danabot | 7a5bff709af4ad1e50840b0822a91edbec6ab2418e13ef1cdf30e3ea09228590

General

Target

elder.exe
Size

2.3MB
MD5

e4fc60d76aed36f58af4e8a02ac91887
SHA1

59565273a6d014865b15e81fdbbed59fc56451f0
SHA256

7a5bff709af4ad1e50840b0822a91edbec6ab2418e13ef1cdf30e3ea09228590
SHA512

5e2653cae0d078f1ed4856b196f0956f78c40c270372e1104cdca9c5d86c8e2d17516164d6d9ab7779a038a36753a82f0c1de6b859d4d8e0582d9602c477f19a

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

C2

89.44.9.132

64.188.23.70

179.43.133.35

45.147.231.218

89.45.4.126

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 6 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\elder.dll	family_danabot
\Users\Admin\AppData\Local\Temp\elder.dll	family_danabot
\Users\Admin\AppData\Local\Temp\elder.dll	family_danabot
\Users\Admin\AppData\Local\Temp\elder.dll	family_danabot
\Users\Admin\AppData\Local\Temp\elder.dll	family_danabot
\Users\Admin\AppData\Local\Temp\elder.dll	family_danabot

Blocklisted process makes network request 10 IoCs

Processes:

rundll32.exe

flow	pid	process
2	1616	rundll32.exe
3	1616	rundll32.exe
4	1616	rundll32.exe
5	1616	rundll32.exe
6	1616	rundll32.exe
7	1616	rundll32.exe
8	1616	rundll32.exe
9	1616	rundll32.exe
10	1616	rundll32.exe
11	1616	rundll32.exe

Loads dropped DLL 5 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

1564 regsvr32.exe
1616 rundll32.exe
1616 rundll32.exe
1616 rundll32.exe
1616 rundll32.exe

pid	process
1564	regsvr32.exe
1616	rundll32.exe
1616	rundll32.exe
1616	rundll32.exe
1616	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

elder.exeregsvr32.exe

description	pid	process	target process
PID 1088 wrote to memory of 1564	1088	elder.exe	regsvr32.exe
PID 1088 wrote to memory of 1564	1088	elder.exe	regsvr32.exe
PID 1088 wrote to memory of 1564	1088	elder.exe	regsvr32.exe
PID 1088 wrote to memory of 1564	1088	elder.exe	regsvr32.exe
PID 1088 wrote to memory of 1564	1088	elder.exe	regsvr32.exe
PID 1088 wrote to memory of 1564	1088	elder.exe	regsvr32.exe
PID 1088 wrote to memory of 1564	1088	elder.exe	regsvr32.exe
PID 1564 wrote to memory of 1616	1564	regsvr32.exe	rundll32.exe
PID 1564 wrote to memory of 1616	1564	regsvr32.exe	rundll32.exe
PID 1564 wrote to memory of 1616	1564	regsvr32.exe	rundll32.exe
PID 1564 wrote to memory of 1616	1564	regsvr32.exe	rundll32.exe
PID 1564 wrote to memory of 1616	1564	regsvr32.exe	rundll32.exe
PID 1564 wrote to memory of 1616	1564	regsvr32.exe	rundll32.exe
PID 1564 wrote to memory of 1616	1564	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\elder.exe
"C:\Users\Admin\AppData\Local\Temp\elder.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\elder.dll f1 C:\Users\Admin\AppData\Local\Temp\elder.exe@1088
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\elder.dll,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1616

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\elder.dll
MD5
07119b1790f56250fff9f87e81b96fc2

SHA1
400e345b7566f4d7b8c5bd460b271864a934172d

SHA256
fd9fd627f781017c2e5b375a3ac6b7f3f6e2c081d0ea093f281043d83ef04f09

SHA512
26f852057938563c10c2289706b582c86622055041b47aae29a395947a1a457649b719630ec3c995d5edf4fd9a2c581ce4a52698fa3f7e1b9ce27b8728c87dfd

Download Submit
\Users\Admin\AppData\Local\Temp\elder.dll
MD5
07119b1790f56250fff9f87e81b96fc2

SHA1
400e345b7566f4d7b8c5bd460b271864a934172d

SHA256
fd9fd627f781017c2e5b375a3ac6b7f3f6e2c081d0ea093f281043d83ef04f09

SHA512
26f852057938563c10c2289706b582c86622055041b47aae29a395947a1a457649b719630ec3c995d5edf4fd9a2c581ce4a52698fa3f7e1b9ce27b8728c87dfd

Download Submit
\Users\Admin\AppData\Local\Temp\elder.dll
MD5
07119b1790f56250fff9f87e81b96fc2

SHA1
400e345b7566f4d7b8c5bd460b271864a934172d

SHA256
fd9fd627f781017c2e5b375a3ac6b7f3f6e2c081d0ea093f281043d83ef04f09

SHA512
26f852057938563c10c2289706b582c86622055041b47aae29a395947a1a457649b719630ec3c995d5edf4fd9a2c581ce4a52698fa3f7e1b9ce27b8728c87dfd

Download Submit
\Users\Admin\AppData\Local\Temp\elder.dll
MD5
07119b1790f56250fff9f87e81b96fc2

SHA1
400e345b7566f4d7b8c5bd460b271864a934172d

SHA256
fd9fd627f781017c2e5b375a3ac6b7f3f6e2c081d0ea093f281043d83ef04f09

SHA512
26f852057938563c10c2289706b582c86622055041b47aae29a395947a1a457649b719630ec3c995d5edf4fd9a2c581ce4a52698fa3f7e1b9ce27b8728c87dfd

Download Submit
\Users\Admin\AppData\Local\Temp\elder.dll
MD5
07119b1790f56250fff9f87e81b96fc2

SHA1
400e345b7566f4d7b8c5bd460b271864a934172d

SHA256
fd9fd627f781017c2e5b375a3ac6b7f3f6e2c081d0ea093f281043d83ef04f09

SHA512
26f852057938563c10c2289706b582c86622055041b47aae29a395947a1a457649b719630ec3c995d5edf4fd9a2c581ce4a52698fa3f7e1b9ce27b8728c87dfd

Download Submit
\Users\Admin\AppData\Local\Temp\elder.dll
MD5
07119b1790f56250fff9f87e81b96fc2

SHA1
400e345b7566f4d7b8c5bd460b271864a934172d

SHA256
fd9fd627f781017c2e5b375a3ac6b7f3f6e2c081d0ea093f281043d83ef04f09

SHA512
26f852057938563c10c2289706b582c86622055041b47aae29a395947a1a457649b719630ec3c995d5edf4fd9a2c581ce4a52698fa3f7e1b9ce27b8728c87dfd

Download Submit
memory/1088-0-0x00000000020A0000-0x00000000022C1000-memory.dmp

Filesize
2.1MB

Download
memory/1088-1-0x00000000022D0000-0x00000000022E1000-memory.dmp

Filesize
68KB

Download
memory/1564-2-0x0000000000000000-mapping.dmp

Download
memory/1616-5-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads