danabot | de146c4ebb0ba2850b93cb358f78b671f50724c9710127d6755c1c2f2f23d698

Target

dan777.bin.exe
Size

2.3MB
MD5

565a67a6dff8d567038d9fe8c7fa0024
SHA1

a3f8c5b142a8fbeb72664d521dfe91e4939eaffe
SHA256

de146c4ebb0ba2850b93cb358f78b671f50724c9710127d6755c1c2f2f23d698
SHA512

f075b5ebf4ff35ce85ba5cf15ebfb3da760a67daa23c294545630c1d1a62d02a5282c5a24b82fd9fc5285ce68b6e6b79185c6e8812e882a058ae3ee3ca555022

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

73.48.92.89

193.144.40.26

219.30.45.197

95.179.168.37

151.236.14.84

142.181.133.99

234.63.35.120

74.12.197.16

85.229.148.210

117.69.242.3

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 5 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\dan777.dll	family_danabot
\Users\Admin\AppData\Local\Temp\dan777.dll	family_danabot
\Users\Admin\AppData\Local\Temp\dan777.dll	family_danabot
\Users\Admin\AppData\Local\Temp\dan777.dll	family_danabot
\Users\Admin\AppData\Local\Temp\dan777.dll	family_danabot

Blocklisted process makes network request 7 IoCs

Processes:

rundll32.exe

flow pid process

9 1544 rundll32.exe
10 1544 rundll32.exe
12 1544 rundll32.exe
13 1544 rundll32.exe
14 1544 rundll32.exe
15 1544 rundll32.exe
16 1544 rundll32.exe
Loads dropped DLL 4 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

1260 regsvr32.exe
1260 regsvr32.exe
1544 rundll32.exe
1544 rundll32.exe

flow	pid	process
9	1544	rundll32.exe
10	1544	rundll32.exe
12	1544	rundll32.exe
13	1544	rundll32.exe
14	1544	rundll32.exe
15	1544	rundll32.exe
16	1544	rundll32.exe

pid	process
1260	regsvr32.exe
1260	regsvr32.exe
1544	rundll32.exe
1544	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

dan777.bin.exeregsvr32.exe

description	pid	process	target process
PID 2720 wrote to memory of 1260	2720	dan777.bin.exe	regsvr32.exe
PID 2720 wrote to memory of 1260	2720	dan777.bin.exe	regsvr32.exe
PID 2720 wrote to memory of 1260	2720	dan777.bin.exe	regsvr32.exe
PID 1260 wrote to memory of 1544	1260	regsvr32.exe	rundll32.exe
PID 1260 wrote to memory of 1544	1260	regsvr32.exe	rundll32.exe
PID 1260 wrote to memory of 1544	1260	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\dan777.bin.exe
"C:\Users\Admin\AppData\Local\Temp\dan777.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\dan777.dll f1 C:\Users\Admin\AppData\Local\Temp\DAN777~1.EXE@2720
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\dan777.dll,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1544

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dan777.dll
MD5
28c1aecd73e803ab59c0a24cf195057e

SHA1
fe022eb915ce2d521539dafe0d0d6d60cbb978e7

SHA256
c7a7449f51761699ebe8e133898fba97b86224d6b13df67a5cffd85168203bb6

SHA512
fb5128956e76c79835ab0b4cea52aa002203eb4ee318b94985e54a58330cebfccc966f00ef88d5f08f52a4e10925399b7436146ac14dba77aedf40e1a690f76d

Download Submit
\Users\Admin\AppData\Local\Temp\dan777.dll
MD5
28c1aecd73e803ab59c0a24cf195057e

SHA1
fe022eb915ce2d521539dafe0d0d6d60cbb978e7

SHA256
c7a7449f51761699ebe8e133898fba97b86224d6b13df67a5cffd85168203bb6

SHA512
fb5128956e76c79835ab0b4cea52aa002203eb4ee318b94985e54a58330cebfccc966f00ef88d5f08f52a4e10925399b7436146ac14dba77aedf40e1a690f76d

Download Submit
\Users\Admin\AppData\Local\Temp\dan777.dll
MD5
28c1aecd73e803ab59c0a24cf195057e

SHA1
fe022eb915ce2d521539dafe0d0d6d60cbb978e7

SHA256
c7a7449f51761699ebe8e133898fba97b86224d6b13df67a5cffd85168203bb6

SHA512
fb5128956e76c79835ab0b4cea52aa002203eb4ee318b94985e54a58330cebfccc966f00ef88d5f08f52a4e10925399b7436146ac14dba77aedf40e1a690f76d

Download Submit
\Users\Admin\AppData\Local\Temp\dan777.dll
MD5
28c1aecd73e803ab59c0a24cf195057e

SHA1
fe022eb915ce2d521539dafe0d0d6d60cbb978e7

SHA256
c7a7449f51761699ebe8e133898fba97b86224d6b13df67a5cffd85168203bb6

SHA512
fb5128956e76c79835ab0b4cea52aa002203eb4ee318b94985e54a58330cebfccc966f00ef88d5f08f52a4e10925399b7436146ac14dba77aedf40e1a690f76d

Download Submit
\Users\Admin\AppData\Local\Temp\dan777.dll
MD5
28c1aecd73e803ab59c0a24cf195057e

SHA1
fe022eb915ce2d521539dafe0d0d6d60cbb978e7

SHA256
c7a7449f51761699ebe8e133898fba97b86224d6b13df67a5cffd85168203bb6

SHA512
fb5128956e76c79835ab0b4cea52aa002203eb4ee318b94985e54a58330cebfccc966f00ef88d5f08f52a4e10925399b7436146ac14dba77aedf40e1a690f76d

Download Submit
memory/1260-0-0x0000000000000000-mapping.dmp

Download
memory/1544-4-0x0000000000000000-mapping.dmp

Download