MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5fcb32e1f7ed6c0419b687398b2856cb1f5f7040c3eb7585d986119a6c85472e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5fcb32e1f7ed6c0419b687398b2856cb1f5f7040c3eb7585d986119a6c85472e
SHA3-384 hash: 3303afd55dcbe51b34aa2ebfbdab81e1f1d8d251c49316e245da1a9d7ccd2b598dedbfb8793626cdbebc4887aaaed079
SHA1 hash: 0363e38b238ccf5b6dcf377d1e6cc1ecacf64a1e
MD5 hash: 8f49468c1028a77bb5a5272ecd3f212d
humanhash: double-dakota-oscar-glucose
File name:Completed Interior Design.pdf.lnk
Download: download sample
Signature DanaBot
Create hunting rule
File size:2'164 bytes
First seen:2026-03-14 18:34:55 UTC
Last seen:Never
File type:Shortcut (lnk) lnk
MIME type:application/x-ms-shortcut
ssdeep 12:8UlDmIftmlvlwiGQmqY42mZU+XiGbVlDmo0qjaplDmIfc99ZTlDmo0q:8U4Ilm3xVpU+yQ4o08ap4I0tT4o0
Threatray 2'900 similar samples on MalwareBazaar
TLSH T1F141BC2473E94310D331ED3B6878C60691BA3416ED33CB5D4BA1D58E246A604FE3AF2B
Magika lnk
Reporter abuse_ch
Tags:DanaBot lnk

Intelligence

File Origin
# of uploads :
1
# of downloads :
62
Origin country :
SE SE
Vendor Threat Intelligence
Malware configuration found for:
LNK
Details
LNK
a command line and any observed urls
Link:
https://research.acce.ciphertechsolutions.com/results/a4a7d7d7-ae33-4a05-9e26-66bbbf3637ee/
Detection(s):
Sanesecurity.Malware.30768.LnkHeur.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.HTTPDottedQuadPolicykill.20220908.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.SilverChairs4SilverBacks.20221114.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69b5aa7a88c80c01586a2394
Tags:
n/a
Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Link:
https://app.docguard.net/5fcb32e1f7ed6c0419b687398b2856cb1f5f7040c3eb7585d986119a6c85472e/results/dashboard
Payload URLs
URL
File name
http://213.165.47.137:8080/payload
LNK File
Behaviour
BlacklistAPI detected
Gathering data
Verdict:
Malicious
Labled as:
CMD:BZC.YAX.Pantera.160.40F143E9;CMD:BZC.YAX.Pantera.160
Link:
https://www.hybrid-analysis.com/sample/5fcb32e1f7ed6c0419b687398b2856cb1f5f7040c3eb7585d986119a6c85472e
Verdict:
Malicious
File Type:
lnk
Detections:
HEUR:Trojan.Win32.Agentb.gen HEUR:Trojan.Multi.Miner.gen NetTool.cURLGet.HTTP.C&C
Link:
https://opentip.kaspersky.com/5fcb32e1f7ed6c0419b687398b2856cb1f5f7040c3eb7585d986119a6c85472e/results?tab=lookup
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1883819
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
May use the Tor software to hide its network traffic
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Unusual module load detection (module proxying)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses known network protocols on non-standard ports
Windows shortcut file (LNK) contains suspicious command line arguments
Windows shortcut file (LNK) starts blacklisted processes
Writes to foreign memory regions
Yara detected DanaBot
Behaviour
Behavior Graph:
Download SVG
Verdict:
Malware
YARA:
2 match(es)
Tags:
Execution: CMD in LNK LNK LOLBin LOLBin:conhost.exe Malicious T1059.003 T1202: Indirect Command Execution T1204.002
Link:
https://app.malva.re/file/8f49468c1028a77bb5a5272ecd3f212d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5fcb32e1f7ed6c0419b687398b2856cb1f5f7040c3eb7585d986119a6c85472e/
Verdict:
Malicious
Threat:
NetTool.cURLGet.HTTP
Link:
https://tip.neiki.dev/file/5fcb32e1f7ed6c0419b687398b2856cb1f5f7040c3eb7585d986119a6c85472e
Threat name:
Win32.Trojan.Pantera
Create hunting rule
Status:
Malicious
First seen:
2026-03-14 14:18:42 UTC
File Type:
Binary
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l7ftfypx5vwaignwq44ywkcwzmpv64caypvxlbozqyizu3efi4xa._file
Verdict:
malicious
Label(s):
danabot
Create hunting rule
Similar samples:
1ad3c75b844b2ce6f20beb1c324eec749d2783364a685a0db64638ee10279b59
DanaBot
3d2c2b0e37ad53eefda6f48d1eb87516e013501f6fd1492bb11ac5aea25793ac
DanaBot
40d4cd5109435eaf242aa03a2c34efa87c06c9450b3d90b6f8ef7dcb161fb864
DanaBot
5f8d7e2784e81a45eb4ce0f788110c4e0d84c6224a1041ae7390fd3ba8ff1883
DanaBot
75aa04510c1947545f192b7838d1ffa868592dbc8ec2739283853a356f6b962b
DanaBot
aa4b643b0cf8f91532272dc7a1c2426f0da0aceeaa653831ad0daf55df2e6eef
DanaBot
c75ebab7bc1babe41757a8aa104fb4d53adc6590a7de158fd5ae723ceb8cdb2f
DanaBot
e42facfa650f7b6fb31f2cc187f623993d316701e3d20188d9eb260c2f14511b
DanaBot
error
DanaBot
+ 2'890 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/260314-w8kpkadx3m/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Downloads MZ/PE file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.10
Link:
https://yomi.yoroi.company/submissions/5fcb32e1f7ed6c0419b687398b2856cb1f5f7040c3eb7585d986119a6c85472e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Download_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies download artefacts in shortcut (LNK) files.
Rule name:Execution_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies execution artefacts in shortcut (LNK) files.
Rule name:SUSP_LNK_CMD
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference to cmd.exe inside an lnk file, which is suspicious

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Shortcut (lnk) lnk 5fcb32e1f7ed6c0419b687398b2856cb1f5f7040c3eb7585d986119a6c85472e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3795830/
  
Delivery method
Distributed via web download

Comments


Avatar
commented on 2026-03-14 19:30:15 UTC

Payload URL:
http://213.165.45.163/dropper