Analysis

  • max time kernel
    142s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    29-06-2020 10:28

General

  • Target

    9c4fade08ddee2e8d0dfc518414b188e6fd74f0d08260f8b2b9b1b0da3dc518e.exe

  • Size

    2.6MB

  • MD5

    b12860db0af66cd54096834f586a31f7

  • SHA1

    0407873ba5b9312f6f5d3a657721f054a74f4d87

  • SHA256

    9c4fade08ddee2e8d0dfc518414b188e6fd74f0d08260f8b2b9b1b0da3dc518e

  • SHA512

    0a252da57e3d104cb4f004cfb1faec931f110146804a04d6753579e7db2eeb007470bc9ec275daace4b133a10536340a291829cae977c57aa946cf661533203f

Malware Config

Extracted

Family

danabot

C2

137.74.66.92

185.227.138.52

192.236.146.249

172.93.201.168

193.34.166.244

23.83.133.10

rsa_pubkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Danabot x86 payload 4 IoCs

    Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

  • Blocklisted process makes network request 8 IoCs
  • Loads dropped DLL 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9c4fade08ddee2e8d0dfc518414b188e6fd74f0d08260f8b2b9b1b0da3dc518e.exe
    "C:\Users\Admin\AppData\Local\Temp\9c4fade08ddee2e8d0dfc518414b188e6fd74f0d08260f8b2b9b1b0da3dc518e.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\9C4FAD~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\9C4FAD~1.EXE@2040
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2140
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\9C4FAD~1.DLL,f0
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        PID:2196

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\9C4FAD~1.DLL
    MD5

    0416e479b158a2231a0d9c34b451d03a

    SHA1

    1b3318b838a70ae3807d19c019a73fd9ae2bf6c2

    SHA256

    64e9c2f91efb0c7071c79893b555cec3dee00d404e0118c676e15c83989e845a

    SHA512

    ce9711f9e8302fc2aa4371c8f27d747d3d49382977c14fa693ee84df7be2c36f52c3547ea85a5047166feb8849184a24822ef23fd8cf756d943a21dc65e1d34a

  • \Users\Admin\AppData\Local\Temp\9C4FAD~1.DLL
    MD5

    0416e479b158a2231a0d9c34b451d03a

    SHA1

    1b3318b838a70ae3807d19c019a73fd9ae2bf6c2

    SHA256

    64e9c2f91efb0c7071c79893b555cec3dee00d404e0118c676e15c83989e845a

    SHA512

    ce9711f9e8302fc2aa4371c8f27d747d3d49382977c14fa693ee84df7be2c36f52c3547ea85a5047166feb8849184a24822ef23fd8cf756d943a21dc65e1d34a

  • \Users\Admin\AppData\Local\Temp\9C4FAD~1.DLL
    MD5

    0416e479b158a2231a0d9c34b451d03a

    SHA1

    1b3318b838a70ae3807d19c019a73fd9ae2bf6c2

    SHA256

    64e9c2f91efb0c7071c79893b555cec3dee00d404e0118c676e15c83989e845a

    SHA512

    ce9711f9e8302fc2aa4371c8f27d747d3d49382977c14fa693ee84df7be2c36f52c3547ea85a5047166feb8849184a24822ef23fd8cf756d943a21dc65e1d34a

  • \Users\Admin\AppData\Local\Temp\9C4FAD~1.DLL
    MD5

    0416e479b158a2231a0d9c34b451d03a

    SHA1

    1b3318b838a70ae3807d19c019a73fd9ae2bf6c2

    SHA256

    64e9c2f91efb0c7071c79893b555cec3dee00d404e0118c676e15c83989e845a

    SHA512

    ce9711f9e8302fc2aa4371c8f27d747d3d49382977c14fa693ee84df7be2c36f52c3547ea85a5047166feb8849184a24822ef23fd8cf756d943a21dc65e1d34a

  • memory/2040-1-0x0000000000EF0000-0x0000000000EF1000-memory.dmp
    Filesize

    4KB

  • memory/2140-2-0x0000000000000000-mapping.dmp
  • memory/2196-6-0x0000000000000000-mapping.dmp