danabot | a2e04f470118a346babd55225d373f935ace92670668cc50538e668a5be144ec

General

Target

7a9ccd371d5fb68f1ab44f1082866eb6.exe
Size

2.6MB
MD5

7a9ccd371d5fb68f1ab44f1082866eb6
SHA1

dbaa4a48013bb069b07158c44cd6d63f3baace07
SHA256

a2e04f470118a346babd55225d373f935ace92670668cc50538e668a5be144ec
SHA512

f59237816e95236d38987de207bef174743faa7f35b448e026d36749a6f7abc3d515e464e8f90f7771dba7066c2db26f87621c679df03d0d8ccb8b8128a9a0a7

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

C2

92.204.160.126

193.34.166.26

93.115.22.159

93.115.22.165

185.227.138.52

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 3 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7A9CCD~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\7A9CCD~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\7A9CCD~1.DLL	family_danabot

Blocklisted process makes network request 10 IoCs

Processes:

rundll32.exe

flow	pid	process
3	3832	rundll32.exe
4	3832	rundll32.exe
5	3832	rundll32.exe
6	3832	rundll32.exe
7	3832	rundll32.exe
8	3832	rundll32.exe
10	3832	rundll32.exe
11	3832	rundll32.exe
20	3832	rundll32.exe
21	3832	rundll32.exe

Loads dropped DLL 2 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

3820 regsvr32.exe
3832 rundll32.exe

pid	process
3820	regsvr32.exe
3832	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

7a9ccd371d5fb68f1ab44f1082866eb6.exeregsvr32.exe

description	pid	process	target process
PID 3588 wrote to memory of 3820	3588	7a9ccd371d5fb68f1ab44f1082866eb6.exe	regsvr32.exe
PID 3588 wrote to memory of 3820	3588	7a9ccd371d5fb68f1ab44f1082866eb6.exe	regsvr32.exe
PID 3588 wrote to memory of 3820	3588	7a9ccd371d5fb68f1ab44f1082866eb6.exe	regsvr32.exe
PID 3820 wrote to memory of 3832	3820	regsvr32.exe	rundll32.exe
PID 3820 wrote to memory of 3832	3820	regsvr32.exe	rundll32.exe
PID 3820 wrote to memory of 3832	3820	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\7a9ccd371d5fb68f1ab44f1082866eb6.exe
"C:\Users\Admin\AppData\Local\Temp\7a9ccd371d5fb68f1ab44f1082866eb6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3588

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\7A9CCD~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\7A9CCD~1.EXE@3588
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3820

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\7A9CCD~1.DLL,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:3832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7A9CCD~1.DLL
MD5
ba5bcacdd2930de8898da02eb76bd9d1

SHA1
2d6cdd794b651a92753113b58139957635efea7c

SHA256
a59a10879e0a2db88c6ea80f31a85962b7e4e89b6e2c4d4cac459b1580422b78

SHA512
b46fb1ee60d7c22bd943462fcd5107645189b509dc564f4e1a0b6b5f04ef7a42aeaad117f217f4f3096baa09beb953eb65a7588a9ba432a3632d3fe35edf8a27

Download Submit
\Users\Admin\AppData\Local\Temp\7A9CCD~1.DLL
MD5
ba5bcacdd2930de8898da02eb76bd9d1

SHA1
2d6cdd794b651a92753113b58139957635efea7c

SHA256
a59a10879e0a2db88c6ea80f31a85962b7e4e89b6e2c4d4cac459b1580422b78

SHA512
b46fb1ee60d7c22bd943462fcd5107645189b509dc564f4e1a0b6b5f04ef7a42aeaad117f217f4f3096baa09beb953eb65a7588a9ba432a3632d3fe35edf8a27

Download Submit
\Users\Admin\AppData\Local\Temp\7A9CCD~1.DLL
MD5
ba5bcacdd2930de8898da02eb76bd9d1

SHA1
2d6cdd794b651a92753113b58139957635efea7c

SHA256
a59a10879e0a2db88c6ea80f31a85962b7e4e89b6e2c4d4cac459b1580422b78

SHA512
b46fb1ee60d7c22bd943462fcd5107645189b509dc564f4e1a0b6b5f04ef7a42aeaad117f217f4f3096baa09beb953eb65a7588a9ba432a3632d3fe35edf8a27

Download Submit
memory/3588-1-0x00000000056E0000-0x00000000056E1000-memory.dmp

Filesize
4KB

Download
memory/3820-2-0x0000000000000000-mapping.dmp

Download
memory/3832-5-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads