danabot | 866cc919f19b7c69e5df4f71e45d1fa6e29b432bc4ce5d91c3dcf7b850efa071

General

Target

41c1de9a20f1e4083884825f4329dd95.exe
Size

2.7MB
MD5

41c1de9a20f1e4083884825f4329dd95
SHA1

551686ccbd2974579b788b44df091933e62afb7d
SHA256

866cc919f19b7c69e5df4f71e45d1fa6e29b432bc4ce5d91c3dcf7b850efa071
SHA512

75c150cfc72af2f493839711b2495079683e9d282b7f2a7f18369ec831697dc285b4a2d5acd5e063c1cadcdbc33630a314abe6a6f9e08bee0b12ec518b87d260

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

C2

185.227.138.47

38.68.50.140

2.56.212.64

38.68.50.172

172.241.27.92

193.34.167.159

179.43.133.50

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 6 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\41C1DE~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\41C1DE~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\41C1DE~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\41C1DE~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\41C1DE~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\41C1DE~1.DLL	family_danabot

Blocklisted process makes network request 7 IoCs

Processes:

rundll32.exe

flow pid process

2 1192 rundll32.exe
5 1192 rundll32.exe
6 1192 rundll32.exe
9 1192 rundll32.exe
10 1192 rundll32.exe
11 1192 rundll32.exe
14 1192 rundll32.exe
Loads dropped DLL 5 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

1636 regsvr32.exe
1192 rundll32.exe
1192 rundll32.exe
1192 rundll32.exe
1192 rundll32.exe

flow	pid	process
2	1192	rundll32.exe
5	1192	rundll32.exe
6	1192	rundll32.exe
9	1192	rundll32.exe
10	1192	rundll32.exe
11	1192	rundll32.exe
14	1192	rundll32.exe

pid	process
1636	regsvr32.exe
1192	rundll32.exe
1192	rundll32.exe
1192	rundll32.exe
1192	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

41c1de9a20f1e4083884825f4329dd95.exeregsvr32.exe

description	pid	process	target process
PID 1764 wrote to memory of 1636	1764	41c1de9a20f1e4083884825f4329dd95.exe	regsvr32.exe
PID 1764 wrote to memory of 1636	1764	41c1de9a20f1e4083884825f4329dd95.exe	regsvr32.exe
PID 1764 wrote to memory of 1636	1764	41c1de9a20f1e4083884825f4329dd95.exe	regsvr32.exe
PID 1764 wrote to memory of 1636	1764	41c1de9a20f1e4083884825f4329dd95.exe	regsvr32.exe
PID 1764 wrote to memory of 1636	1764	41c1de9a20f1e4083884825f4329dd95.exe	regsvr32.exe
PID 1764 wrote to memory of 1636	1764	41c1de9a20f1e4083884825f4329dd95.exe	regsvr32.exe
PID 1764 wrote to memory of 1636	1764	41c1de9a20f1e4083884825f4329dd95.exe	regsvr32.exe
PID 1636 wrote to memory of 1192	1636	regsvr32.exe	rundll32.exe
PID 1636 wrote to memory of 1192	1636	regsvr32.exe	rundll32.exe
PID 1636 wrote to memory of 1192	1636	regsvr32.exe	rundll32.exe
PID 1636 wrote to memory of 1192	1636	regsvr32.exe	rundll32.exe
PID 1636 wrote to memory of 1192	1636	regsvr32.exe	rundll32.exe
PID 1636 wrote to memory of 1192	1636	regsvr32.exe	rundll32.exe
PID 1636 wrote to memory of 1192	1636	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\41c1de9a20f1e4083884825f4329dd95.exe
"C:\Users\Admin\AppData\Local\Temp\41c1de9a20f1e4083884825f4329dd95.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\41C1DE~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\41C1DE~1.EXE@1764
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\41C1DE~1.DLL,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1192

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\41C1DE~1.DLL
MD5
62fd3048bbba61c4c1d6ad91e48f6565

SHA1
e055093b13669189b073d7f1d7f80ac2d683d98e

SHA256
75394da6ba52a8f64db19af071723afc5b472100bc95d54509b74e1a16a31a3e

SHA512
63790754a2ee485d593d9b1d0bc023ab665db48f4c1e7bf8f9188e30016b1078e2fd7c6222c3ddb0178243f9092a6b55deb07705240b62faf3b7117dc4ad6ca2

Download Submit
\Users\Admin\AppData\Local\Temp\41C1DE~1.DLL
MD5
62fd3048bbba61c4c1d6ad91e48f6565

SHA1
e055093b13669189b073d7f1d7f80ac2d683d98e

SHA256
75394da6ba52a8f64db19af071723afc5b472100bc95d54509b74e1a16a31a3e

SHA512
63790754a2ee485d593d9b1d0bc023ab665db48f4c1e7bf8f9188e30016b1078e2fd7c6222c3ddb0178243f9092a6b55deb07705240b62faf3b7117dc4ad6ca2

Download Submit
\Users\Admin\AppData\Local\Temp\41C1DE~1.DLL
MD5
62fd3048bbba61c4c1d6ad91e48f6565

SHA1
e055093b13669189b073d7f1d7f80ac2d683d98e

SHA256
75394da6ba52a8f64db19af071723afc5b472100bc95d54509b74e1a16a31a3e

SHA512
63790754a2ee485d593d9b1d0bc023ab665db48f4c1e7bf8f9188e30016b1078e2fd7c6222c3ddb0178243f9092a6b55deb07705240b62faf3b7117dc4ad6ca2

Download Submit
\Users\Admin\AppData\Local\Temp\41C1DE~1.DLL
MD5
62fd3048bbba61c4c1d6ad91e48f6565

SHA1
e055093b13669189b073d7f1d7f80ac2d683d98e

SHA256
75394da6ba52a8f64db19af071723afc5b472100bc95d54509b74e1a16a31a3e

SHA512
63790754a2ee485d593d9b1d0bc023ab665db48f4c1e7bf8f9188e30016b1078e2fd7c6222c3ddb0178243f9092a6b55deb07705240b62faf3b7117dc4ad6ca2

Download Submit
\Users\Admin\AppData\Local\Temp\41C1DE~1.DLL
MD5
62fd3048bbba61c4c1d6ad91e48f6565

SHA1
e055093b13669189b073d7f1d7f80ac2d683d98e

SHA256
75394da6ba52a8f64db19af071723afc5b472100bc95d54509b74e1a16a31a3e

SHA512
63790754a2ee485d593d9b1d0bc023ab665db48f4c1e7bf8f9188e30016b1078e2fd7c6222c3ddb0178243f9092a6b55deb07705240b62faf3b7117dc4ad6ca2

Download Submit
\Users\Admin\AppData\Local\Temp\41C1DE~1.DLL
MD5
62fd3048bbba61c4c1d6ad91e48f6565

SHA1
e055093b13669189b073d7f1d7f80ac2d683d98e

SHA256
75394da6ba52a8f64db19af071723afc5b472100bc95d54509b74e1a16a31a3e

SHA512
63790754a2ee485d593d9b1d0bc023ab665db48f4c1e7bf8f9188e30016b1078e2fd7c6222c3ddb0178243f9092a6b55deb07705240b62faf3b7117dc4ad6ca2

Download Submit
memory/1192-5-0x0000000000000000-mapping.dmp

Download
memory/1636-2-0x0000000000000000-mapping.dmp

Download
memory/1764-0-0x0000000002470000-0x00000000026E7000-memory.dmp

Filesize
2.5MB

Download
memory/1764-1-0x00000000026F0000-0x0000000002701000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing