danabot | 55bcab507b73fd2d184d9326b69553910c223b28e512707771818de96136c52f

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7v200430
submitted
19-05-2020 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

iTBDXzF.bin.dll
Size

2.8MB
MD5

5057e9d2ca0f7b22d18d9823b99c7cba
SHA1

dd671fa5e34d5b5b7f6dc6100f746f490b83db6e
SHA256

55bcab507b73fd2d184d9326b69553910c223b28e512707771818de96136c52f
SHA512

b696e8e0e2bdfc6e78db8e5bfbc63e8e5caf0e8e67217e9e54a91ace83e5647a328b8fd64e1210cfe6394982f4a804936f19fea3fbd04e337be83e620b2df380

Score

10^/10

danabot banker trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

2 1800 rundll32.exe
Loads dropped DLL 8 IoCs

Processes:

rundll32.exerundll32.exe

pid process

1080 rundll32.exe
1080 rundll32.exe
1080 rundll32.exe
1080 rundll32.exe
1032 rundll32.exe
1032 rundll32.exe
1032 rundll32.exe
1032 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1820 836 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

1820 WerFault.exe
1820 WerFault.exe
1820 WerFault.exe
1820 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1820 WerFault.exe

flow	pid	process
2	1800	rundll32.exe

pid	process
1080	rundll32.exe
1080	rundll32.exe
1080	rundll32.exe
1080	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe

pid	pid_target	process	target process
1820	836	WerFault.exe	rundll32.exe

pid	process
1820	WerFault.exe
1820	WerFault.exe
1820	WerFault.exe
1820	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1820	WerFault.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

description	pid	process	target process
PID 1520 wrote to memory of 836	1520	rundll32.exe	rundll32.exe
PID 1520 wrote to memory of 836	1520	rundll32.exe	rundll32.exe
PID 1520 wrote to memory of 836	1520	rundll32.exe	rundll32.exe
PID 1520 wrote to memory of 836	1520	rundll32.exe	rundll32.exe
PID 1520 wrote to memory of 836	1520	rundll32.exe	rundll32.exe
PID 1520 wrote to memory of 836	1520	rundll32.exe	rundll32.exe
PID 1520 wrote to memory of 836	1520	rundll32.exe	rundll32.exe
PID 836 wrote to memory of 1800	836	rundll32.exe	rundll32.exe
PID 836 wrote to memory of 1800	836	rundll32.exe	rundll32.exe
PID 836 wrote to memory of 1800	836	rundll32.exe	rundll32.exe
PID 836 wrote to memory of 1800	836	rundll32.exe	rundll32.exe
PID 836 wrote to memory of 1800	836	rundll32.exe	rundll32.exe
PID 836 wrote to memory of 1800	836	rundll32.exe	rundll32.exe
PID 836 wrote to memory of 1800	836	rundll32.exe	rundll32.exe
PID 836 wrote to memory of 1820	836	rundll32.exe	WerFault.exe
PID 836 wrote to memory of 1820	836	rundll32.exe	WerFault.exe
PID 836 wrote to memory of 1820	836	rundll32.exe	WerFault.exe
PID 836 wrote to memory of 1820	836	rundll32.exe	WerFault.exe
PID 1800 wrote to memory of 1080	1800	rundll32.exe	rundll32.exe
PID 1800 wrote to memory of 1080	1800	rundll32.exe	rundll32.exe
PID 1800 wrote to memory of 1080	1800	rundll32.exe	rundll32.exe
PID 1800 wrote to memory of 1080	1800	rundll32.exe	rundll32.exe
PID 1800 wrote to memory of 1080	1800	rundll32.exe	rundll32.exe
PID 1800 wrote to memory of 1080	1800	rundll32.exe	rundll32.exe
PID 1800 wrote to memory of 1080	1800	rundll32.exe	rundll32.exe
PID 1080 wrote to memory of 1032	1080	rundll32.exe	rundll32.exe
PID 1080 wrote to memory of 1032	1080	rundll32.exe	rundll32.exe
PID 1080 wrote to memory of 1032	1080	rundll32.exe	rundll32.exe
PID 1080 wrote to memory of 1032	1080	rundll32.exe	rundll32.exe
PID 1032 wrote to memory of 1608	1032	rundll32.exe	rundll32.exe
PID 1032 wrote to memory of 1608	1032	rundll32.exe	rundll32.exe
PID 1032 wrote to memory of 1608	1032	rundll32.exe	rundll32.exe
PID 1032 wrote to memory of 1608	1032	rundll32.exe	rundll32.exe
PID 1032 wrote to memory of 1608	1032	rundll32.exe	rundll32.exe
PID 1032 wrote to memory of 1608	1032	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\iTBDXzF.bin.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\iTBDXzF.bin.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\iTBDXzF.bin.dll,f0
3⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\\rundll32.exe C:\PROGRA~3\41CB2DAF\25D9A6B6.dll,f1 C:\Users\Admin\AppData\Local\Temp\iTBDXzF.bin.dll@1800
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\system32\rundll32.exe
C:\Windows\system32\\rundll32.exe C:\PROGRA~3\41CB2DAF\25D9A6B6.dll,f1 C:\Users\Admin\AppData\Local\Temp\iTBDXzF.bin.dll@1800
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\syswow64\rundll32.exe
C:\Windows\syswow64\rundll32.exe C:\ProgramData\41CB2DAF\ECC7FE22.dll,f2 74C7F01B868E0E4656D802F87FDD489F
6⤵
PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 836 -s 404
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1820

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\41CB2DAF\25D9A6B6.dll
MD5
55e825c9df62635ef201fc7a75a41e03

SHA1
0c5a55711143be553adbde4702e06f9dd951ee21

SHA256
85283b40ac2a7e7539812b0809af7f84054f2877c6c503ab8cd7974e3e8962e8

SHA512
91fd0d2f5a6f0fcc42d59375a82c31804b67f44a1a01128ed19b944a7ffbf4ba6f9fdaf3a17fd0401c7334974ae575595697013bd93b84fd5ca245d3bca7ea0c

Download Submit
C:\ProgramData\41CB2DAF\7EBB4790
MD5
14555fbb39d624cc7dee8c30687f8605

SHA1
80bda003e756117801e4fe513891f96acaaa1f07

SHA256
7ed28482b04a2f9bfe882b444082ef13b0e20fbd82617be82bcf3405b210d386

SHA512
e9f128bdbd1b7d63a643deb51fbdf71f2b9ae5343e12959953a16fb445f0e19bc565eb86ff8a12c7420cd0f1bbb24c53b6b5b64ffd4da0ba2a1c8496ba949570

Download Submit
\PROGRA~3\41CB2DAF\25D9A6B6.dll
MD5
55e825c9df62635ef201fc7a75a41e03

SHA1
0c5a55711143be553adbde4702e06f9dd951ee21

SHA256
85283b40ac2a7e7539812b0809af7f84054f2877c6c503ab8cd7974e3e8962e8

SHA512
91fd0d2f5a6f0fcc42d59375a82c31804b67f44a1a01128ed19b944a7ffbf4ba6f9fdaf3a17fd0401c7334974ae575595697013bd93b84fd5ca245d3bca7ea0c

Download Submit
\PROGRA~3\41CB2DAF\25D9A6B6.dll
MD5
55e825c9df62635ef201fc7a75a41e03

SHA1
0c5a55711143be553adbde4702e06f9dd951ee21

SHA256
85283b40ac2a7e7539812b0809af7f84054f2877c6c503ab8cd7974e3e8962e8

SHA512
91fd0d2f5a6f0fcc42d59375a82c31804b67f44a1a01128ed19b944a7ffbf4ba6f9fdaf3a17fd0401c7334974ae575595697013bd93b84fd5ca245d3bca7ea0c

Download Submit
\PROGRA~3\41CB2DAF\25D9A6B6.dll
MD5
55e825c9df62635ef201fc7a75a41e03

SHA1
0c5a55711143be553adbde4702e06f9dd951ee21

SHA256
85283b40ac2a7e7539812b0809af7f84054f2877c6c503ab8cd7974e3e8962e8

SHA512
91fd0d2f5a6f0fcc42d59375a82c31804b67f44a1a01128ed19b944a7ffbf4ba6f9fdaf3a17fd0401c7334974ae575595697013bd93b84fd5ca245d3bca7ea0c

Download Submit
\PROGRA~3\41CB2DAF\25D9A6B6.dll
MD5
55e825c9df62635ef201fc7a75a41e03

SHA1
0c5a55711143be553adbde4702e06f9dd951ee21

SHA256
85283b40ac2a7e7539812b0809af7f84054f2877c6c503ab8cd7974e3e8962e8

SHA512
91fd0d2f5a6f0fcc42d59375a82c31804b67f44a1a01128ed19b944a7ffbf4ba6f9fdaf3a17fd0401c7334974ae575595697013bd93b84fd5ca245d3bca7ea0c

Download Submit
\PROGRA~3\41CB2DAF\25D9A6B6.dll
MD5
55e825c9df62635ef201fc7a75a41e03

SHA1
0c5a55711143be553adbde4702e06f9dd951ee21

SHA256
85283b40ac2a7e7539812b0809af7f84054f2877c6c503ab8cd7974e3e8962e8

SHA512
91fd0d2f5a6f0fcc42d59375a82c31804b67f44a1a01128ed19b944a7ffbf4ba6f9fdaf3a17fd0401c7334974ae575595697013bd93b84fd5ca245d3bca7ea0c

Download Submit
\PROGRA~3\41CB2DAF\25D9A6B6.dll
MD5
55e825c9df62635ef201fc7a75a41e03

SHA1
0c5a55711143be553adbde4702e06f9dd951ee21

SHA256
85283b40ac2a7e7539812b0809af7f84054f2877c6c503ab8cd7974e3e8962e8

SHA512
91fd0d2f5a6f0fcc42d59375a82c31804b67f44a1a01128ed19b944a7ffbf4ba6f9fdaf3a17fd0401c7334974ae575595697013bd93b84fd5ca245d3bca7ea0c

Download Submit
\PROGRA~3\41CB2DAF\25D9A6B6.dll
MD5
55e825c9df62635ef201fc7a75a41e03

SHA1
0c5a55711143be553adbde4702e06f9dd951ee21

SHA256
85283b40ac2a7e7539812b0809af7f84054f2877c6c503ab8cd7974e3e8962e8

SHA512
91fd0d2f5a6f0fcc42d59375a82c31804b67f44a1a01128ed19b944a7ffbf4ba6f9fdaf3a17fd0401c7334974ae575595697013bd93b84fd5ca245d3bca7ea0c

Download Submit
\PROGRA~3\41CB2DAF\25D9A6B6.dll
MD5
55e825c9df62635ef201fc7a75a41e03

SHA1
0c5a55711143be553adbde4702e06f9dd951ee21

SHA256
85283b40ac2a7e7539812b0809af7f84054f2877c6c503ab8cd7974e3e8962e8

SHA512
91fd0d2f5a6f0fcc42d59375a82c31804b67f44a1a01128ed19b944a7ffbf4ba6f9fdaf3a17fd0401c7334974ae575595697013bd93b84fd5ca245d3bca7ea0c

Download Submit
memory/1032-12-0x00000000028F0000-0x0000000002B6C000-memory.dmp

Filesize
2.5MB

Download
memory/1820-0-0x0000000002020000-0x0000000002031000-memory.dmp

Filesize
68KB

Download
memory/1820-1-0x00000000026D0000-0x00000000026E1000-memory.dmp

Filesize
68KB

Download