MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 346316f470d2abb3e17fcf0f6d837749d0ab9da1a6518fd80649e04ec3c0665d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 16


Intelligence 16 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 346316f470d2abb3e17fcf0f6d837749d0ab9da1a6518fd80649e04ec3c0665d
SHA3-384 hash: 96af2136c3b4038c9b9e2cb283354cefc893c180d82621c7ac5161d9342080c3825def628c570515c6bd4c44c09187cc
SHA1 hash: d625fe25061443c33ca1c92997886986ca17cb0e
MD5 hash: a4069964dd3e03b0099416d883c2556c
humanhash: avocado-missouri-uniform-tango
File name:JZBFCAQN.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:11'614'491 bytes
First seen:2025-01-30 05:58:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b5a014d7eeb4c2042897567e1288a095 (21 x HijackLoader, 14 x ValleyRAT, 12 x LummaStealer)
ssdeep 196608:+pXFf/tAV66U6v7bu6uOooShPmvCTl4T7Gs4w028fXgDsRbg58BkOZX:+pXHAV66z75oPevlTys4w0NfwgRbg58F
Threatray 22 similar samples on MalwareBazaar
TLSH T1A6C6334277C9E4F0E7AC89B6AF29CBCB53FBD3A865812E62C6C02D164CD356221574C7
TrID 38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
24.6% (.EXE) Win64 Executable (generic) (10522/11/4)
11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.7% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
File icon (PE):PE icon
dhash icon c292ecd8f2f6fe1c (15 x HijackLoader, 11 x LummaStealer, 7 x Arechclient2)
Reporter JAMESWT_WT
Tags:89-23-102-187 booking DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
514
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
danabot
Create hunting rule
ID:
1
File name:
http://89.23.102.187/taxhuman.hta.mp4
Verdict:
Malicious activity
Analysis date:
2025-01-29 18:40:02 UTC
Tags:
loader danabot stealer
Link:
https://app.any.run/tasks/0baa943d-1af5-4dd6-b3cc-7a53e85854ef

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=679b163239cd5095f12be571
Tags:
autorun delphi
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Launching cmd.exe command interpreter
Creating a file in the %temp% directory
Connection attempt
Transferring files using the Background Intelligent Transfer Service (BITS)
Enabling the 'hidden' option for recently created files
Launching a process
Sending a custom TCP request
Searching for synchronization primitives
Connecting to a non-recommended domain
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context fingerprint installer microsoft_visual_cc overlay packed packer_detected
Link:
https://www.filescan.io/uploads/679b1527a2886cdc5ac69de5/reports/77225998-f495-4fc7-b3de-2c72fd9588cd/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/346316f470d2abb3e17fcf0f6d837749d0ab9da1a6518fd80649e04ec3c0665d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f6883c61-9cd4-4f03-837a-c73b62c50ea6
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1602750
Signature
Contains functionality to detect sleep reduction / modifications
Drops PE files to the user root directory
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May use the Tor software to hide its network traffic
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1602750 Sample: JZBFCAQN.exe Startdate: 30/01/2025 Architecture: WINDOWS Score: 100 75 Suricata IDS alerts for network traffic 2->75 77 Malicious sample detected (through community Yara rule) 2->77 79 Multi AV Scanner detection for submitted file 2->79 81 3 other signatures 2->81 9 JZBFCAQN.exe 19 2->9         started        13 DriverBooster.exe 3 2->13         started        process3 file4 39 C:\Users\user\vcl120.bpl, PE32 9->39 dropped 41 C:\Users\user\sqlite3.dll, PE32 9->41 dropped 43 C:\Users\user\rtl120.bpl, PE32 9->43 dropped 45 10 other malicious files 9->45 dropped 95 Drops PE files to the user root directory 9->95 15 DriverBooster.exe 18 9->15         started        97 Maps a DLL or memory area into another process 13->97 99 Found direct / indirect Syscall (likely to bypass EDR) 13->99 19 cmd.exe 2 13->19         started        signatures5 process6 file7 49 C:\Users\user\AppData\Roaming\...\vcl120.bpl, PE32 15->49 dropped 51 C:\Users\user\AppData\Roaming\...\sqlite3.dll, PE32 15->51 dropped 53 C:\Users\user\AppData\Roaming\...\rtl120.bpl, PE32 15->53 dropped 57 10 other malicious files 15->57 dropped 67 Switches to a custom stack to bypass stack traces 15->67 69 Found direct / indirect Syscall (likely to bypass EDR) 15->69 21 DriverBooster.exe 3 15->21         started        55 C:\Users\user\AppData\Local\Temp\vvtshp, PE32 19->55 dropped 71 Injects code into the Windows Explorer (explorer.exe) 19->71 73 Writes to foreign memory regions 19->73 24 explorer.exe 4 19->24         started        27 conhost.exe 19->27         started        signatures8 process9 dnsIp10 87 Maps a DLL or memory area into another process 21->87 89 Switches to a custom stack to bypass stack traces 21->89 91 Found direct / indirect Syscall (likely to bypass EDR) 21->91 93 Contains functionality to detect sleep reduction / modifications 21->93 29 cmd.exe 4 21->29         started        65 127.0.0.1 unknown unknown 24->65 signatures11 process12 file13 47 C:\Users\user\AppData\...\vdqgyklsghnaca, PE32 29->47 dropped 101 Injects code into the Windows Explorer (explorer.exe) 29->101 103 May use the Tor software to hide its network traffic 29->103 105 Writes to foreign memory regions 29->105 107 2 other signatures 29->107 33 explorer.exe 4 29->33         started        37 conhost.exe 29->37         started        signatures14 process15 dnsIp16 59 178.253.55.80, 443, 49740, 49988 RESPINA-ASIR Iran (ISLAMIC Republic Of) 33->59 61 89.185.80.116, 443, 49742, 50003 OLIMP-SVYAZ-ASRU Russian Federation 33->61 63 2 other IPs or domains 33->63 83 System process connects to network (likely due to code injection or exploit) 33->83 85 Switches to a custom stack to bypass stack traces 33->85 signatures17
Score:
92%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/346316f470d2abb3e17fcf0f6d837749d0ab9da1a6518fd80649e04ec3c0665d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/346316f470d2abb3e17fcf0f6d837749d0ab9da1a6518fd80649e04ec3c0665d/
Threat name:
Win32.Trojan.Danabot
Create hunting rule
Status:
Malicious
First seen:
2025-01-30 05:58:37 UTC
File Type:
PE (Exe)
Extracted files:
247
AV detection:
17 of 38 (44.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=grrrn5dq2kv3hyl7z4hw3a3xjhikxhnbuziy7wagjhqe5q6amzoq._file
Verdict:
malicious
Label(s):
danabot
Create hunting rule
Similar samples:
066e912a337870ec99eff5c8eaffe49ff3ffe4d20838b892a76bc99d8496656a
DanaBot
255262d443f57a58458117d1186b48f70cf884a2f8fa3e49f9c5d38ae67c4659
DanaBot
2ef2d5e126c0508e5a8d9d4d9fa08d60d4987b4ca401a8d2d62c89a8ef4bcc0f
DanaBot
322a2b32005029ca49715f5d66f87e5a2b446dd5106b0397d3c7b11766f28c8d
DanaBot
346316f470d2abb3e17fcf0f6d837749d0ab9da1a6518fd80649e04ec3c0665d
DanaBot
4e906e880e35e4bc0de7e9375fc0feb5757374ca0bb628dff6366174536d6183
DanaBot
68387cba37fa58eeab0ae343b68b5d135c9025767eae462c73fccf33667ea974
DanaBot
ce8eb3f6ba7773ff7460985a2b7ff7bbaa38d1079bae650d69844281fda267cb
DanaBot
e884a3b3ef639d3ef869f1001f6e5e83c017197c6abb8ddcd917ff0fec2dc089
DanaBot
error
DanaBot
+ 12 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
collection defense_evasion discovery spyware stealer
Link:
https://tria.ge/reports/250130-gpqn5syran/
Behaviour
Checks processor information in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Modifies visibility of file extensions in Explorer
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/66184504-fce2-4e0b-be79-e0492ac3ab5f
Unpacked files
SH256 hash:
68bee500e0080f21c003126e73b6d07804d23ac98b2376a8b76c26297d467abe
MD5 hash:
d4dae7149d6e4dab65ac554e55868e3b
SHA1 hash:
b3bea0a0a1f0a6f251bcf6a730a97acc933f269a
Link:
https://www.unpac.me/results/d9b59fc0-b53e-4792-be1f-2048f8b561bb/
SH256 hash:
a6edb3fb6d21dd461da3767a7995034e208f7d6b08997f6cf7ee7b0ea833a8f0
MD5 hash:
cabb58bb5694f8b8269a73172c85b717
SHA1 hash:
9ed583c56385fed8e5e0757ddb2fdf025f96c807
Link:
https://www.unpac.me/results/d9b59fc0-b53e-4792-be1f-2048f8b561bb/
SH256 hash:
524481849793516180e9c58dcf61ae6c698830c6bf67b50029ccdd2bc400d78d
MD5 hash:
550c85f08cd18944638ad078773f80f4
SHA1 hash:
b72e57ec2f78799ccaf45bb7ba9ef56a370887b6
Link:
https://www.unpac.me/results/d9b59fc0-b53e-4792-be1f-2048f8b561bb/
SH256 hash:
cf113ac9b82ee35124e6f3ba61f772bdcded304fc08657c258476eb71082e12c
MD5 hash:
5f2fd1fa5578e372c5eb9faadd038254
SHA1 hash:
b5d1d3c749e45cfb006ce0e588cc2e7efd01b49d
Link:
https://www.unpac.me/results/d9b59fc0-b53e-4792-be1f-2048f8b561bb/
SH256 hash:
09e278bcb49e04ff8ab068aa97f98edd62c3c9b8be7d03d656f4576a4ae25c38
MD5 hash:
4414002d28b0584e7fe57f820ea265a8
SHA1 hash:
9308452faff1ca90c1ef5518f195272cd433114e
Link:
https://www.unpac.me/results/d9b59fc0-b53e-4792-be1f-2048f8b561bb/
SH256 hash:
8e89d33297accbef0d3fd79f52df3679cc39daa44db7346a4dc810dc5db8fb7d
MD5 hash:
3d9f5e267e41aeefc815d2dfff5890d2
SHA1 hash:
5c312a618a7f9e3b32c9d53ab24eeddde6904de2
Link:
https://www.unpac.me/results/d9b59fc0-b53e-4792-be1f-2048f8b561bb/
SH256 hash:
f8326dfd1dd7ba5a21bb3c3a51e51d69b60bca5f4fb50cb79f68282e0fcee737
MD5 hash:
d1aa09db11802224f21e23393deb52f2
SHA1 hash:
554cfcd02268bdc6b899c4d4ee1b5d36959b0fc9
Link:
https://www.unpac.me/results/d9b59fc0-b53e-4792-be1f-2048f8b561bb/
SH256 hash:
1b138f4697357c7465f0bfc2be6ee818e1bff63ef3d7befc9aa63176c94e9d39
MD5 hash:
9ca6b7de5e4e174984f221a48ce0467a
SHA1 hash:
46a92a0a57e241775dc9a00e8d1f5e1b83409a8c
Link:
https://www.unpac.me/results/d9b59fc0-b53e-4792-be1f-2048f8b561bb/
SH256 hash:
7cc676d23aa669a035fe9a2b35144ca97a1753e3c99ef76c519d5016bc672975
MD5 hash:
753be2d89198c016fe02d922f6d6d808
SHA1 hash:
56d6ca0fb0ebed16de7cda10842317f3cc4ea249
Link:
https://www.unpac.me/results/d9b59fc0-b53e-4792-be1f-2048f8b561bb/
SH256 hash:
deb790753b3296acad3e0695f2a937d1fc8be59a4b9f41c97df2c7bd7a404542
MD5 hash:
e6864140871a2989b9d4a9649a33840c
SHA1 hash:
edae89c2cd8dc23367cb599becacff5bfc7624f3
Link:
https://www.unpac.me/results/d9b59fc0-b53e-4792-be1f-2048f8b561bb/
SH256 hash:
f0fff71c3cc8aca7a48335e0b97279950e5676a50cb2bf903d86487eaa073e0b
MD5 hash:
7d3a1245a56e0ebc9877479d90c1bdce
SHA1 hash:
a18a18dd1fdd8e372ad5bb613b84cd4514f495a9
Link:
https://www.unpac.me/results/d9b59fc0-b53e-4792-be1f-2048f8b561bb/
SH256 hash:
af1536a53015d5b87f051eac1468dc647eaa25376bceb3642478ad4d332d3296
MD5 hash:
3e07c3406b8c02edb8ba3acc191d7bbb
SHA1 hash:
88adee345e3e88e3c1e3ac2eb6456526f6e62211
Link:
https://www.unpac.me/results/d9b59fc0-b53e-4792-be1f-2048f8b561bb/
SH256 hash:
346316f470d2abb3e17fcf0f6d837749d0ab9da1a6518fd80649e04ec3c0665d
MD5 hash:
a4069964dd3e03b0099416d883c2556c
SHA1 hash:
d625fe25061443c33ca1c92997886986ca17cb0e
Link:
https://www.unpac.me/results/d9b59fc0-b53e-4792-be1f-2048f8b561bb/
Malware family:
HijackLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/346316f470d2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe 346316f470d2abb3e17fcf0f6d837749d0ab9da1a6518fd80649e04ec3c0665d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3419817/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CreateStreamOnHGlobal
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::ShellExecuteW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetDiskFreeSpaceExW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::GetSystemDirectoryW
KERNEL32.dll::GetFileAttributesW
KERNEL32.dll::FindFirstFileW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExW

Comments