MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 343b785bdc3ee599f7962a90b02c3638c470e486fe43fff73c0ee5fbb8eb0a50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	343b785bdc3ee599f7962a90b02c3638c470e486fe43fff73c0ee5fbb8eb0a50
SHA3-384 hash:	2df6d416183e1507bfd182440d3d73fd3bbf1326412a2c7645e44df38df0f5616d7bbf4ae6c00690865a67d276ea05bb
SHA1 hash:	bb0a12206cf6e7116db9b01d124276a85be3857c
MD5 hash:	87e79942a22a5f5c1537c7570f9ad043
humanhash:	potato-floor-india-charlie
File name:	87e79942a22a5f5c1537c7570f9ad043.exe
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	1'155'072 bytes
First seen:	2022-03-07 08:39:47 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ecf40f4beb06b67c316495692fd0889e (2 x DanaBot, 1 x Smoke Loader)
ssdeep	24576:Y9A/syR6dItoxzz4HGsF87cizDBtC48XMMLp6vciJOgpBx8w:YoUdrz4Hv67ltC4QLk0Ghpn
Threatray	9'871 similar samples on MalwareBazaar
TLSH	T118351210EB91C035F4B717F89A66926EB53E7DE0976065CF13C16AEA46382E1EC3170B
File icon (PE):
dhash icon	2dac1378399b9b91 (35 x Smoke Loader, 34 x RedLineStealer, 18 x Amadey)
Reporter	abuse_ch
Tags:	DanaBot exe

Intelligence

File Origin

# of uploads :

# of downloads :

535

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

i864x__setup__621e87182cb9a.exe

Verdict:

Malicious activity

Analysis date:

2022-03-06 20:20:25 UTC

Tags:

trojan rat redline evasion phishing opendir loader stealer

Link:

https://app.any.run/tasks/0d7aba28-f909-4680-ae2a-e0c69f256ed9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/247792/

Detection(s):

Win.Dropper.Generickdz-9939781-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Creating a window

Launching a process

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %temp% directory

Сreating synchronization primitives

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/8443/overview

Behaviour

MalwareBazaar

MeasuringTime

CPUID_Instruction

SystemUptime

EvasionGetTickCount

CheckCmdLine

EvasionQueryPerformanceCounter

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

DanaBot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/554c990c-dff3-4247-b501-3904e2e997ad

Result

Threat name:

DanaBot

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/951628

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected DanaBot stealer dll

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/343b785bdc3ee599f7962a90b02c3638c470e486fe43fff73c0ee5fbb8eb0a50/

Threat name:

Win32.Trojan.DanaBot

Status:

Malicious

First seen:

2022-03-07 05:40:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 42 (59.52%)

Threat level:

5/5

Verdict:

malicious

DanaBot

3b9cd0cbd0216c7880e6edbf90c8c98d0800f7a562c3a845559b3375dfa09f8f

DanaBot

532e3e9ec546f0030d3fef0bddc224f868c55bb00d1914cdb7157a3e74f5bd28

DanaBot

5cf233d7267a011a4e21064d530fc1b6e80f995b22cf86b29e773d13a463a628

DanaBot

6e33bb5afea750c9d310218cf18796b7e1754332684bf92806ccba081bcc5a69

DanaBot

a0bc490c4a5263a90e83476958a538d960a94437432c4561008a6c9bb4af2b17

DanaBot

d884436a17d35656ddeae1a06103d0b787d9f22851fedba571293898f6fd3645

DanaBot

+ 9'861 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/220307-kkww5scbf5/

Behaviour

Checks processor information in registry

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Blocklisted process makes network request

Unpacked files

SH256 hash:

62c7d732a6405c14d79839ce9406b791a5231bdd39489b40a5443304a2cdf27c

MD5 hash:

a67a3f8cc44403cf79474b577e5bc171

SHA1 hash:

3e1b2d6b66c7359a579250ff3747bf2673d87001

Link:

https://www.unpac.me/results/60be5beb-f141-479e-bdfc-84d0e5b807e1/

SH256 hash:

343b785bdc3ee599f7962a90b02c3638c470e486fe43fff73c0ee5fbb8eb0a50

MD5 hash:

87e79942a22a5f5c1537c7570f9ad043

SHA1 hash:

bb0a12206cf6e7116db9b01d124276a85be3857c

Link:

https://www.unpac.me/results/60be5beb-f141-479e-bdfc-84d0e5b807e1/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/343b785bdc3ee599f7962a90b02c3638c470e486fe43fff73c0ee5fbb8eb0a50

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/247792/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample