danabot | 9c4fade08ddee2e8d0dfc518414b188e6fd74f0d08260f8b2b9b1b0da3dc518e

General

Target

9c4fade08ddee2e8d0dfc518414b188e6fd74f0d08260f8b2b9b1b0da3dc518e.exe
Size

2.6MB
MD5

b12860db0af66cd54096834f586a31f7
SHA1

0407873ba5b9312f6f5d3a657721f054a74f4d87
SHA256

9c4fade08ddee2e8d0dfc518414b188e6fd74f0d08260f8b2b9b1b0da3dc518e
SHA512

0a252da57e3d104cb4f004cfb1faec931f110146804a04d6753579e7db2eeb007470bc9ec275daace4b133a10536340a291829cae977c57aa946cf661533203f

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

C2

137.74.66.92

185.227.138.52

192.236.146.249

172.93.201.168

193.34.166.244

23.83.133.10

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 4 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\9C4FAD~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\9C4FAD~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\9C4FAD~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\9C4FAD~1.DLL	family_danabot

Blocklisted process makes network request 8 IoCs

Processes:

rundll32.exe

flow	pid	process
3	2196	rundll32.exe
6	2196	rundll32.exe
7	2196	rundll32.exe
10	2196	rundll32.exe
11	2196	rundll32.exe
12	2196	rundll32.exe
13	2196	rundll32.exe
15	2196	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

2140 regsvr32.exe
2140 regsvr32.exe
2196 rundll32.exe

pid	process
2140	regsvr32.exe
2140	regsvr32.exe
2196	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

9c4fade08ddee2e8d0dfc518414b188e6fd74f0d08260f8b2b9b1b0da3dc518e.exeregsvr32.exe

description	pid	process	target process
PID 2040 wrote to memory of 2140	2040	9c4fade08ddee2e8d0dfc518414b188e6fd74f0d08260f8b2b9b1b0da3dc518e.exe	regsvr32.exe
PID 2040 wrote to memory of 2140	2040	9c4fade08ddee2e8d0dfc518414b188e6fd74f0d08260f8b2b9b1b0da3dc518e.exe	regsvr32.exe
PID 2040 wrote to memory of 2140	2040	9c4fade08ddee2e8d0dfc518414b188e6fd74f0d08260f8b2b9b1b0da3dc518e.exe	regsvr32.exe
PID 2140 wrote to memory of 2196	2140	regsvr32.exe	rundll32.exe
PID 2140 wrote to memory of 2196	2140	regsvr32.exe	rundll32.exe
PID 2140 wrote to memory of 2196	2140	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\9c4fade08ddee2e8d0dfc518414b188e6fd74f0d08260f8b2b9b1b0da3dc518e.exe
"C:\Users\Admin\AppData\Local\Temp\9c4fade08ddee2e8d0dfc518414b188e6fd74f0d08260f8b2b9b1b0da3dc518e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\9C4FAD~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\9C4FAD~1.EXE@2040
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2140

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\9C4FAD~1.DLL,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:2196

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9C4FAD~1.DLL

MD5
0416e479b158a2231a0d9c34b451d03a

SHA1
1b3318b838a70ae3807d19c019a73fd9ae2bf6c2

SHA256
64e9c2f91efb0c7071c79893b555cec3dee00d404e0118c676e15c83989e845a

SHA512
ce9711f9e8302fc2aa4371c8f27d747d3d49382977c14fa693ee84df7be2c36f52c3547ea85a5047166feb8849184a24822ef23fd8cf756d943a21dc65e1d34a

Download Submit
\Users\Admin\AppData\Local\Temp\9C4FAD~1.DLL

MD5
0416e479b158a2231a0d9c34b451d03a

SHA1
1b3318b838a70ae3807d19c019a73fd9ae2bf6c2

SHA256
64e9c2f91efb0c7071c79893b555cec3dee00d404e0118c676e15c83989e845a

SHA512
ce9711f9e8302fc2aa4371c8f27d747d3d49382977c14fa693ee84df7be2c36f52c3547ea85a5047166feb8849184a24822ef23fd8cf756d943a21dc65e1d34a

Download Submit
\Users\Admin\AppData\Local\Temp\9C4FAD~1.DLL

MD5
0416e479b158a2231a0d9c34b451d03a

SHA1
1b3318b838a70ae3807d19c019a73fd9ae2bf6c2

SHA256
64e9c2f91efb0c7071c79893b555cec3dee00d404e0118c676e15c83989e845a

SHA512
ce9711f9e8302fc2aa4371c8f27d747d3d49382977c14fa693ee84df7be2c36f52c3547ea85a5047166feb8849184a24822ef23fd8cf756d943a21dc65e1d34a

Download Submit
\Users\Admin\AppData\Local\Temp\9C4FAD~1.DLL

MD5
0416e479b158a2231a0d9c34b451d03a

SHA1
1b3318b838a70ae3807d19c019a73fd9ae2bf6c2

SHA256
64e9c2f91efb0c7071c79893b555cec3dee00d404e0118c676e15c83989e845a

SHA512
ce9711f9e8302fc2aa4371c8f27d747d3d49382977c14fa693ee84df7be2c36f52c3547ea85a5047166feb8849184a24822ef23fd8cf756d943a21dc65e1d34a

Download Submit
memory/2040-1-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/2140-2-0x0000000000000000-mapping.dmp

Download
memory/2196-6-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads