MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e884a3b3ef639d3ef869f1001f6e5e83c017197c6abb8ddcd917ff0fec2dc089. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e884a3b3ef639d3ef869f1001f6e5e83c017197c6abb8ddcd917ff0fec2dc089
SHA3-384 hash: dafbbccb7537e5e57c4599b07042c146bb7fd4a72d285e277be93952a55b61d859c89dc6a12cfc29cfe55e7f6a502a37
SHA1 hash: 14d1344ebd6050da85ad49638cc1ab960af07f79
MD5 hash: 1b1154983d2958cc961932378e41a65c
humanhash: georgia-social-delta-queen
File name:e884a3b3ef639d3ef869f1001f6e5e83c017197c6abb8ddcd917ff0fec2dc089
Download: download sample
Signature DanaBot
Create hunting rule
File size:13'643'776 bytes
First seen:2025-01-28 07:52:01 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 393216:4MsY4j7V+tIQmehkduAq5BEFCSY4b6Dl:3lKV+yghkdlq5BZSY48l
Threatray 45 similar samples on MalwareBazaar
TLSH T10FD6231FA58B7031C27B46B6C1D65379493A5E0ACF9685B3B2E2BCD90A3D4E22D71133
TrID 98.2% (.MSI) Microsoft Windows Installer (454500/1/170)
1.7% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter JAMESWT_WT
Tags:5-253-59-205 booking DanaBot msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
84
Origin country :
IT IT
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.FileRepMalware.27584.13718.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67988e6a09fca627796393b4
Tags:
shellcode emotet fraud virus
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
crypto expand fingerprint fingerprint installer keylogger lolbin msbuild packed wix
Link:
https://www.filescan.io/uploads/67988caf85aac483f389b645/reports/abcdb199-24ab-4077-9ef5-32a43ed4c5dd/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/e884a3b3ef639d3ef869f1001f6e5e83c017197c6abb8ddcd917ff0fec2dc089
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/e884a3b3ef639d3ef869f1001f6e5e83c017197c6abb8ddcd917ff0fec2dc089
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1601020
Signature
Antivirus detection for dropped file
Machine Learning detection for dropped file
May use the Tor software to hide its network traffic
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1601020 Sample: EouePQjNCj.msi Startdate: 28/01/2025 Architecture: WINDOWS Score: 80 49 tse1.mm.bing.net 2->49 51 mm-mm.bing.net.trafficmanager.net 2->51 53 ax-0001.ax-msedge.net 2->53 55 Antivirus detection for dropped file 2->55 57 Multi AV Scanner detection for dropped file 2->57 59 Multi AV Scanner detection for submitted file 2->59 61 2 other signatures 2->61 10 msiexec.exe 86 32 2->10         started        13 msiexec.exe 5 2->13         started        signatures3 process4 file5 43 C:\Windows\Installer\MSICA52.tmp, PE32 10->43 dropped 45 C:\Windows\Installer\MSI1A98.tmp, PE32 10->45 dropped 47 C:\Windows\Installer\MSI1874.tmp, PE32 10->47 dropped 15 msiexec.exe 1 5 10->15         started        process6 process7 17 expand.exe 4 15->17         started        20 der_ROG_Bayhub_B_V2.1.101.10580_28773.exe 15->20         started        23 icacls.exe 1 15->23         started        25 2 other processes 15->25 file8 39 der_ROG_Bayhub_B_V...80_28773.exe (copy), PE32 17->39 dropped 41 C:\...\b3e26fd7cc0da0488e05d673a0446506.tmp, PE32 17->41 dropped 27 conhost.exe 17->27         started        63 May use the Tor software to hide its network traffic 20->63 29 MSBuild.exe 2 20->29         started        31 conhost.exe 23->31         started        33 conhost.exe 25->33         started        35 conhost.exe 25->35         started        signatures9 process10 process11 37 conhost.exe 29->37         started       
Score:
100%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/e884a3b3ef639d3ef869f1001f6e5e83c017197c6abb8ddcd917ff0fec2dc089
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e884a3b3ef639d3ef869f1001f6e5e83c017197c6abb8ddcd917ff0fec2dc089/
Threat name:
Win32.Trojan.Danabot
Create hunting rule
Status:
Malicious
First seen:
2025-01-12 23:32:22 UTC
File Type:
Binary (Archive)
Extracted files:
12
AV detection:
20 of 38 (52.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5cckhm7pmoot56dj6eab63s6qpabogl4nk5y3xgzc77q73bnyceq._file
Verdict:
malicious
Label(s):
danabot
Create hunting rule
Similar samples:
0789167a083f16debc270fa324e5f4d6b07a4519e4aef9e2d1c99394ca4d62c8
DanaBot
255262d443f57a58458117d1186b48f70cf884a2f8fa3e49f9c5d38ae67c4659
DanaBot
2ef2d5e126c0508e5a8d9d4d9fa08d60d4987b4ca401a8d2d62c89a8ef4bcc0f
DanaBot
4e906e880e35e4bc0de7e9375fc0feb5757374ca0bb628dff6366174536d6183
DanaBot
6439ae79c2200a8d382dd24457aa9f15ddbcf4a3daa6be308d3d194570b8e1a7
DanaBot
68387cba37fa58eeab0ae343b68b5d135c9025767eae462c73fccf33667ea974
DanaBot
8e6ae3b356d2205296fec0761daa461a311190e50e0e611699ebb4aad6e6cd77
DanaBot
cdfcffceff42c4134d2e41f0bde414abe7a4b7e0480c8f4294ebca0b4ab9af24
DanaBot
error
DanaBot
+ 35 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection discovery persistence privilege_escalation
Link:
https://tria.ge/reports/250128-jqedlsspcp/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
outlook_office_path
outlook_win_path
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Enumerates connected drives
Modifies file permissions
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7ebf3032-5d5c-40fd-a92d-42af27faee6b
Malware family:
CryptBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e884a3b3ef63/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments