MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb8ccdcf17761f1e86d8ebbc1a12b123929c48c5eea4739b7619bd53728d412b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bb8ccdcf17761f1e86d8ebbc1a12b123929c48c5eea4739b7619bd53728d412b
SHA3-384 hash: 9717f50107370d5bc4c6cec3f59901c673b8a97d92dcaf80f22497c289d40c29f4720038e9f6f69565982667523215bd
SHA1 hash: dbbe4d0cddbf148687126090b614ee08da016cd0
MD5 hash: 6ad45fc150005d561f83955a2d4538cb
humanhash: golf-moon-carolina-berlin
File name:sdd.dll
Download: download sample
Signature DanaBot
Create hunting rule
File size:2'959'360 bytes
First seen:2021-10-24 22:47:24 UTC
Last seen:2021-10-25 00:19:07 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 38f063b8252513e444360fa25461c4a5 (1 x DanaBot)
ssdeep 49152:GVx6+py2qII/jg8UdAQD/207yVkutLLdoM+nFU95YeCczK:GSHQddJWJLdoM+FqZz
TLSH T111D57C20337AC812E163533898F7D0D49F98782199B4BCAB30827B5F14DF6D2A65976F
Reporter thepacketrat
Tags:DanaBot dll NPM-hijack

Intelligence

File Origin
# of uploads :
2
# of downloads :
343
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/199698/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37858251.31050.10157.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Enabling the 'hidden' option for analyzed file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7226b67f-6ee1-429e-8bda-20468ef6cc3a
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/875881
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 508313 Sample: sdd.dll Startdate: 25/10/2021 Architecture: WINDOWS Score: 76 23 Found malware configuration 2->23 25 Multi AV Scanner detection for submitted file 2->25 27 Yara detected DanaBot stealer dll 2->27 29 C2 URLs / IPs found in malware configuration 2->29 7 loaddll32.exe 2 2->7         started        process3 process4 9 rundll32.exe 1 7->9         started        13 cmd.exe 1 7->13         started        15 rundll32.exe 1 7->15         started        17 rundll32.exe 1 7->17         started        dnsIp5 21 185.158.250.216, 443, 49743, 49744 M247GB Netherlands 9->21 31 System process connects to network (likely due to code injection or exploit) 9->31 19 rundll32.exe 1 13->19         started        signatures6 process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bb8ccdcf17761f1e86d8ebbc1a12b123929c48c5eea4739b7619bd53728d412b/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-10-24 00:49:08 UTC
AV detection:
7 of 43 (16.28%)
Threat level:
  5/5
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot banker trojan
Link:
https://tria.ge/reports/211024-2q4mlsgcdk/
Behaviour
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Danabot
Danabot Loader Component
Malware Config
C2 Extraction:
185.158.250.216:443
194.76.225.46:443
45.11.180.153:443
194.76.225.61:443
Unpacked files
SH256 hash:
5479d8c53f69f8b872eab4dd8bf88a5b03099ea84b175f4fb9209a75f160b7d1
MD5 hash:
8c5a1dfe94ad3eb56906b0803abbdaf3
SHA1 hash:
8cf7bc601a4ac23832e2ae6e7548f2129dfa06fa
Link:
https://www.unpac.me/results/4016fc54-0ed7-4faa-99ee-f936771cfaa4/
SH256 hash:
bb8ccdcf17761f1e86d8ebbc1a12b123929c48c5eea4739b7619bd53728d412b
MD5 hash:
6ad45fc150005d561f83955a2d4538cb
SHA1 hash:
dbbe4d0cddbf148687126090b614ee08da016cd0
Link:
https://www.unpac.me/results/4016fc54-0ed7-4faa-99ee-f936771cfaa4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bb8ccdcf17761f1e86d8ebbc1a12b123929c48c5eea4739b7619bd53728d412b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

f4c800066e56dd32d20299c451fe6a2b60a3563f7f1915f8ca8db9916d810b5c

DanaBot

DLL dll bb8ccdcf17761f1e86d8ebbc1a12b123929c48c5eea4739b7619bd53728d412b

(this sample)

  
Dropped by
SHA256 f4c800066e56dd32d20299c451fe6a2b60a3563f7f1915f8ca8db9916d810b5c
  
Delivery method
Other
  
URLhaus
https://urlhaus.abuse.ch/url/1707747/
Cape
Cape
https://www.capesandbox.com/analysis/199698/

Comments