MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8004d45da037b7cf301d00832b731acc7e7290a70aa858f81eade63166323519. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 13

Intelligence 13 IOCs YARA 5 File information Comments

SHA256 hash:	8004d45da037b7cf301d00832b731acc7e7290a70aa858f81eade63166323519
SHA3-384 hash:	58752e28c0832bf68f3a942b2c4798eb5f68eb96649718c362bb5ba10ccc26eaf8c209a16c4ce37b4dcc72ea6c28365e
SHA1 hash:	eca71755e08f94245fd9668b20e04e73c0681ec8
MD5 hash:	e1021216d0073c76d245fb0cbb27b63f
humanhash:	twelve-cardinal-echo-burger
File name:	eca71755e08f94245fd9668b20e04e73c0681ec8.dll
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	1'945'600 bytes
First seen:	2024-11-19 11:54:35 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	00ef0d3173550e4622ce49f776f5c086 (1 x DanaBot)
ssdeep	49152:YQU1aLhQhG5NUAgoOa8nBc0SmmdWwMLwktw4BAelqfn8+nFFQCxEsJwKQe:YfaNQh+NUABO/c0Y9Adxlqf8+gqJW
TLSH	T141958C51B602E726D6A86CB8FC00C5EF14F0BD49FE44D267F6C17F9FA932241A82519B
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	NDA0E
Tags:	DanaBot dll

Intelligence

File Origin

# of uploads :

# of downloads :

394

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Malware.PDB-821.UNOFFICIAL

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=673c7dc280d21948b032f123

Tags:

danabot virus gates zusy

Result

Verdict:

Malware

Maliciousness:

Behaviour

Connection attempt

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

fingerprint microsoft_visual_cc

Link:

https://www.filescan.io/uploads/673c7cb7c29f5b493617b304/reports/b33ee656-4282-4ee4-aefa-c49330b04689/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/8004d45da037b7cf301d00832b731acc7e7290a70aa858f81eade63166323519

Malware family:

DanaBot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7e050895-efb8-4dfa-8957-2a661350ad71

Result

Threat name:

DanaBot

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1558400

Signature

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected DanaBot stealer dll

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/8004d45da037b7cf301d00832b731acc7e7290a70aa858f81eade63166323519

Detection:

danabot

Link:

https://mwdb.cert.pl/sample/8004d45da037b7cf301d00832b731acc7e7290a70aa858f81eade63166323519/

Threat name:

Win32.Trojan.Danabot

Status:

Malicious

First seen:

2024-11-19 06:03:52 UTC

File Type:

PE (Dll)

AV detection:

30 of 38 (78.95%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qacnixnag6346ma5acbsw4y2zr7hfefhbkufr6a6vxtdczrsgumq._file

Result

Malware family:

danabot

Score:

10/10

Tags:

family:danabot botnet:40 banker discovery trojan

Link:

https://tria.ge/reports/241119-n3hc9azrfq/

Behaviour

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Blocklisted process makes network request

Danabot

Danabot Loader Component

Danabot family

Malware Config

C2 Extraction:

185.117.90.36:443
193.42.36.59:443
193.56.146.53:443
185.106.123.228:443

Unpacked files

SH256 hash:

7219230188e0b6f9cec4fcf381dcf3ca5de64cd147474d0957a5e193aa3ac7c1

MD5 hash:

eea56a7af97cfcad33ba2b7a518b018e

SHA1 hash:

b6bbdb4e2ad54bd4cb45a5c9566e1db4f5ca82fb

Link:

https://www.unpac.me/results/3a841137-666d-40f9-8317-1c67c12dcce9/

SH256 hash:

8004d45da037b7cf301d00832b731acc7e7290a70aa858f81eade63166323519

MD5 hash:

e1021216d0073c76d245fb0cbb27b63f

SHA1 hash:

eca71755e08f94245fd9668b20e04e73c0681ec8

Link:

https://www.unpac.me/results/3a841137-666d-40f9-8317-1c67c12dcce9/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8004d45da037b7cf301d00832b731acc7e7290a70aa858f81eade63166323519

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::OpenProcess KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetStartupInfoA KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::WriteConsoleA KERNEL32.dll::SetConsoleCtrlHandler KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleOutputCP KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileW KERNEL32.dll::CreateFileA KERNEL32.dll::GetWindowsDirectoryW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample