Overview

overview

10

Static

static

SecuriteIn...39.exe

windows7_x64

10

SecuriteIn...39.exe

windows10_x64

10

Analysis

  • max time kernel
    138s
  • max time network
    54s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    25-06-2020 12:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Variant.Danabot.2.3619.11339.exe

  • Size

    920KB

  • MD5

    aa9d791d36be565f6d537f34f0ed9f6e

  • SHA1

    bab4cf9b752885788d4f07c42a5dcca42b1193b6

  • SHA256

    e444e98ee06dc0e26cae8aa57a0cddab7b050db22d3002bd2b0da47d4fd5d78c

  • SHA512

    cab24f89b5172827fb0fd31e9d97fc3879fdbf3e9c19f8de8147f7ebdf95373c1e56acc5a5fa2c9dc5c46c73007f1520ee62f45b84ac5a3795c7b2d24326c5f5

Score
10/10
danabotbankerbotnettrojan

Malware Config

Extracted

Family

danabot

C2

45.11.183.43

185.101.92.195

185.101.92.201
rsa_pubkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Danabot x86 payload 4 IoCs

    Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

    botnet
  • Blocklisted process makes network request 10 IoCs
  • Loads dropped DLL 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Danabot.2.3619.11339.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Danabot.2.3619.11339.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3656
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\SECURI~1.EXE@3656
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:516
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL,f0
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        PID:656

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL
    MD5

    3adeb8722fc17162202c93aba62a0148

    SHA1

    675e1a27bcb75a99cfd0347cc28a78e6965c352c

    SHA256

    4471c864eca1949f2401a991e64639c53e30cd4582ffee12103a6607a5a79fc1

    SHA512

    4956240237ee6eb99b611ad917c1d620825ab627d386a0369f5f88a698d624e438ef732976a4050d33773d5734e064cf5c50f22b703428b3a3ad085711dfc947

    Download Submit
  • \Users\Admin\AppData\Local\Temp\SECURI~1.DLL
    MD5

    3adeb8722fc17162202c93aba62a0148

    SHA1

    675e1a27bcb75a99cfd0347cc28a78e6965c352c

    SHA256

    4471c864eca1949f2401a991e64639c53e30cd4582ffee12103a6607a5a79fc1

    SHA512

    4956240237ee6eb99b611ad917c1d620825ab627d386a0369f5f88a698d624e438ef732976a4050d33773d5734e064cf5c50f22b703428b3a3ad085711dfc947

    Download Submit
  • \Users\Admin\AppData\Local\Temp\SECURI~1.DLL
    MD5

    3adeb8722fc17162202c93aba62a0148

    SHA1

    675e1a27bcb75a99cfd0347cc28a78e6965c352c

    SHA256

    4471c864eca1949f2401a991e64639c53e30cd4582ffee12103a6607a5a79fc1

    SHA512

    4956240237ee6eb99b611ad917c1d620825ab627d386a0369f5f88a698d624e438ef732976a4050d33773d5734e064cf5c50f22b703428b3a3ad085711dfc947

    Download Submit
  • \Users\Admin\AppData\Local\Temp\SECURI~1.DLL
    MD5

    3adeb8722fc17162202c93aba62a0148

    SHA1

    675e1a27bcb75a99cfd0347cc28a78e6965c352c

    SHA256

    4471c864eca1949f2401a991e64639c53e30cd4582ffee12103a6607a5a79fc1

    SHA512

    4956240237ee6eb99b611ad917c1d620825ab627d386a0369f5f88a698d624e438ef732976a4050d33773d5734e064cf5c50f22b703428b3a3ad085711dfc947

    Download Submit
  • memory/516-0-0x0000000000000000-mapping.dmp
    Download
  • memory/656-4-0x0000000000000000-mapping.dmp
    Download