MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 68027593e9c91fe4f0e1412ed861dcd1d70b4bf1e101d907fd32d58fa95d3c04. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 68027593e9c91fe4f0e1412ed861dcd1d70b4bf1e101d907fd32d58fa95d3c04
SHA3-384 hash: 0bb7576b249afcbbf8089084f658d046ae12548fed86bb5661a59917460253eb454d50c46e2f8cf92260628bc21b7f7b
SHA1 hash: 5d1085a73bcb42afbe71c298ad0d2b0b304d5b2b
MD5 hash: a114d7b1a54be867c02afced9031fb36
humanhash: grey-skylark-hamper-happy
File name:C88E21014F321E99295005388B9016DB.bin
Download: download sample
Signature DanaBot
Create hunting rule
File size:2'758'656 bytes
First seen:2022-07-09 07:48:16 UTC
Last seen:2022-07-09 08:36:22 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 5f321aaacad9afe5510772acbff4aeb3 (2 x DanaBot)
ssdeep 49152:l5vLI8F+ztRvORUSu4FBItdKwEVK9uZKdDolClffiNg7T12sIN:fLx+zj2RUSjUtdXEM9uZKdDolClffiNZ
Threatray 146 similar samples on MalwareBazaar
TLSH T157D51A239354B12FC06E163A952E665F447D6330DA209C7BF7914E4CFAB9BC0972AB07
TrID 55.9% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
14.1% (.EXE) Win64 Executable (generic) (10523/12/4)
8.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.0% (.EXE) Win32 Executable (generic) (4505/5/1)
4.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
Reporter abuse_ch
Tags:DanaBot dll


Avatar
abuse_ch
Dropped by:
https://aquaprodive.com/images/main/index.php

DanaBot C2s:
58.50.42.34:13886
26.18.10.2:5662
60.52.44.36:14400

Intelligence

File Origin
# of uploads :
2
# of downloads :
555
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/285780/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.21121.26830.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Creating a window
Sending a custom TCP request
Creating a file in the %temp% directory
Changing a file
Сreating synchronization primitives
Searching for synchronization primitives
Reading critical registry keys
Using the Windows Management Instrumentation requests
Searching for the window
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
advpack.dll anti-vm atbroker.exe bitsadmin.exe certreq.exe certutil.exe cmdl32.exe csc.exe datasvcutil.exe dfshim.dll dllhost.exe esentutl.exe evasive expand.exe extrac32.exe findstr.exe fingerprint forfiles.exe installutil.exe msconfig.exe mshta.exe pcalua.exe printbrm.exe rasautou.exe regini.exe regsvcs.exe sc.exe shdocvw.dll stealer wmic.exe
Link:
https://www.filescan.io/uploads/62c9332c783441cda11b02c6/reports/f7a44886-9b4d-46b3-8e76-fd81ef9002e6/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c25cc59b-0215-40cf-8309-987b4a34ca22
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1027698
Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 660193 Sample: C88E21014F321E99295005388B9... Startdate: 09/07/2022 Architecture: WINDOWS Score: 60 31 Antivirus / Scanner detection for submitted sample 2->31 33 Multi AV Scanner detection for submitted file 2->33 35 Machine Learning detection for sample 2->35 8 loaddll32.exe 1 2->8         started        process3 process4 10 rundll32.exe 8->10         started        12 cmd.exe 1 8->12         started        14 rundll32.exe 8->14         started        16 rundll32.exe 8->16         started        process5 18 WerFault.exe 2 9 10->18         started        21 rundll32.exe 12->21         started        23 WerFault.exe 2 9 14->23         started        25 WerFault.exe 6 9 16->25         started        dnsIp6 29 192.168.2.1 unknown unknown 18->29 27 WerFault.exe 17 9 21->27         started        process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/68027593e9c91fe4f0e1412ed861dcd1d70b4bf1e101d907fd32d58fa95d3c04/
Threat name:
Win32.Trojan.DanaBot
Create hunting rule
Status:
Malicious
First seen:
2022-07-09 07:49:12 UTC
File Type:
PE (Dll)
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nabhle7jzep6j4hbiexnqyo42hlqws7r4ea5sb75glky7kk5hqca._file
Verdict:
malicious
Similar samples:
011cf163f408740dc9c5dc6b14f8e869c90221ba032365786f1fd17e3f17addb
DanaBot
039d264f6276dcbde5ddcc40808ccc215a914cbd0bbcc67e317d9cb92d7b9020
DanaBot
131bc80decadc83b3eabb56fb0f69a715d12bd72a6ef321d0c6ac61db244d62f
DanaBot
b0de3b3eb79e5291dcd933e0e8231c90208e2e11e894500fb7df6487ba259ba9
DanaBot
b20753700e6839173e63c607bd2e7da1da85b3d46f7c67b8e4b819814ff898ba
DanaBot
ef78a7edac0d62cfb157cb652cad5282b020484fdb580ccb09a0ab321296f136
DanaBot
fc462d664059f589615426aaed5f9ec02eba957c4a6538b5fe22a5648a5b2f2e
DanaBot
+ 136 additional samples on MalwareBazaar
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot banker collection discovery spyware stealer trojan
Link:
https://tria.ge/reports/220709-jnnt9sfee9/
Behaviour
Checks processor information in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Checks installed software on the system
Reads user/profile data of web browsers
Blocklisted process makes network request
Danabot
Malware Config
C2 Extraction:
100.0.0.0:5148
58.50.42.34:13886
26.18.10.2:5662
60.52.44.36:14400
Unpacked files
SH256 hash:
68027593e9c91fe4f0e1412ed861dcd1d70b4bf1e101d907fd32d58fa95d3c04
MD5 hash:
a114d7b1a54be867c02afced9031fb36
SHA1 hash:
5d1085a73bcb42afbe71c298ad0d2b0b304d5b2b
Link:
https://www.unpac.me/results/f64a4e3c-7302-440f-9e7d-1d1cf03700d0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/68027593e9c91fe4f0e1412ed861dcd1d70b4bf1e101d907fd32d58fa95d3c04

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:win_danabot
Create hunting rule
Author:Johannes Bader
Description:detects DanaBot
Rule name:win_danabot_cdf38827
Create hunting rule
Author:Johannes Bader
Description:detects DanaBot

File information

The table below shows additional information about this malware sample such as delivery method and external references.

DanaBot

Visual Basic Script (vbs) vbs 039d264f6276dcbde5ddcc40808ccc215a914cbd0bbcc67e317d9cb92d7b9020

DanaBot

DLL dll 68027593e9c91fe4f0e1412ed861dcd1d70b4bf1e101d907fd32d58fa95d3c04

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2255638/
  
Dropped by
MD5 6ebff0e37948aa39e62905c59795ab31
  
Dropped by
SHA256 039d264f6276dcbde5ddcc40808ccc215a914cbd0bbcc67e317d9cb92d7b9020
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/285780/

Comments