MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4b783cd81ae0eba7234e0a4d14d47c813b0e8c18b1d8eb00eda6d326b8c6fbe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 12


Intelligence 12 IOCs YARA 37 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f4b783cd81ae0eba7234e0a4d14d47c813b0e8c18b1d8eb00eda6d326b8c6fbe
SHA3-384 hash: e00d72f0199acf4b716280c18a4bd1fd89c9ccd8d3e476525f5a4fb55ff5ddcab1468ead919065b28fad47886fe38a3c
SHA1 hash: 2d2a59aca3fab38cad731d1a6398af86f3ee165d
MD5 hash: 84847c31f1bc2d9067eaf850b753bf55
humanhash: music-bakerloo-carpet-rugby
File name:Hqeyair.dll
Download: download sample
Signature DanaBot
Create hunting rule
File size:10'721'792 bytes
First seen:2024-03-26 01:57:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34e13b8d4d75c780ac5e3ef2858082c (1 x DanaBot)
ssdeep 98304:2/d01v8YP37/ABdF3R1aw4S5BC19iHWl7NjJkcq/rywXwIS7Hnof:I01v8EL/AnF7aw4S5BCm8Dq/OUoo
TLSH T119B66B7F32A4C26DC26EC17BC1A38F54E53371B51B32C6FB42A502A45F029C59E7E6A4
TrID 77.6% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
14.1% (.EXE) Win64 Executable (generic) (10523/12/4)
2.7% (.EXE) OS/2 Executable (generic) (2029/13)
2.7% (.EXE) Generic Win/DOS Executable (2002/3)
2.6% (.EXE) DOS Executable Generic (2000/1)
Reporter Brad_malware
Tags:DanaBot exe


Avatar
malware_traffic
Run method: rundll32 [filename],start

Intelligence

File Origin
# of uploads :
1
# of downloads :
449
Origin country :
US US
Vendor Threat Intelligence
Malware family:
danabot
Create hunting rule
ID:
1
File name:
Hqeyair.dll
Verdict:
Malicious activity
Analysis date:
2024-03-26 01:50:34 UTC
Tags:
danabot stealer danabot-unpacked
Link:
https://app.any.run/tasks/ef4a3d1d-9c1d-411f-b7fb-c6b40b2c1c16

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Launching a process
Creating a process with a hidden window
Connection attempt
Searching for synchronization primitives
Sending a custom TCP request
Reading critical registry keys
Adding a root certificate
Setting a new proxy server as a default one
Enabling the use of the proxy server
Creating a file in the %AppData% subdirectories
Changing a file
Creating a file in the %temp% directory
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file
Changing critical settings of the Internet Explorer browser
Stealing user critical data
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm certutil evasive explorer extrac32 fingerprint keylogger lolbin masquerade rasautou rundll32
Link:
https://www.filescan.io/uploads/66022bac5ae25e8d7243b98e/reports/6f3b10a3-1016-4c01-8ece-ac679dd9eebc/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/f4b783cd81ae0eba7234e0a4d14d47c813b0e8c18b1d8eb00eda6d326b8c6fbe
Result
Verdict:
MALICIOUS
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/290c63af-9ae6-4f1b-83bf-f79dbfb1a2c5
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1415547
Signature
May use the Tor software to hide its network traffic
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1415547 Sample: Hqeyair.dll.exe Startdate: 26/03/2024 Architecture: WINDOWS Score: 68 37 Multi AV Scanner detection for submitted file 2->37 39 Yara detected DanaBot stealer dll 2->39 8 loaddll64.exe 3 2->8         started        process3 signatures4 41 May use the Tor software to hide its network traffic 8->41 11 rundll32.exe 1 2 8->11         started        15 cmd.exe 1 8->15         started        17 rundll32.exe 2 8->17         started        19 6 other processes 8->19 process5 dnsIp6 31 34.66.104.146, 443, 49745, 49756 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 11->31 33 8.215.11.96, 443, 49747, 49758 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC Singapore 11->33 35 2 other IPs or domains 11->35 43 System process connects to network (likely due to code injection or exploit) 11->43 21 rundll32.exe 2 15->21         started        23 WerFault.exe 20 16 17->23         started        25 WerFault.exe 16 19->25         started        27 WerFault.exe 19->27         started        signatures7 process8 process9 29 WerFault.exe 18 21->29         started       
Score:
66%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/f4b783cd81ae0eba7234e0a4d14d47c813b0e8c18b1d8eb00eda6d326b8c6fbe
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f4b783cd81ae0eba7234e0a4d14d47c813b0e8c18b1d8eb00eda6d326b8c6fbe/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-03-26 01:59:08 UTC
File Type:
PE+ (Dll)
Extracted files:
14
AV detection:
12 of 24 (50.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6s3yhtmbvyhlu4ru4csnctkhzaj3b2gbrmoy5mao3jwte24mn67a._file
Verdict:
unknown
Result
Malware family:
danabot
Create hunting rule
Score:
  10/10
Tags:
family:danabot banker trojan
Link:
https://tria.ge/reports/240326-cdt5zaed8v/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Danabot
Unpacked files
SH256 hash:
f4b783cd81ae0eba7234e0a4d14d47c813b0e8c18b1d8eb00eda6d326b8c6fbe
MD5 hash:
84847c31f1bc2d9067eaf850b753bf55
SHA1 hash:
2d2a59aca3fab38cad731d1a6398af86f3ee165d
Link:
https://www.unpac.me/results/52e48868-a676-4cfd-b6d8-1feadc1ee8c3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f4b783cd81ae0eba7234e0a4d14d47c813b0e8c18b1d8eb00eda6d326b8c6fbe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:DanaBot_12_2023
Create hunting rule
Author:RussianPanda
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:html_auto_download_b64
Create hunting rule
Author:Tdawg
Description:html auto download
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifacts observed in infostealers
Rule name:MALWARE_Win_DanaBot
Create hunting rule
Author:ditekSHen
Description:Detects DanaBot variants
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:possible_trojan_banker
Create hunting rule
Author:@johnk3r
Description:Detects common strings, DLL and API in Banker_BR
Rule name:QbotStuff
Create hunting rule
Author:anonymous
Rule name:RC6_Constants
Create hunting rule
Author:chort (@chort0)
Description:Look for RC6 magic constants in binary
Reference:https://twitter.com/mikko/status/417620511397400576
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:Rooter
Create hunting rule
Author:Seth Hardy
Description:Rooter
Rule name:RooterStrings
Create hunting rule
Author:Seth Hardy
Description:Rooter Identifying Strings
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:WHIRLPOOL_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for WhirlPool constants
Rule name:Windows_Generic_Threat_54ccad4d
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
MULTIMEDIA_APICan Play Multimediagdi32.dll::StretchDIBits
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryExW
kernel32.dll::LoadLibraryA
kernel32.dll::LoadLibraryW
kernel32.dll::GetDriveTypeW
kernel32.dll::GetVolumeInformationW
kernel32.dll::GetSystemInfo
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateDirectoryW
kernel32.dll::CreateFileMappingW
kernel32.dll::CreateFileW
kernel32.dll::GetWindowsDirectoryW
kernel32.dll::GetFileAttributesW
kernel32.dll::FindFirstFileW
WIN_BASE_USER_APIRetrieves Account Informationkernel32.dll::QueryDosDeviceW
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegConnectRegistryW
advapi32.dll::RegCreateKeyExW
advapi32.dll::RegDeleteKeyW
advapi32.dll::RegLoadKeyW
advapi32.dll::RegOpenKeyExW
advapi32.dll::RegQueryInfoKeyW
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::EmptyClipboard
user32.dll::FindWindowExW
user32.dll::FindWindowW
user32.dll::OpenClipboard

Comments