MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 683b04f3c9da73d16abbe0fa72b538b5285bf33638d8ec2d426cf83c5844bbf1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	683b04f3c9da73d16abbe0fa72b538b5285bf33638d8ec2d426cf83c5844bbf1
SHA3-384 hash:	0b5c8cdfd26fc42b8c6bcb2d7b171fef7a0657cfe3f756e6efc59e66d7c5ef222ca0b9bafc9bbba79333b364d0e99de1
SHA1 hash:	82ddf58c9184dd10c4e068c9250d7af9cb725eee
MD5 hash:	b5f9d7dc3444c9165feef9166392f4b9
humanhash:	beryllium-maine-nebraska-romeo
File name:	b5f9d7dc3444c9165feef9166392f4b9.dll
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	1'945'600 bytes
First seen:	2021-11-01 09:40:09 UTC
Last seen:	2021-11-01 11:54:34 UTC
File type:	dll
MIME type:	application/x-dosexec
imphash	0eed472e0e16a8d1ff83332f82b53ef4 (1 x DanaBot)
ssdeep	49152:8QU1aLhQhG5NUAgoOa8nBc0SmmdWwMLwktw4Bse9qfn8+nFFQCxEsJwKQi:8faNQh+NUABO/c0Y9AdB9qf8+gqJW
Threatray	7'015 similar samples on MalwareBazaar
TLSH	T152958C51B602E726D6A86CB8FC00C5EF14F0BD49FE44D267F6C17F9FA932241A82519B
Reporter	abuse_ch
Tags:	DanaBot dll

Intelligence

File Origin

# of uploads :

# of downloads :

383

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.PWS.Panda.13752.27605.76.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/617ff9f39a5a1e91c5d9f928/reports/965f4ce6-56c5-4e19-adad-8ac44f0557a6/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/286e13ff-4453-4b38-8154-0dae84af99f6

Result

Threat name:

DanaBot

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/880365

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected DanaBot stealer dll

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/683b04f3c9da73d16abbe0fa72b538b5285bf33638d8ec2d426cf83c5844bbf1/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2021-11-01 09:41:08 UTC

AV detection:

12 of 45 (26.67%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=na5qj46j3jz5c2v34d5hfnjywuufx4zwhdmoylkcnt4dywcexpyq._file

Verdict:

malicious

Label(s):

gozi

DanaBot

2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd

DanaBot

6ec0f7e1622dd705aa4017fb1a916eb0d2ae3e6dd5fe5b58d4ac5e4c2489a0c1

DanaBot

84152e97051619068fcd8e0e59428e636fa1c69a3266a1fadbf6e69d919dbd8c

DanaBot

910a3ea5bf49de9ba90a34c36825736573c3ab5bff42b4c74acd0d01944a0749

DanaBot

a5437c7d1711d9ef40881b429e3b308c5e3d6b94da15aa1b20f5c64ecbe49848

DanaBot

a5a58e9c4804f19ff134799163899559a71ee942c9a77aeefa5983223f6fe34e

DanaBot

ba58e003883e6ef7e4e1b5289fc201a8e5eaeec85fe2f3809e68aad8439066ae

DanaBot

df8084af9861ef3e67f7402ff047cb2cd9d21ed270caad41a6aa2888024e1488

DanaBot

+ 7'005 additional samples on MalwareBazaar

Result

Malware family:

danabot

Score:

10/10

Tags:

family:danabot banker trojan

Link:

https://tria.ge/reports/211101-lnr8sshdf2/

Behaviour

Suspicious use of WriteProcessMemory

Blocklisted process makes network request

Danabot

Danabot Loader Component

Malware Config

C2 Extraction:

185.117.90.36:443
193.42.36.59:443
193.56.146.53:443
185.106.123.228:443

Unpacked files

SH256 hash:

dcbab3cbe9dfe33759b29d1d5dabd10dd798a15381f7ecf2a2409770e2c2c1b8

MD5 hash:

fb556d13b5ffd46fa039da5510559277

SHA1 hash:

37bbed8961297a51b9e61c547bf97120aadadf59

Link:

https://www.unpac.me/results/4b553e6b-1c0d-41b8-b7a5-f5601c971401/

SH256 hash:

683b04f3c9da73d16abbe0fa72b538b5285bf33638d8ec2d426cf83c5844bbf1

MD5 hash:

b5f9d7dc3444c9165feef9166392f4b9

SHA1 hash:

82ddf58c9184dd10c4e068c9250d7af9cb725eee

Link:

https://www.unpac.me/results/4b553e6b-1c0d-41b8-b7a5-f5601c971401/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/683b04f3c9da73d16abbe0fa72b538b5285bf33638d8ec2d426cf83c5844bbf1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

DLL dll 683b04f3c9da73d16abbe0fa72b538b5285bf33638d8ec2d426cf83c5844bbf1

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1707747/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample