
d884436a17d35656ddeae1a06103d0b787d9f22851fedba571293898f6fd3645
DanaBot
+ 9'657 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/220302-xywjrahfdr/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Blocklisted process makes network request
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
84a52ba835dd395b5c521b340926b380d54a08b619f5f5668507ca87c7642d8d
MD5 hash:
80a264a6af013a7db1aeb7b5caf9d171
SHA1 hash:
d175bb39c8717037c1e9e1ce36aa62aa81123314
Link:
https://www.unpac.me/results/1d52ad23-2b98-4c8f-a4c6-d1abfc98fe4f/
SH256 hash:
23229b2ceee2481db7c9e645e849efe08ea77e0a7dff48448d45896f3bd49c0e
MD5 hash:
2b856e33459b08fd6b2aa9cec98a2ced
SHA1 hash:
6aa333508763a3849eea153fb5c46d1a94928d7c
Link:
https://www.unpac.me/results/1d52ad23-2b98-4c8f-a4c6-d1abfc98fe4f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/23229b2ceee2481db7c9e645e849efe08ea77e0a7dff48448d45896f3bd49c0e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 23229b2ceee2481db7c9e645e849efe08ea77e0a7dff48448d45896f3bd49c0e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2069366/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/246486/

Comments