danabot | ba3478006a8f45f9979a6f2f363933093cd063f7845c85dc604c374481347c20

General

Target

1e1cddbcfb56b0f20604fa6db7c9d8b4.exe
Size

2.7MB
MD5

1e1cddbcfb56b0f20604fa6db7c9d8b4
SHA1

c3ab4a02f2b9f53964d6ac8d26fd65f2a9bfa80f
SHA256

ba3478006a8f45f9979a6f2f363933093cd063f7845c85dc604c374481347c20
SHA512

c3db9d3099ebc810fbdd0f777efd8cca0ae87b59913dbe8bac7010fc484d2df092069e167b27bd49a2d1af997e2fb4a7e001db3e414f14b35a6b86ade15a54bf

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

C2

179.43.133.50

193.34.166.141

23.108.57.107

185.227.138.47

104.168.213.174

23.106.123.48

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 6 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1E1CDD~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\1E1CDD~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\1E1CDD~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\1E1CDD~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\1E1CDD~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\1E1CDD~1.DLL	family_danabot

Blocklisted process makes network request 10 IoCs

Processes:

rundll32.exe

flow	pid	process
3	1660	rundll32.exe
4	1660	rundll32.exe
5	1660	rundll32.exe
6	1660	rundll32.exe
9	1660	rundll32.exe
10	1660	rundll32.exe
11	1660	rundll32.exe
12	1660	rundll32.exe
13	1660	rundll32.exe
14	1660	rundll32.exe

Loads dropped DLL 5 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

1840 regsvr32.exe
1660 rundll32.exe
1660 rundll32.exe
1660 rundll32.exe
1660 rundll32.exe

pid	process
1840	regsvr32.exe
1660	rundll32.exe
1660	rundll32.exe
1660	rundll32.exe
1660	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

1e1cddbcfb56b0f20604fa6db7c9d8b4.exeregsvr32.exe

description	pid	process	target process
PID 2028 wrote to memory of 1840	2028	1e1cddbcfb56b0f20604fa6db7c9d8b4.exe	regsvr32.exe
PID 2028 wrote to memory of 1840	2028	1e1cddbcfb56b0f20604fa6db7c9d8b4.exe	regsvr32.exe
PID 2028 wrote to memory of 1840	2028	1e1cddbcfb56b0f20604fa6db7c9d8b4.exe	regsvr32.exe
PID 2028 wrote to memory of 1840	2028	1e1cddbcfb56b0f20604fa6db7c9d8b4.exe	regsvr32.exe
PID 2028 wrote to memory of 1840	2028	1e1cddbcfb56b0f20604fa6db7c9d8b4.exe	regsvr32.exe
PID 2028 wrote to memory of 1840	2028	1e1cddbcfb56b0f20604fa6db7c9d8b4.exe	regsvr32.exe
PID 2028 wrote to memory of 1840	2028	1e1cddbcfb56b0f20604fa6db7c9d8b4.exe	regsvr32.exe
PID 1840 wrote to memory of 1660	1840	regsvr32.exe	rundll32.exe
PID 1840 wrote to memory of 1660	1840	regsvr32.exe	rundll32.exe
PID 1840 wrote to memory of 1660	1840	regsvr32.exe	rundll32.exe
PID 1840 wrote to memory of 1660	1840	regsvr32.exe	rundll32.exe
PID 1840 wrote to memory of 1660	1840	regsvr32.exe	rundll32.exe
PID 1840 wrote to memory of 1660	1840	regsvr32.exe	rundll32.exe
PID 1840 wrote to memory of 1660	1840	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\1e1cddbcfb56b0f20604fa6db7c9d8b4.exe
"C:\Users\Admin\AppData\Local\Temp\1e1cddbcfb56b0f20604fa6db7c9d8b4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\1E1CDD~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\1E1CDD~1.EXE@2028
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\1E1CDD~1.DLL,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1660

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1E1CDD~1.DLL
MD5
3c6a5476f2a3704b1a4c9c8cf9b645c2

SHA1
136854283613d244b1c1dfc7e47ae2db8f653409

SHA256
af7addbba25e84dc8ce92e5ed9b6700a778cc03f158e7db94378774cab1efc7f

SHA512
87ad3791dc2bd433d2797ad8a2d8745cff790bf4b2ea36835ca5a22d4eb3ba5fb722296f4839d4b088355bbe05e3facaab1c0e71342620946351f5aad1ca0cf9

Download Submit
\Users\Admin\AppData\Local\Temp\1E1CDD~1.DLL
MD5
3c6a5476f2a3704b1a4c9c8cf9b645c2

SHA1
136854283613d244b1c1dfc7e47ae2db8f653409

SHA256
af7addbba25e84dc8ce92e5ed9b6700a778cc03f158e7db94378774cab1efc7f

SHA512
87ad3791dc2bd433d2797ad8a2d8745cff790bf4b2ea36835ca5a22d4eb3ba5fb722296f4839d4b088355bbe05e3facaab1c0e71342620946351f5aad1ca0cf9

Download Submit
\Users\Admin\AppData\Local\Temp\1E1CDD~1.DLL
MD5
3c6a5476f2a3704b1a4c9c8cf9b645c2

SHA1
136854283613d244b1c1dfc7e47ae2db8f653409

SHA256
af7addbba25e84dc8ce92e5ed9b6700a778cc03f158e7db94378774cab1efc7f

SHA512
87ad3791dc2bd433d2797ad8a2d8745cff790bf4b2ea36835ca5a22d4eb3ba5fb722296f4839d4b088355bbe05e3facaab1c0e71342620946351f5aad1ca0cf9

Download Submit
\Users\Admin\AppData\Local\Temp\1E1CDD~1.DLL
MD5
3c6a5476f2a3704b1a4c9c8cf9b645c2

SHA1
136854283613d244b1c1dfc7e47ae2db8f653409

SHA256
af7addbba25e84dc8ce92e5ed9b6700a778cc03f158e7db94378774cab1efc7f

SHA512
87ad3791dc2bd433d2797ad8a2d8745cff790bf4b2ea36835ca5a22d4eb3ba5fb722296f4839d4b088355bbe05e3facaab1c0e71342620946351f5aad1ca0cf9

Download Submit
\Users\Admin\AppData\Local\Temp\1E1CDD~1.DLL
MD5
3c6a5476f2a3704b1a4c9c8cf9b645c2

SHA1
136854283613d244b1c1dfc7e47ae2db8f653409

SHA256
af7addbba25e84dc8ce92e5ed9b6700a778cc03f158e7db94378774cab1efc7f

SHA512
87ad3791dc2bd433d2797ad8a2d8745cff790bf4b2ea36835ca5a22d4eb3ba5fb722296f4839d4b088355bbe05e3facaab1c0e71342620946351f5aad1ca0cf9

Download Submit
\Users\Admin\AppData\Local\Temp\1E1CDD~1.DLL
MD5
3c6a5476f2a3704b1a4c9c8cf9b645c2

SHA1
136854283613d244b1c1dfc7e47ae2db8f653409

SHA256
af7addbba25e84dc8ce92e5ed9b6700a778cc03f158e7db94378774cab1efc7f

SHA512
87ad3791dc2bd433d2797ad8a2d8745cff790bf4b2ea36835ca5a22d4eb3ba5fb722296f4839d4b088355bbe05e3facaab1c0e71342620946351f5aad1ca0cf9

Download Submit
memory/1660-5-0x0000000000000000-mapping.dmp

Download
memory/1840-2-0x0000000000000000-mapping.dmp

Download
memory/2028-0-0x0000000002880000-0x0000000002AF6000-memory.dmp

Filesize
2.5MB

Download
memory/2028-1-0x0000000002B00000-0x0000000002B11000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads