Overview

overview

10

Static

static

41c1de9a20...95.exe

windows7_x64

10

41c1de9a20...95.exe

windows10_x64

10

Analysis

  • max time kernel
    134s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    09-11-2020 20:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    41c1de9a20f1e4083884825f4329dd95.exe

  • Size

    2.7MB

  • MD5

    41c1de9a20f1e4083884825f4329dd95

  • SHA1

    551686ccbd2974579b788b44df091933e62afb7d

  • SHA256

    866cc919f19b7c69e5df4f71e45d1fa6e29b432bc4ce5d91c3dcf7b850efa071

  • SHA512

    75c150cfc72af2f493839711b2495079683e9d282b7f2a7f18369ec831697dc285b4a2d5acd5e063c1cadcdbc33630a314abe6a6f9e08bee0b12ec518b87d260

Score
10/10
danabotbankerbotnettrojan

Malware Config

Extracted

Family

danabot

C2

185.227.138.47

38.68.50.140

2.56.212.64

38.68.50.172

172.241.27.92

193.34.167.159

179.43.133.50
rsa_pubkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Danabot x86 payload 4 IoCs

    Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

    botnet
  • Blocklisted process makes network request 7 IoCs
  • Loads dropped DLL 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\41c1de9a20f1e4083884825f4329dd95.exe
    "C:\Users\Admin\AppData\Local\Temp\41c1de9a20f1e4083884825f4329dd95.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4764
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\41C1DE~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\41C1DE~1.EXE@4764
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2816
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\41C1DE~1.DLL,f0
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        PID:3324

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\41C1DE~1.DLL
    MD5

    1d17df48bdb289adca9c3e77f8f74417

    SHA1

    9f4abbe075a08211e7b374292bc07190b3f74999

    SHA256

    4f9b6310c363bc29667d6624f373a78762061fe952494a242454be6550c374da

    SHA512

    81015c6c4453b8f29a372136a8a1b7027b461421fe6b23d1a37a4c32457bca73884fd4d90584839495796a7bf4b6ac633de39dab44d3d2cd026332e9e66fbfe2

    Download Submit
  • \Users\Admin\AppData\Local\Temp\41C1DE~1.DLL
    MD5

    1d17df48bdb289adca9c3e77f8f74417

    SHA1

    9f4abbe075a08211e7b374292bc07190b3f74999

    SHA256

    4f9b6310c363bc29667d6624f373a78762061fe952494a242454be6550c374da

    SHA512

    81015c6c4453b8f29a372136a8a1b7027b461421fe6b23d1a37a4c32457bca73884fd4d90584839495796a7bf4b6ac633de39dab44d3d2cd026332e9e66fbfe2

    Download Submit
  • \Users\Admin\AppData\Local\Temp\41C1DE~1.DLL
    MD5

    1d17df48bdb289adca9c3e77f8f74417

    SHA1

    9f4abbe075a08211e7b374292bc07190b3f74999

    SHA256

    4f9b6310c363bc29667d6624f373a78762061fe952494a242454be6550c374da

    SHA512

    81015c6c4453b8f29a372136a8a1b7027b461421fe6b23d1a37a4c32457bca73884fd4d90584839495796a7bf4b6ac633de39dab44d3d2cd026332e9e66fbfe2

    Download Submit
  • \Users\Admin\AppData\Local\Temp\41C1DE~1.DLL
    MD5

    1d17df48bdb289adca9c3e77f8f74417

    SHA1

    9f4abbe075a08211e7b374292bc07190b3f74999

    SHA256

    4f9b6310c363bc29667d6624f373a78762061fe952494a242454be6550c374da

    SHA512

    81015c6c4453b8f29a372136a8a1b7027b461421fe6b23d1a37a4c32457bca73884fd4d90584839495796a7bf4b6ac633de39dab44d3d2cd026332e9e66fbfe2

    Download Submit
  • memory/2816-2-0x0000000000000000-mapping.dmp
    Download
  • memory/3324-5-0x0000000000000000-mapping.dmp
    Download
  • memory/4764-1-0x0000000002730000-0x0000000002731000-memory.dmp
    Filesize

    4KB

    Download