Overview

overview

10

Static

static

1e1cddbcfb...b4.exe

windows7_x64

10

1e1cddbcfb...b4.exe

windows10_x64

10

Analysis

  • max time kernel
    104s
  • max time network
    110s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    09-11-2020 20:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1e1cddbcfb56b0f20604fa6db7c9d8b4.exe

  • Size

    2.7MB

  • MD5

    1e1cddbcfb56b0f20604fa6db7c9d8b4

  • SHA1

    c3ab4a02f2b9f53964d6ac8d26fd65f2a9bfa80f

  • SHA256

    ba3478006a8f45f9979a6f2f363933093cd063f7845c85dc604c374481347c20

  • SHA512

    c3db9d3099ebc810fbdd0f777efd8cca0ae87b59913dbe8bac7010fc484d2df092069e167b27bd49a2d1af997e2fb4a7e001db3e414f14b35a6b86ade15a54bf

Score
10/10
danabotbankerbotnettrojan

Malware Config

Extracted

Family

danabot

C2

179.43.133.50

193.34.166.141

23.108.57.107

185.227.138.47

104.168.213.174

23.106.123.48
rsa_pubkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Danabot x86 payload 3 IoCs

    Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

    botnet
  • Blocklisted process makes network request 10 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1e1cddbcfb56b0f20604fa6db7c9d8b4.exe
    "C:\Users\Admin\AppData\Local\Temp\1e1cddbcfb56b0f20604fa6db7c9d8b4.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2484
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\1E1CDD~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\1E1CDD~1.EXE@2484
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3472
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\1E1CDD~1.DLL,f0
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        PID:1640

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1E1CDD~1.DLL
    MD5

    7536393df88516884b32bddb1105f951

    SHA1

    b7d94e0d82b5bccf56d9861e7af67713317d8d8a

    SHA256

    4aba280f185d15f05f0bcda68a825be1bfeec8ef27385982b65708fedcd3e779

    SHA512

    8b1405e733c77e849adbc501f6c11fe2cd9096ad0e4029337033e15862377ed8a0b8f84712ee1df1d1471e95f83d701d7cf1794a401a5837066f77a1f269dd4a

    Download Submit
  • \Users\Admin\AppData\Local\Temp\1E1CDD~1.DLL
    MD5

    7536393df88516884b32bddb1105f951

    SHA1

    b7d94e0d82b5bccf56d9861e7af67713317d8d8a

    SHA256

    4aba280f185d15f05f0bcda68a825be1bfeec8ef27385982b65708fedcd3e779

    SHA512

    8b1405e733c77e849adbc501f6c11fe2cd9096ad0e4029337033e15862377ed8a0b8f84712ee1df1d1471e95f83d701d7cf1794a401a5837066f77a1f269dd4a

    Download Submit
  • \Users\Admin\AppData\Local\Temp\1E1CDD~1.DLL
    MD5

    7536393df88516884b32bddb1105f951

    SHA1

    b7d94e0d82b5bccf56d9861e7af67713317d8d8a

    SHA256

    4aba280f185d15f05f0bcda68a825be1bfeec8ef27385982b65708fedcd3e779

    SHA512

    8b1405e733c77e849adbc501f6c11fe2cd9096ad0e4029337033e15862377ed8a0b8f84712ee1df1d1471e95f83d701d7cf1794a401a5837066f77a1f269dd4a

    Download Submit
  • memory/1640-5-0x0000000000000000-mapping.dmp
    Download
  • memory/2484-1-0x0000000002BD0000-0x0000000002BD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3472-2-0x0000000000000000-mapping.dmp
    Download