danabot | a5bd1ac8e6458e40e63cf558145dbd06cc2700d97f9ed3ae5a161b165ca6c035

Analysis

Target

SecuriteInfo.com.Variant.Graftor.752710.22488.21345.dll
Size

3.3MB
MD5

87d9f26e60c839281621348244e7a50e
SHA1

03cdedd359cf66d388f96c6aa48c9ba75469db72
SHA256

a5bd1ac8e6458e40e63cf558145dbd06cc2700d97f9ed3ae5a161b165ca6c035
SHA512

82f9de782234b46938e80cd357f847f4a5bdd8a75f7d412fc10fde3e4d9ef336e6db7f7b05c22859cb4344d3c20de69456916f5c8c1d14906edfbb4a0da682b3

Score

10^/10

Family

danabot

172.81.129.196

54.38.22.65

192.99.219.207

51.255.134.130

192.236.179.73

23.82.140.201

45.147.228.92

rsa_pubkey.plain

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 5 IoCs

Processes:

rundll32.exe

flow pid process

22 3772 rundll32.exe
23 3772 rundll32.exe
24 3772 rundll32.exe
25 3772 rundll32.exe
27 3772 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1520 1912 WerFault.exe rundll32.exe

pid	pid_target	process	target process
1520	1912	WerFault.exe	rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1520 WerFault.exe
Token: SeBackupPrivilege 1520 WerFault.exe
Token: SeDebugPrivilege 1520 WerFault.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 972 wrote to memory of 1912	972	rundll32.exe	rundll32.exe
PID 972 wrote to memory of 1912	972	rundll32.exe	rundll32.exe
PID 972 wrote to memory of 1912	972	rundll32.exe	rundll32.exe
PID 1912 wrote to memory of 3772	1912	rundll32.exe	rundll32.exe
PID 1912 wrote to memory of 3772	1912	rundll32.exe	rundll32.exe
PID 1912 wrote to memory of 3772	1912	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Graftor.752710.22488.21345.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Graftor.752710.22488.21345.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Graftor.752710.22488.21345.dll,f0
3⤵
- Blocklisted process makes network request
PID:3772

memory/1520-2-0x0000000004500000-0x0000000004501000-memory.dmp

Filesize
4KB

Download
memory/1520-6-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/1520-7-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/1912-0-0x0000000000000000-mapping.dmp

Download
memory/1912-4-0x0000000000000000-mapping.dmp

Download
memory/1912-3-0x0000000000000000-mapping.dmp

Download
memory/1912-5-0x0000000000000000-mapping.dmp

Download
memory/3772-1-0x0000000000000000-mapping.dmp

Download