MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef78a7edac0d62cfb157cb652cad5282b020484fdb580ccb09a0ab321296f136. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ef78a7edac0d62cfb157cb652cad5282b020484fdb580ccb09a0ab321296f136
SHA3-384 hash: 2dde2f02e17d69a2401488dfabc61089e2491d5fc12db00a8192a3680e1ab7182079aa34bd201d3f31bb129cc26a576f
SHA1 hash: e237dfffc5405c9dc242958cf89e0d05fc45fd41
MD5 hash: 9eaaf83b7a39a32b20bcf11f89e5e241
humanhash: speaker-bluebird-stairway-kitten
File name:da.dll
Download: download sample
Signature DanaBot
Create hunting rule
File size:3'079'680 bytes
First seen:2022-07-06 13:07:54 UTC
Last seen:2022-07-13 12:16:15 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash c4e7526e422a3f9d69ad327c40cf983c (1 x DanaBot)
ssdeep 49152:FTOwNbl7owpd1kpCiMYqudpWrryM33SHGOYoEnjDgKAPzXjQHIT7PlaT:DNbl7J/1k1FTbWrmG3SQoEnjsZbzQoP
Threatray 12'908 similar samples on MalwareBazaar
TLSH T118E51261F4B5A7BBE67399372A98DF4198159E92CE0A42F7C2C4E0BD00F44237E1CD66
TrID 42.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
17.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
13.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.6% (.EXE) Win32 Executable (generic) (4505/5/1)
5.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 0081828080828000 (1 x DanaBot)
Reporter 0x746f6d6669
Tags:DanaBot dll

Intelligence

File Origin
# of uploads :
3
# of downloads :
474
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/285148/
Detection(s):
SecuriteInfo.com.Variant.Lazy.202526.8255.3980.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a file
Launching a process
Creating a process with a hidden window
Creating a window
DNS request
Creating a file in the system32 subdirectories
Creating a file in the Program Files subdirectories
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62c58938a9394d642149a2fb/reports/42dfdf95-4dfe-43b3-a40e-53afb051c069/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f0ab5d89-5c0f-4e70-ae87-ce90863627d5
Result
Threat name:
Unknown
Detection:
malicious
Classification:
phis.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1025605
Signature
Contains functionality to detect sleep reduction / modifications
May use the Tor software to hide its network traffic
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 658108 Sample: da.dll Startdate: 06/07/2022 Architecture: WINDOWS Score: 100 52 Multi AV Scanner detection for submitted file 2->52 54 Yara detected UAC Bypass using CMSTP 2->54 56 May use the Tor software to hide its network traffic 2->56 8 loaddll32.exe 1 2->8         started        process3 signatures4 58 Tries to evade debugger and weak emulator (self modifying code) 8->58 60 Tries to detect virtualization through RDTSC time measurements 8->60 62 Contains functionality to detect sleep reduction / modifications 8->62 11 rundll32.exe 8 21 8->11         started        16 rundll32.exe 8->16         started        18 rundll32.exe 8->18         started        20 2 other processes 8->20 process5 dnsIp6 46 142.11.210.110, 443, 49768, 49782 HOSTWINDSUS United States 11->46 48 192.236.179.92, 443, 49767, 49771 HOSTWINDSUS United States 11->48 50 5 other IPs or domains 11->50 44 C:\Users\user\AppData\...\Proarqtatqfw.tmp, DOS 11->44 dropped 64 System process connects to network (likely due to code injection or exploit) 11->64 66 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->66 68 Tries to steal Instant Messenger accounts or passwords 11->68 70 4 other signatures 11->70 22 schtasks.exe 11->22         started        24 schtasks.exe 11->24         started        26 rundll32.exe 11->26         started        28 WerFault.exe 2 9 16->28         started        30 WerFault.exe 16->30         started        32 WerFault.exe 9 18->32         started        34 WerFault.exe 18->34         started        36 rundll32.exe 20->36         started        file7 signatures8 process9 process10 38 conhost.exe 22->38         started        40 conhost.exe 24->40         started        42 WerFault.exe 23 9 36->42         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ef78a7edac0d62cfb157cb652cad5282b020484fdb580ccb09a0ab321296f136/
Threat name:
Win32.Trojan.DanaBot
Create hunting rule
Status:
Malicious
First seen:
2022-06-28 12:10:06 UTC
File Type:
PE (Dll)
Extracted files:
6
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=554kp3nmbvrm7mkxznsszlksqkycascp3nmazsyjucvteeuw6e3a._file
Verdict:
malicious
Similar samples:
0f8d2648166184bde6562f33b7e4b620313fe7a21746720d37594213fba7a604
DanaBot
11d70988c6bb7174dd4050db008c278920f14cbfa54920655ad1bdbaee082700
DanaBot
5388b531f6d52bb164dbb60d11e016b0ce99edbd71b98422061f641dbedb242e
DanaBot
6ee73d5e4fa4954957aad95443756f9be8fc1423cb7e83aad87048f7d2d970c0
DanaBot
a297bc0c90017b32dd1636f86f068b0b6c21c6e1eb1ead92c23eec4b0195177e
DanaBot
bbefd006263022389bbcd69a68a8d894edf503dbb303b2da0870f365dcdf8287
DanaBot
d803474f276d6a116f53136d486a257bf6414a5c4393aa83793bc77a4124afd2
DanaBot
+ 12'898 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220706-qc7xbsdagn/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
b75f62b06c9559f14a96cfaf45ac752abe93ade5d7e7c01ab9d772891fb941b8
MD5 hash:
dd69f3ddb4eec58cedd1f9eae07e2ce1
SHA1 hash:
2725498ffeaf111b5eff82a87a19de6760f31cde
Link:
https://www.unpac.me/results/8fe8268e-c97a-49a9-baed-ce177d35b968/
SH256 hash:
ef78a7edac0d62cfb157cb652cad5282b020484fdb580ccb09a0ab321296f136
MD5 hash:
9eaaf83b7a39a32b20bcf11f89e5e241
SHA1 hash:
e237dfffc5405c9dc242958cf89e0d05fc45fd41
Link:
https://www.unpac.me/results/8fe8268e-c97a-49a9-baed-ce177d35b968/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/ef78a7edac0d62cfb157cb652cad5282b020484fdb580ccb09a0ab321296f136

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:win_danabot
Create hunting rule
Author:Johannes Bader
Description:detects DanaBot
Rule name:win_danabot_cdf38827
Create hunting rule
Author:Johannes Bader
Description:detects DanaBot

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/285148/

Comments