danabot | de146c4ebb0ba2850b93cb358f78b671f50724c9710127d6755c1c2f2f23d698

Target

dan777.bin.exe
Size

2.3MB
MD5

565a67a6dff8d567038d9fe8c7fa0024
SHA1

a3f8c5b142a8fbeb72664d521dfe91e4939eaffe
SHA256

de146c4ebb0ba2850b93cb358f78b671f50724c9710127d6755c1c2f2f23d698
SHA512

f075b5ebf4ff35ce85ba5cf15ebfb3da760a67daa23c294545630c1d1a62d02a5282c5a24b82fd9fc5285ce68b6e6b79185c6e8812e882a058ae3ee3ca555022

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

73.48.92.89

193.144.40.26

219.30.45.197

95.179.168.37

151.236.14.84

142.181.133.99

234.63.35.120

74.12.197.16

85.229.148.210

117.69.242.3

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 6 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\dan777.dll	family_danabot
\Users\Admin\AppData\Local\Temp\dan777.dll	family_danabot
\Users\Admin\AppData\Local\Temp\dan777.dll	family_danabot
\Users\Admin\AppData\Local\Temp\dan777.dll	family_danabot
\Users\Admin\AppData\Local\Temp\dan777.dll	family_danabot
\Users\Admin\AppData\Local\Temp\dan777.dll	family_danabot

Blocklisted process makes network request 7 IoCs

Processes:

rundll32.exe

flow pid process

3 1676 rundll32.exe
4 1676 rundll32.exe
5 1676 rundll32.exe
6 1676 rundll32.exe
7 1676 rundll32.exe
8 1676 rundll32.exe
11 1676 rundll32.exe
Loads dropped DLL 5 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

1624 regsvr32.exe
1676 rundll32.exe
1676 rundll32.exe
1676 rundll32.exe
1676 rundll32.exe

flow	pid	process
3	1676	rundll32.exe
4	1676	rundll32.exe
5	1676	rundll32.exe
6	1676	rundll32.exe
7	1676	rundll32.exe
8	1676	rundll32.exe
11	1676	rundll32.exe

pid	process
1624	regsvr32.exe
1676	rundll32.exe
1676	rundll32.exe
1676	rundll32.exe
1676	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

dan777.bin.exeregsvr32.exe

description	pid	process	target process
PID 836 wrote to memory of 1624	836	dan777.bin.exe	regsvr32.exe
PID 836 wrote to memory of 1624	836	dan777.bin.exe	regsvr32.exe
PID 836 wrote to memory of 1624	836	dan777.bin.exe	regsvr32.exe
PID 836 wrote to memory of 1624	836	dan777.bin.exe	regsvr32.exe
PID 836 wrote to memory of 1624	836	dan777.bin.exe	regsvr32.exe
PID 836 wrote to memory of 1624	836	dan777.bin.exe	regsvr32.exe
PID 836 wrote to memory of 1624	836	dan777.bin.exe	regsvr32.exe
PID 1624 wrote to memory of 1676	1624	regsvr32.exe	rundll32.exe
PID 1624 wrote to memory of 1676	1624	regsvr32.exe	rundll32.exe
PID 1624 wrote to memory of 1676	1624	regsvr32.exe	rundll32.exe
PID 1624 wrote to memory of 1676	1624	regsvr32.exe	rundll32.exe
PID 1624 wrote to memory of 1676	1624	regsvr32.exe	rundll32.exe
PID 1624 wrote to memory of 1676	1624	regsvr32.exe	rundll32.exe
PID 1624 wrote to memory of 1676	1624	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\dan777.bin.exe
"C:\Users\Admin\AppData\Local\Temp\dan777.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\dan777.dll f1 C:\Users\Admin\AppData\Local\Temp\DAN777~1.EXE@836
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\dan777.dll,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1676

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dan777.dll
MD5
21e288420d3eb5b6d5e37b83f0d2dff3

SHA1
aa0ac85c290f4de5d01fb237e24787ff4e63263d

SHA256
528f3a0e46fe32f740387f505f0fdf5d0e9bf36199d1c6a9a9eff55a53fc7cc8

SHA512
a20e9c039198aea07b3d17f26bd7a5065faac99fe42a0735353a0b148aaa246610accbcab78d75ac775f40c5387768e46b2dd51aa67564eeeb49f19521e14e5d

Download Submit
\Users\Admin\AppData\Local\Temp\dan777.dll
MD5
21e288420d3eb5b6d5e37b83f0d2dff3

SHA1
aa0ac85c290f4de5d01fb237e24787ff4e63263d

SHA256
528f3a0e46fe32f740387f505f0fdf5d0e9bf36199d1c6a9a9eff55a53fc7cc8

SHA512
a20e9c039198aea07b3d17f26bd7a5065faac99fe42a0735353a0b148aaa246610accbcab78d75ac775f40c5387768e46b2dd51aa67564eeeb49f19521e14e5d

Download Submit
\Users\Admin\AppData\Local\Temp\dan777.dll
MD5
21e288420d3eb5b6d5e37b83f0d2dff3

SHA1
aa0ac85c290f4de5d01fb237e24787ff4e63263d

SHA256
528f3a0e46fe32f740387f505f0fdf5d0e9bf36199d1c6a9a9eff55a53fc7cc8

SHA512
a20e9c039198aea07b3d17f26bd7a5065faac99fe42a0735353a0b148aaa246610accbcab78d75ac775f40c5387768e46b2dd51aa67564eeeb49f19521e14e5d

Download Submit
\Users\Admin\AppData\Local\Temp\dan777.dll
MD5
21e288420d3eb5b6d5e37b83f0d2dff3

SHA1
aa0ac85c290f4de5d01fb237e24787ff4e63263d

SHA256
528f3a0e46fe32f740387f505f0fdf5d0e9bf36199d1c6a9a9eff55a53fc7cc8

SHA512
a20e9c039198aea07b3d17f26bd7a5065faac99fe42a0735353a0b148aaa246610accbcab78d75ac775f40c5387768e46b2dd51aa67564eeeb49f19521e14e5d

Download Submit
\Users\Admin\AppData\Local\Temp\dan777.dll
MD5
21e288420d3eb5b6d5e37b83f0d2dff3

SHA1
aa0ac85c290f4de5d01fb237e24787ff4e63263d

SHA256
528f3a0e46fe32f740387f505f0fdf5d0e9bf36199d1c6a9a9eff55a53fc7cc8

SHA512
a20e9c039198aea07b3d17f26bd7a5065faac99fe42a0735353a0b148aaa246610accbcab78d75ac775f40c5387768e46b2dd51aa67564eeeb49f19521e14e5d

Download Submit
\Users\Admin\AppData\Local\Temp\dan777.dll
MD5
21e288420d3eb5b6d5e37b83f0d2dff3

SHA1
aa0ac85c290f4de5d01fb237e24787ff4e63263d

SHA256
528f3a0e46fe32f740387f505f0fdf5d0e9bf36199d1c6a9a9eff55a53fc7cc8

SHA512
a20e9c039198aea07b3d17f26bd7a5065faac99fe42a0735353a0b148aaa246610accbcab78d75ac775f40c5387768e46b2dd51aa67564eeeb49f19521e14e5d

Download Submit
memory/1624-0-0x0000000000000000-mapping.dmp

Download
memory/1676-3-0x0000000000000000-mapping.dmp

Download