MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f8bbd5b165b49e1cadf31a88eb1d0e714c60f77ae81da2e727dd4ca99e80aec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5f8bbd5b165b49e1cadf31a88eb1d0e714c60f77ae81da2e727dd4ca99e80aec
SHA3-384 hash: ae0d208085a22cff9c6481ccc28c9e21c7ce4e64fa967b9f676611d75a073ffc01acc8d1958e3fcbceaf1d3ac36f1d89
SHA1 hash: 415a7f46d7aecb72d54acbe062754c5bdfdd5bcb
MD5 hash: cb045619ef946635e204ab07993be8bb
humanhash: sweet-mars-kilo-massachusetts
File name:clopzpa.dx
Download: download sample
Signature DanaBot
Create hunting rule
File size:9'854'464 bytes
First seen:2021-03-16 18:06:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 232b3339a4b09d8e6017c840f891b351 (1 x DanaBot)
ssdeep 98304:New4yUmr3R/Kl750JLf0HKs/ZWP/YcwBpAfKKH3o/ibkH7B7WJ8zVRE:NqyUmr3lK150lfcpcwBoXbkHpk2
Threatray 22 similar samples on MalwareBazaar
TLSH 27A60240F34160B9CAAF5A375768158A83BF83503BD6BBF51D9648FAB382466C570ECC
Reporter cbecks2
Tags:DanaBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
330
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
clopzpa.dx
Verdict:
Malicious activity
Analysis date:
2021-03-16 18:10:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/813562fd-1203-40cb-b8bf-b18454334865

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.SpyBot.1031.19995.3962.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Modifying an executable file
Changing a file
Creating a file in the %temp% directory
Sending a custom TCP request
Sending a UDP request
Infecting executable files
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/90f493d6-9116-41e1-bafa-6c4cc72a9f29
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/641138
Signature
Contains functionality to steal Internet Explorer form passwords
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5f8bbd5b165b49e1cadf31a88eb1d0e714c60f77ae81da2e727dd4ca99e80aec/
Threat name:
Win32.Trojan.DanaBot
Create hunting rule
Status:
Malicious
First seen:
2021-03-16 18:07:05 UTC
AV detection:
8 of 47 (17.02%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
03b6c5f9885f4d8ff212b80a077eff93b860b78af58481d3d755220786bf988c
DanaBot
06041291ff32dd5f22f73981c04f3db98fda09380cabd2c619be476890c129d2
DanaBot
0ca4ae47ba216abc633c3e2bd3ba15dedc3ee380cfbf6e3f3f505224cfd31f13
DanaBot
12aa781dbb20df22ed7d20b94a0c30d93ff44a875cee7c028cdccfa3eab9e57d
DanaBot
566fcce372dfea05e764d0efeb924c6e4053483fbd2fb6f9f8991a18ca0e8c6b
DanaBot
57357b402876a772f39631c930062011532774d893b69eb9c66ee3b1d3867b1a
DanaBot
85fc00cd373580ff152c181e4ccf12f9bcd2df6a716a0952cbbf8252d6b33486
DanaBot
9557feef95067f3447bd79cbfbb2910782b44f9a0ca579d2bc7e0877cb72dc48
DanaBot
c86daf6acf8e6431c50a2b8f6d123b42da7c5fa9fce232438873d45079059591
DanaBot
d1dcc421d05a21b77f376313007e84dbdc165f220d710e295b939b04766ad173
DanaBot
+ 12 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot banker discovery spyware stealer trojan
Link:
https://tria.ge/reports/210316-2nsfgscgns/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks installed software on the system
Drops desktop.ini file(s)
Reads user/profile data of web browsers
Blocklisted process makes network request
Danabot
Malware Config
C2 Extraction:
34.76.205.65:443
34.65.94.126:443
34.125.240.24:443
35.244.125.215:443
Unpacked files
SH256 hash:
220415874248ba920128ccacad9429e47dda48a2ad35ee04317af72decd8c18a
MD5 hash:
30dcb5555a71362070f7969ad8bbd8c0
SHA1 hash:
372b1316373549fbcd328d91dfb8b8cdf716fe4b
Link:
https://www.unpac.me/results/51590e1e-347c-4be2-92eb-e0a151accad1/
SH256 hash:
9b762c2f7c249cd6ae08dae84d59764073fc534a46247a025d8d2bb2fd09cae7
MD5 hash:
7237d6de2b48032fe582482f03cf2d1c
SHA1 hash:
12d92e1348a872cb493b7ef72b5c56e3844b9cb9
Link:
https://www.unpac.me/results/51590e1e-347c-4be2-92eb-e0a151accad1/
SH256 hash:
5f8bbd5b165b49e1cadf31a88eb1d0e714c60f77ae81da2e727dd4ca99e80aec
MD5 hash:
cb045619ef946635e204ab07993be8bb
SHA1 hash:
415a7f46d7aecb72d54acbe062754c5bdfdd5bcb
Link:
https://www.unpac.me/results/51590e1e-347c-4be2-92eb-e0a151accad1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5f8bbd5b165b49e1cadf31a88eb1d0e714c60f77ae81da2e727dd4ca99e80aec

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments