MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb2e7b341aa7b7c75e148ca1b4eff2997626655e1d06329598d5a2c3be91f18a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bb2e7b341aa7b7c75e148ca1b4eff2997626655e1d06329598d5a2c3be91f18a
SHA3-384 hash: 8bfdfde30880897d0b8b5b6fd624f06236956e3596f245ca96ceb2574e9eb599ca2688a412496924a7b1c6db52e1bebe
SHA1 hash: d7f2810c65c58847696f0c18e5fb304a7f106f8d
MD5 hash: e89bd687b7a33144bcbec0c467783439
humanhash: blossom-grey-sweet-leopard
File name:e89bd687b7a33144bcbec0c467783439.dll
Download: download sample
Signature DanaBot
Create hunting rule
File size:2'588'672 bytes
First seen:2021-10-29 08:08:05 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash c333dd14729fed1bd2b9dd15a112d68d (1 x DanaBot)
ssdeep 49152:qgZziYT3//Yjt2Z/fZMdzUAOC5n+LlrxFTGWcKq:q0ziYToB2Z/f6AAOGarxFTGjv
Threatray 6 similar samples on MalwareBazaar
TLSH T192C54C2033B69812F273133598F3D0E09ED8BD6299B4AD4B70C23B5F049F6D29A5975E
Reporter abuse_ch
Tags:DanaBot dll

Intelligence

File Origin
# of uploads :
1
# of downloads :
299
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/818dc639-de9e-4d61-9795-4238a459e8a6
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/879150
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 511581 Sample: fGFzuI6WqT.dll Startdate: 29/10/2021 Architecture: WINDOWS Score: 76 23 Found malware configuration 2->23 25 Multi AV Scanner detection for submitted file 2->25 27 Yara detected DanaBot stealer dll 2->27 29 C2 URLs / IPs found in malware configuration 2->29 7 loaddll32.exe 2 2->7         started        process3 process4 9 rundll32.exe 1 7->9         started        12 rundll32.exe 1 7->12         started        15 cmd.exe 1 7->15         started        17 rundll32.exe 1 7->17         started        dnsIp5 31 System process connects to network (likely due to code injection or exploit) 9->31 21 185.158.250.216, 443, 49747, 49748 M247GB Netherlands 12->21 19 rundll32.exe 1 15->19         started        signatures6 process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bb2e7b341aa7b7c75e148ca1b4eff2997626655e1d06329598d5a2c3be91f18a/
Threat name:
Win32.Trojan.DanaBot
Create hunting rule
Status:
Malicious
First seen:
2021-10-29 08:09:05 UTC
AV detection:
19 of 45 (42.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xmxhwna2u634oxqursq3j37stf3cmzk6duddffmy2wrmhpur6gfa._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
2203d02a6aa593c823a8ad01a2b9fe25bd224832d04af253c7c1d0412d591756
DanaBot
2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd
DanaBot
5ca2a5d2ec7cee822027375ef676891f3501dad244c504807b9daa6d87cf0ac1
DanaBot
6901d27fd099c6211ec944208df34dc1b75cfffb994bc84e9eeadb9b7c183166
DanaBot
c7518bcebe1116c9972db08a2fe2461351e21cb65e7659cd806324364bfea2df
DanaBot
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot banker trojan
Link:
https://tria.ge/reports/211029-j1l67shfdn/
Behaviour
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Danabot
Danabot Loader Component
Malware Config
C2 Extraction:
185.158.250.216:443
194.76.225.46:443
45.11.180.153:443
194.76.225.61:443
Unpacked files
SH256 hash:
f6a668a4523a479153157fb8ff50bded1cf64669679cc6437f3e8b6e7e508f94
MD5 hash:
7bde92fcb01bb27335c482729d6b8e7d
SHA1 hash:
6b626eb3e30cde93e09775f2c495b52998d8d441
Link:
https://www.unpac.me/results/b5611e01-ac72-460a-8bc2-d38b1384a6a0/
SH256 hash:
bb2e7b341aa7b7c75e148ca1b4eff2997626655e1d06329598d5a2c3be91f18a
MD5 hash:
e89bd687b7a33144bcbec0c467783439
SHA1 hash:
d7f2810c65c58847696f0c18e5fb304a7f106f8d
Link:
https://www.unpac.me/results/b5611e01-ac72-460a-8bc2-d38b1384a6a0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bb2e7b341aa7b7c75e148ca1b4eff2997626655e1d06329598d5a2c3be91f18a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

DLL dll bb2e7b341aa7b7c75e148ca1b4eff2997626655e1d06329598d5a2c3be91f18a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1707747/
  
Delivery method
Distributed via web download

Comments