danabot | 5137839a49af8a01ab62a213c963ad63c77dcfda6b107d46709aecebe3c4f415

General

Target

SecuriteInfo.com.Generic.mg.d1ad5859f4298afb.21100.exe
Size

2.7MB
MD5

d1ad5859f4298afb39f9747460c9f499
SHA1

22b1e4142b34c3113772c31fe991c924c17ffaec
SHA256

5137839a49af8a01ab62a213c963ad63c77dcfda6b107d46709aecebe3c4f415
SHA512

be41fc0005263508df8020da14108bd46ab0938fa712e8222c43c5349f36d42296d97858eb610cb4af3cac24d056f16fc3a118d933f57dba979fc2735e2a45e2

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

C2

92.204.160.126

195.133.147.230

185.136.167.253

46.19.136.203

45.138.172.157

185.227.138.52

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 6 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\SECURI~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\SECURI~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\SECURI~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\SECURI~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\SECURI~1.DLL	family_danabot

Blocklisted process makes network request 10 IoCs

Processes:

rundll32.exe

flow	pid	process
1	1500	rundll32.exe
2	1500	rundll32.exe
3	1500	rundll32.exe
4	1500	rundll32.exe
5	1500	rundll32.exe
6	1500	rundll32.exe
7	1500	rundll32.exe
8	1500	rundll32.exe
9	1500	rundll32.exe
10	1500	rundll32.exe

Loads dropped DLL 5 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

1408 regsvr32.exe
1500 rundll32.exe
1500 rundll32.exe
1500 rundll32.exe
1500 rundll32.exe

pid	process
1408	regsvr32.exe
1500	rundll32.exe
1500	rundll32.exe
1500	rundll32.exe
1500	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

SecuriteInfo.com.Generic.mg.d1ad5859f4298afb.21100.exeregsvr32.exe

description	pid	process	target process
PID 904 wrote to memory of 1408	904	SecuriteInfo.com.Generic.mg.d1ad5859f4298afb.21100.exe	regsvr32.exe
PID 904 wrote to memory of 1408	904	SecuriteInfo.com.Generic.mg.d1ad5859f4298afb.21100.exe	regsvr32.exe
PID 904 wrote to memory of 1408	904	SecuriteInfo.com.Generic.mg.d1ad5859f4298afb.21100.exe	regsvr32.exe
PID 904 wrote to memory of 1408	904	SecuriteInfo.com.Generic.mg.d1ad5859f4298afb.21100.exe	regsvr32.exe
PID 904 wrote to memory of 1408	904	SecuriteInfo.com.Generic.mg.d1ad5859f4298afb.21100.exe	regsvr32.exe
PID 904 wrote to memory of 1408	904	SecuriteInfo.com.Generic.mg.d1ad5859f4298afb.21100.exe	regsvr32.exe
PID 904 wrote to memory of 1408	904	SecuriteInfo.com.Generic.mg.d1ad5859f4298afb.21100.exe	regsvr32.exe
PID 1408 wrote to memory of 1500	1408	regsvr32.exe	rundll32.exe
PID 1408 wrote to memory of 1500	1408	regsvr32.exe	rundll32.exe
PID 1408 wrote to memory of 1500	1408	regsvr32.exe	rundll32.exe
PID 1408 wrote to memory of 1500	1408	regsvr32.exe	rundll32.exe
PID 1408 wrote to memory of 1500	1408	regsvr32.exe	rundll32.exe
PID 1408 wrote to memory of 1500	1408	regsvr32.exe	rundll32.exe
PID 1408 wrote to memory of 1500	1408	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.d1ad5859f4298afb.21100.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.d1ad5859f4298afb.21100.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\SECURI~1.EXE@904
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1500

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL

MD5
748939fa8e8c5f556cecf7fc9f7d5232

SHA1
debccbb78f3d4fbe659ad765edb71b091d412898

SHA256
bfc5b48d750fdf57bc65762c4f6834880af85f6781471ce07dd407c3cb8d1cc1

SHA512
940c705039c8e65a646e6d82fa7dbe92290c11b128707d4630575149ea57e1d899c9b9fe644fc15f78e8e5bd9c71c82b0320a02ca22990a8d2b5aae5f796a1af

Download Submit
\Users\Admin\AppData\Local\Temp\SECURI~1.DLL

MD5
748939fa8e8c5f556cecf7fc9f7d5232

SHA1
debccbb78f3d4fbe659ad765edb71b091d412898

SHA256
bfc5b48d750fdf57bc65762c4f6834880af85f6781471ce07dd407c3cb8d1cc1

SHA512
940c705039c8e65a646e6d82fa7dbe92290c11b128707d4630575149ea57e1d899c9b9fe644fc15f78e8e5bd9c71c82b0320a02ca22990a8d2b5aae5f796a1af

Download Submit
\Users\Admin\AppData\Local\Temp\SECURI~1.DLL

MD5
748939fa8e8c5f556cecf7fc9f7d5232

SHA1
debccbb78f3d4fbe659ad765edb71b091d412898

SHA256
bfc5b48d750fdf57bc65762c4f6834880af85f6781471ce07dd407c3cb8d1cc1

SHA512
940c705039c8e65a646e6d82fa7dbe92290c11b128707d4630575149ea57e1d899c9b9fe644fc15f78e8e5bd9c71c82b0320a02ca22990a8d2b5aae5f796a1af

Download Submit
\Users\Admin\AppData\Local\Temp\SECURI~1.DLL

MD5
748939fa8e8c5f556cecf7fc9f7d5232

SHA1
debccbb78f3d4fbe659ad765edb71b091d412898

SHA256
bfc5b48d750fdf57bc65762c4f6834880af85f6781471ce07dd407c3cb8d1cc1

SHA512
940c705039c8e65a646e6d82fa7dbe92290c11b128707d4630575149ea57e1d899c9b9fe644fc15f78e8e5bd9c71c82b0320a02ca22990a8d2b5aae5f796a1af

Download Submit
\Users\Admin\AppData\Local\Temp\SECURI~1.DLL

MD5
748939fa8e8c5f556cecf7fc9f7d5232

SHA1
debccbb78f3d4fbe659ad765edb71b091d412898

SHA256
bfc5b48d750fdf57bc65762c4f6834880af85f6781471ce07dd407c3cb8d1cc1

SHA512
940c705039c8e65a646e6d82fa7dbe92290c11b128707d4630575149ea57e1d899c9b9fe644fc15f78e8e5bd9c71c82b0320a02ca22990a8d2b5aae5f796a1af

Download Submit
\Users\Admin\AppData\Local\Temp\SECURI~1.DLL

MD5
748939fa8e8c5f556cecf7fc9f7d5232

SHA1
debccbb78f3d4fbe659ad765edb71b091d412898

SHA256
bfc5b48d750fdf57bc65762c4f6834880af85f6781471ce07dd407c3cb8d1cc1

SHA512
940c705039c8e65a646e6d82fa7dbe92290c11b128707d4630575149ea57e1d899c9b9fe644fc15f78e8e5bd9c71c82b0320a02ca22990a8d2b5aae5f796a1af

Download Submit
memory/904-0-0x0000000003690000-0x0000000003907000-memory.dmp

Filesize
2.5MB

Download
memory/904-1-0x0000000003910000-0x0000000003921000-memory.dmp

Filesize
68KB

Download
memory/1408-2-0x0000000000000000-mapping.dmp

Download
memory/1500-5-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads