danabot | 9d96347ba7dd239d6a6b667242965905d6e96114281cd7a18812e901712a8303

General

Target

2571146d6b6333713a56e5d5adf128ea.exe
Size

2.6MB
MD5

2571146d6b6333713a56e5d5adf128ea
SHA1

d55355b911ecd28b632f56374ac8c885935846b7
SHA256

9d96347ba7dd239d6a6b667242965905d6e96114281cd7a18812e901712a8303
SHA512

50ee2625cb71b381065b488705c19e4b4b7c7d5d2ac62977d6cf69d73ecc9da3df12e6e61e7ad6a9bf510a6a6bb7da22346393f0362262d893a8b7b9778dae18

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

C2

142.11.240.144

45.153.243.113

88.150.227.95

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 3 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\257114~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\257114~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\257114~1.DLL	family_danabot

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 3124 created 4004 3124 WerFault.exe 2571146d6b6333713a56e5d5adf128ea.exe
Blocklisted process makes network request 6 IoCs

Processes:

rundll32.exe

flow pid process

16 3888 rundll32.exe
17 3888 rundll32.exe
18 3888 rundll32.exe
19 3888 rundll32.exe
20 3888 rundll32.exe
21 3888 rundll32.exe
Loads dropped DLL 2 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

2408 regsvr32.exe
3888 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3124 4004 WerFault.exe 2571146d6b6333713a56e5d5adf128ea.exe

description	pid	process	target process
PID 3124 created 4004	3124	WerFault.exe	2571146d6b6333713a56e5d5adf128ea.exe

flow	pid	process
16	3888	rundll32.exe
17	3888	rundll32.exe
18	3888	rundll32.exe
19	3888	rundll32.exe
20	3888	rundll32.exe
21	3888	rundll32.exe

pid	process
2408	regsvr32.exe
3888	rundll32.exe

pid	pid_target	process	target process
3124	4004	WerFault.exe	2571146d6b6333713a56e5d5adf128ea.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
3124	WerFault.exe
3124	WerFault.exe
3124	WerFault.exe
3124	WerFault.exe
3124	WerFault.exe
3124	WerFault.exe
3124	WerFault.exe
3124	WerFault.exe
3124	WerFault.exe
3124	WerFault.exe
3124	WerFault.exe
3124	WerFault.exe
3124	WerFault.exe
3124	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3124 WerFault.exe
Token: SeBackupPrivilege 3124 WerFault.exe
Token: SeDebugPrivilege 3124 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	3124	WerFault.exe
Token: SeBackupPrivilege	3124	WerFault.exe
Token: SeDebugPrivilege	3124	WerFault.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

2571146d6b6333713a56e5d5adf128ea.exeregsvr32.exe

description	pid	process	target process
PID 4004 wrote to memory of 2408	4004	2571146d6b6333713a56e5d5adf128ea.exe	regsvr32.exe
PID 4004 wrote to memory of 2408	4004	2571146d6b6333713a56e5d5adf128ea.exe	regsvr32.exe
PID 4004 wrote to memory of 2408	4004	2571146d6b6333713a56e5d5adf128ea.exe	regsvr32.exe
PID 2408 wrote to memory of 3888	2408	regsvr32.exe	rundll32.exe
PID 2408 wrote to memory of 3888	2408	regsvr32.exe	rundll32.exe
PID 2408 wrote to memory of 3888	2408	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\2571146d6b6333713a56e5d5adf128ea.exe
"C:\Users\Admin\AppData\Local\Temp\2571146d6b6333713a56e5d5adf128ea.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4004

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\257114~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\257114~1.EXE@4004
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\257114~1.DLL,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:3888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 396
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3124

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\257114~1.DLL
MD5
4b1759cc40e9d935ef47c57deb4608ab

SHA1
e1ffbef9c1f07394d03b8af8f666df9f980c0626

SHA256
91f107648a048f50e25c350d3e2c6c94e3f39775815179e011fed5548fde7917

SHA512
18829e61de42f0dfb01186abe334141bf0e3d649c015298727c857300ba3d95e9286b4edf59422292e39c39a956f0aced51a6596b7cf5979c023b82344adb082

Download Submit
\Users\Admin\AppData\Local\Temp\257114~1.DLL
MD5
4b1759cc40e9d935ef47c57deb4608ab

SHA1
e1ffbef9c1f07394d03b8af8f666df9f980c0626

SHA256
91f107648a048f50e25c350d3e2c6c94e3f39775815179e011fed5548fde7917

SHA512
18829e61de42f0dfb01186abe334141bf0e3d649c015298727c857300ba3d95e9286b4edf59422292e39c39a956f0aced51a6596b7cf5979c023b82344adb082

Download Submit
\Users\Admin\AppData\Local\Temp\257114~1.DLL
MD5
4b1759cc40e9d935ef47c57deb4608ab

SHA1
e1ffbef9c1f07394d03b8af8f666df9f980c0626

SHA256
91f107648a048f50e25c350d3e2c6c94e3f39775815179e011fed5548fde7917

SHA512
18829e61de42f0dfb01186abe334141bf0e3d649c015298727c857300ba3d95e9286b4edf59422292e39c39a956f0aced51a6596b7cf5979c023b82344adb082

Download Submit
memory/2408-2-0x0000000000000000-mapping.dmp

Download
memory/3124-5-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/3124-6-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/3124-11-0x0000000005280000-0x0000000005281000-memory.dmp

Filesize
4KB

Download
memory/3888-9-0x0000000000000000-mapping.dmp

Download
memory/4004-1-0x00000000011F0000-0x00000000011F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads