danabot | 95a90fbde8c6cc25ac3ebbc1bc9602a8a656a6c6d29e47378cca197c7018df02

General

Target

2684e7971b92bd1b19265cf328b64ca8.exe
Size

2.5MB
MD5

2684e7971b92bd1b19265cf328b64ca8
SHA1

141dde31d7e8f014b187bfbaa9d0d9abf5c9c2e8
SHA256

95a90fbde8c6cc25ac3ebbc1bc9602a8a656a6c6d29e47378cca197c7018df02
SHA512

37eae00d3006de093b1e236a5e506af322a94db677f59de29b5bd4d22c623b2bc4ddd34e8b042d62c9cdd082c0352aea94e06e346bbf75eb771a54b419ef0e37

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

C2

142.11.240.144

45.153.243.113

88.150.227.95

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 4 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\2684E7~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\2684E7~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\2684E7~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\2684E7~1.DLL	family_danabot

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 2056 created 3008 2056 WerFault.exe 2684e7971b92bd1b19265cf328b64ca8.exe
Blocklisted process makes network request 6 IoCs

Processes:

rundll32.exe

flow pid process

12 3320 rundll32.exe
15 3320 rundll32.exe
16 3320 rundll32.exe
17 3320 rundll32.exe
18 3320 rundll32.exe
19 3320 rundll32.exe
Loads dropped DLL 3 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

1004 regsvr32.exe
3320 rundll32.exe
3320 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2056 3008 WerFault.exe 2684e7971b92bd1b19265cf328b64ca8.exe

description	pid	process	target process
PID 2056 created 3008	2056	WerFault.exe	2684e7971b92bd1b19265cf328b64ca8.exe

flow	pid	process
12	3320	rundll32.exe
15	3320	rundll32.exe
16	3320	rundll32.exe
17	3320	rundll32.exe
18	3320	rundll32.exe
19	3320	rundll32.exe

pid	process
1004	regsvr32.exe
3320	rundll32.exe
3320	rundll32.exe

pid	pid_target	process	target process
2056	3008	WerFault.exe	2684e7971b92bd1b19265cf328b64ca8.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2056 WerFault.exe
Token: SeBackupPrivilege 2056 WerFault.exe
Token: SeDebugPrivilege 2056 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	2056	WerFault.exe
Token: SeBackupPrivilege	2056	WerFault.exe
Token: SeDebugPrivilege	2056	WerFault.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

2684e7971b92bd1b19265cf328b64ca8.exeregsvr32.exe

description	pid	process	target process
PID 3008 wrote to memory of 1004	3008	2684e7971b92bd1b19265cf328b64ca8.exe	regsvr32.exe
PID 3008 wrote to memory of 1004	3008	2684e7971b92bd1b19265cf328b64ca8.exe	regsvr32.exe
PID 3008 wrote to memory of 1004	3008	2684e7971b92bd1b19265cf328b64ca8.exe	regsvr32.exe
PID 1004 wrote to memory of 3320	1004	regsvr32.exe	rundll32.exe
PID 1004 wrote to memory of 3320	1004	regsvr32.exe	rundll32.exe
PID 1004 wrote to memory of 3320	1004	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\2684e7971b92bd1b19265cf328b64ca8.exe
"C:\Users\Admin\AppData\Local\Temp\2684e7971b92bd1b19265cf328b64ca8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\2684E7~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\2684E7~1.EXE@3008
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1004

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\2684E7~1.DLL,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:3320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 424
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2056

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2684E7~1.DLL
MD5
4b1759cc40e9d935ef47c57deb4608ab

SHA1
e1ffbef9c1f07394d03b8af8f666df9f980c0626

SHA256
91f107648a048f50e25c350d3e2c6c94e3f39775815179e011fed5548fde7917

SHA512
18829e61de42f0dfb01186abe334141bf0e3d649c015298727c857300ba3d95e9286b4edf59422292e39c39a956f0aced51a6596b7cf5979c023b82344adb082

Download Submit
\Users\Admin\AppData\Local\Temp\2684E7~1.DLL
MD5
4b1759cc40e9d935ef47c57deb4608ab

SHA1
e1ffbef9c1f07394d03b8af8f666df9f980c0626

SHA256
91f107648a048f50e25c350d3e2c6c94e3f39775815179e011fed5548fde7917

SHA512
18829e61de42f0dfb01186abe334141bf0e3d649c015298727c857300ba3d95e9286b4edf59422292e39c39a956f0aced51a6596b7cf5979c023b82344adb082

Download Submit
\Users\Admin\AppData\Local\Temp\2684E7~1.DLL
MD5
4b1759cc40e9d935ef47c57deb4608ab

SHA1
e1ffbef9c1f07394d03b8af8f666df9f980c0626

SHA256
91f107648a048f50e25c350d3e2c6c94e3f39775815179e011fed5548fde7917

SHA512
18829e61de42f0dfb01186abe334141bf0e3d649c015298727c857300ba3d95e9286b4edf59422292e39c39a956f0aced51a6596b7cf5979c023b82344adb082

Download Submit
\Users\Admin\AppData\Local\Temp\2684E7~1.DLL
MD5
4b1759cc40e9d935ef47c57deb4608ab

SHA1
e1ffbef9c1f07394d03b8af8f666df9f980c0626

SHA256
91f107648a048f50e25c350d3e2c6c94e3f39775815179e011fed5548fde7917

SHA512
18829e61de42f0dfb01186abe334141bf0e3d649c015298727c857300ba3d95e9286b4edf59422292e39c39a956f0aced51a6596b7cf5979c023b82344adb082

Download Submit
memory/1004-2-0x0000000000000000-mapping.dmp

Download
memory/2056-5-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/2056-6-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/2056-12-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/3008-1-0x00000000010E0000-0x00000000010E1000-memory.dmp

Filesize
4KB

Download
memory/3320-8-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads