MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d5faba20007266314cf176b9e49ccbc35c3fd2b0982fcd73f7b5794539b42e89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	d5faba20007266314cf176b9e49ccbc35c3fd2b0982fcd73f7b5794539b42e89
SHA3-384 hash:	7ac3331c55f8fbf0e0330fb79cd019d5897cfa61bc16747aed1202b66378a55abc8e5accf37de28fa883d50abd3cc0c4
SHA1 hash:	099629a545b4c01401f779e3d0e1a5ed452ddaac
MD5 hash:	2470b220c0efaa397d6aeea18abdb0bb
humanhash:	mockingbird-alanine-arizona-glucose
File name:	2470b220c0efaa397d6aeea18abdb0bb.exe
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	1'170'432 bytes
First seen:	2022-03-05 18:21:27 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fb47a0c49571b404f0af055a9f8d98c4 (1 x Smoke Loader, 1 x DanaBot)
ssdeep	24576:R8PaxNrmX7xzc+60sQ0FORcA5+JcxH8veLj80eDY:Ry77RV1/RcbJkI4jbE
Threatray	9'847 similar samples on MalwareBazaar
TLSH	T169450200B6A0D039F0B746F8797AC3ADB12D7EA15B3058CF62D93ADA16342E5DD7121B
File icon (PE):
dhash icon	2dec1378399b9b91 (25 x Smoke Loader, 22 x RedLineStealer, 7 x RaccoonStealer)
Reporter	abuse_ch
Tags:	DanaBot exe

Intelligence

File Origin

# of uploads :

# of downloads :

567

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/247564/

Detection(s):

Win.Dropper.Generickdz-9939781-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Creating a window

Launching a process

Sending an HTTP GET request

Sending a custom TCP request

DNS request

Creating a file in the %temp% directory

Сreating synchronization primitives

Unauthorized injection to a system process

Sending a TCP request to an infection source

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/8307/overview

Behaviour

MalwareBazaar

MeasuringTime

CPUID_Instruction

SystemUptime

CheckCmdLine

EvasionQueryPerformanceCounter

EvasionGetTickCount

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

DanaBot

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6af7cae6-58fa-48df-b4a2-cfd7bbf3e424

Result

Threat name:

DanaBot

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/951238

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected DanaBot stealer dll

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d5faba20007266314cf176b9e49ccbc35c3fd2b0982fcd73f7b5794539b42e89/

Threat name:

Win32.Trojan.DllCheck

Status:

Malicious

First seen:

2022-03-05 09:48:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 27 (81.48%)

Threat level:

5/5

Verdict:

malicious

DanaBot

2f43972540a6cae0eb4e50d142860bdc278b44b9b4606747c58e19383efa82f5

DanaBot

3b9cd0cbd0216c7880e6edbf90c8c98d0800f7a562c3a845559b3375dfa09f8f

DanaBot

532e3e9ec546f0030d3fef0bddc224f868c55bb00d1914cdb7157a3e74f5bd28

DanaBot

576ddf77b8b7a0685f8619125f16bbaebd35b38caf08c5ef6ea19be5a080125b

DanaBot

69f4f29d3eb2f05d7b7f4f736375765b7ed97d0948460adb95ad134b1f54a880

DanaBot

6e33bb5afea750c9d310218cf18796b7e1754332684bf92806ccba081bcc5a69

DanaBot

97a1dadc6e1ccaa807240649c63f175169b0badaf65be530e98ad7790d69fc1e

DanaBot

a0bc490c4a5263a90e83476958a538d960a94437432c4561008a6c9bb4af2b17

DanaBot

+ 9'837 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

suricata

Link:

https://tria.ge/reports/220305-wzxb1aaefk/

Behaviour

Checks processor information in registry

Suspicious use of WriteProcessMemory

Program crash

Blocklisted process makes network request

suricata: ET MALWARE Danabot Key Exchange Request

Unpacked files

SH256 hash:

a1463f0a76b962e3971f477e18b4ff916746d2bdba8fd7cfd2172e22ee7bd4a0

MD5 hash:

7b0055f030e8c20c5900b414f43e2fbc

SHA1 hash:

35c8d541f008b1a73b4f01ba4297efdbd7abd80c

Link:

https://www.unpac.me/results/08011a30-d2a7-4d61-8c38-cdc6523cca26/

SH256 hash:

d5faba20007266314cf176b9e49ccbc35c3fd2b0982fcd73f7b5794539b42e89

MD5 hash:

2470b220c0efaa397d6aeea18abdb0bb

SHA1 hash:

099629a545b4c01401f779e3d0e1a5ed452ddaac

Link:

https://www.unpac.me/results/08011a30-d2a7-4d61-8c38-cdc6523cca26/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d5faba20007266314cf176b9e49ccbc35c3fd2b0982fcd73f7b5794539b42e89

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

exe d5faba20007266314cf176b9e49ccbc35c3fd2b0982fcd73f7b5794539b42e89

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2076755/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/247564/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample