danabot | 5137839a49af8a01ab62a213c963ad63c77dcfda6b107d46709aecebe3c4f415

Analysis

max time kernel
127s
max time network
120s
platform
windows10_x64
resource
win10
submitted
08/07/2020, 09:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Generic.mg.d1ad5859f4298afb.21100.exe
Size

2.7MB
MD5

d1ad5859f4298afb39f9747460c9f499
SHA1

22b1e4142b34c3113772c31fe991c924c17ffaec
SHA256

5137839a49af8a01ab62a213c963ad63c77dcfda6b107d46709aecebe3c4f415
SHA512

be41fc0005263508df8020da14108bd46ab0938fa712e8222c43c5349f36d42296d97858eb610cb4af3cac24d056f16fc3a118d933f57dba979fc2735e2a45e2

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

92.204.160.126

195.133.147.230

185.136.167.253

46.19.136.203

45.138.172.157

185.227.138.52

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 5 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

resource	yara_rule
behavioral2/files/0x000200000001ad84-3.dat	family_danabot
behavioral2/files/0x000200000001ad84-4.dat	family_danabot
behavioral2/files/0x000200000001ad84-5.dat	family_danabot
behavioral2/files/0x000200000001ad84-8.dat	family_danabot
behavioral2/files/0x000200000001ad84-7.dat	family_danabot

Blocklisted process makes network request 10 IoCs

flow	pid	Process
1	3036	rundll32.exe
2	3036	rundll32.exe
3	3036	rundll32.exe
4	3036	rundll32.exe
5	3036	rundll32.exe
7	3036	rundll32.exe
8	3036	rundll32.exe
9	3036	rundll32.exe
10	3036	rundll32.exe
11	3036	rundll32.exe

Loads dropped DLL 4 IoCs

pid	Process
3052	regsvr32.exe
3052	regsvr32.exe
3036	rundll32.exe
3036	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 384 wrote to memory of 3052	384	SecuriteInfo.com.Generic.mg.d1ad5859f4298afb.21100.exe	68
PID 384 wrote to memory of 3052	384	SecuriteInfo.com.Generic.mg.d1ad5859f4298afb.21100.exe	68
PID 384 wrote to memory of 3052	384	SecuriteInfo.com.Generic.mg.d1ad5859f4298afb.21100.exe	68
PID 3052 wrote to memory of 3036	3052	regsvr32.exe	69
PID 3052 wrote to memory of 3036	3052	regsvr32.exe	69
PID 3052 wrote to memory of 3036	3052	regsvr32.exe	69

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.d1ad5859f4298afb.21100.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.d1ad5859f4298afb.21100.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:384
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\SECURI~1.EXE@384
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL,f0
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:3036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/384-1-0x0000000003BA0000-0x0000000003BA1000-memory.dmp

Filesize
4KB

Download