MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6cb8daec9e3e27dbb39e33d3dc55e7100673869754e8c8a158a0e655e1cbcce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b6cb8daec9e3e27dbb39e33d3dc55e7100673869754e8c8a158a0e655e1cbcce
SHA3-384 hash: 0a9381460b5ccb675804e16fc53866b3d1dfd4116b1ba38823a8adbe44908bef64f78079f03a603a6a40bd2626df15de
SHA1 hash: d7115ffe2beed362988eb4ef0ef574426e98244a
MD5 hash: d7256e8d86f5b2a5b63f36886e7d3189
humanhash: venus-minnesota-asparagus-shade
File name:file.exe
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'132'544 bytes
First seen:2020-04-01 07:45:08 UTC
Last seen:2020-04-01 09:23:52 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 21c53671b113bf7c133dbae646e77f19 (1 x DanaBot)
ssdeep 12288:CuuPDnxD+jp/5PPvAYiXm53JzVRt+Y0H7v3K58/3TCMLPT:CuuLnJSpNPvAYiMMY0H7vK58/3Tff
Threatray 346 similar samples on MalwareBazaar
TLSH 8B357D32F585A93EC19F16390933AB54953F7B226D278C5F67F24848CE29881297F24F
Reporter abuse_ch
Tags:DanaBot exe geo POL


Avatar
abuse_ch
Malspam campaign sent through compromised email accounts, hitting internet users in Poland. Final is likely DanaBot.

Example spam email:
HELO: mailserv.iracknet.com
Sending IP: 62.69.66.250
From: TESCO (POLSKA) SP Z O O <nigel@ethernetcommunications.co.uk>
Subject: TESCO - kupon rabatowy NR 87713201
Attachment: Kupon_22.xls

Payload delivery URL:
http://addledsteamb.xyz/BAYgODA0NUQ2OEY1RTA2ODg4RDhCQzlEQzRBRUU3QTA5OUI=

Intelligence

File Origin
# of uploads :
2
# of downloads :
747
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/139/
Detection(s):
PUA.Win.Adware.Graftor-6878643-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Danabot
Create hunting rule
Status:
Malicious
First seen:
2020-04-01 07:49:47 UTC
File Type:
PE (Dll)
AV detection:
27 of 31 (87.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=w3fy3lwj4prh3ozz4m6t3rk6oeagoodjovhizcqvrihgkxq4xtha._file
Verdict:
malicious
Similar samples:
14d1b1a276cc2ca724d2ad6eeb0d9090c456a3aa11ac80f977911496b3123a91
DanaBot
32031ca4487b08af41a597da7d22c05a3d4f676c33119c057f3f4a1431217887
DanaBot
3c6d1adb8c659c6608e4fa44fe880adb352bd9e8491430b4f559604fd412e181
DanaBot
43c6a815f9651182399018a1e6b66d811028dc8c6de05a8c19813a9c2c9c1e2a
DanaBot
4bf2f4dd9ecaa28ecebae186a118cf66f8fce7ee8790351ca7224516ff47010e
DanaBot
5d65fcb03519e2de623db04685570406c586ee4d121c9381910932cf2e1bd344
DanaBot
6a50f0859a43dda14c415aba80c6f80d371e63d010ce61eb1f5ddf2f5738008e
DanaBot
956f601e9a95d749c9508735a7e07a1c0ede99a4b295ff3e520c5726b47c271e
DanaBot
a59a10879e0a2db88c6ea80f31a85962b7e4e89b6e2c4d4cac459b1580422b78
DanaBot
da19555286a99fed6a4a84c0c4b76e793618299f6d4cc2fe31373ddc033d8dcc
DanaBot
+ 336 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DanaBot

Excel file xls 975c1ab8faa66f9fca5bc9d26fe63f52806b13041569cb1a4b52fecb5a314ab8

DanaBot

DLL dll b6cb8daec9e3e27dbb39e33d3dc55e7100673869754e8c8a158a0e655e1cbcce

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/333096/
  
Dropped by
MD5 a8bf81dea84a669362a59ecc57b4130d
  
Dropped by
SHA256 975c1ab8faa66f9fca5bc9d26fe63f52806b13041569cb1a4b52fecb5a314ab8
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/333110/
Cape
Cape
https://www.capesandbox.com/analysis/139/
Cape
Cape
https://www.capesandbox.com/analysis/138/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User Authorizationadvapi32.dll::AllocateAndInitializeSid
advapi32.dll::CreateWellKnownSid
advapi32.dll::GetSidSubAuthority
advapi32.dll::GetSidSubAuthorityCount
advapi32.dll::InitializeAcl
advapi32.dll::InitializeSecurityDescriptor
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIadvapi32.dll::GetTokenInformation
advapi32.dll::SetSecurityDescriptorDacl
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteExW
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::OpenProcess
kernel32.dll::WriteProcessMemory
kernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryExW
kernel32.dll::LoadLibraryA
kernel32.dll::LoadLibraryW
kernel32.dll::GetVolumeInformationW
kernel32.dll::GetSystemInfo
kernel32.dll::GetStartupInfoW
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileW
kernel32.dll::GetSystemDirectoryW
kernel32.dll::GetFileAttributesW
kernel32.dll::FindFirstFileW
version.dll::GetFileVersionInfoSizeW
version.dll::GetFileVersionInfoW
WIN_CRYPT_APIUses Windows Crypt APIadvapi32.dll::CryptHashData
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExW
advapi32.dll::RegQueryValueExW
WIN_USER_APIPerforms GUI Actionsuser32.dll::FindWindowA
user32.dll::PeekMessageW
user32.dll::CreateWindowExW

Comments