danabot | 35b24b298440862cc09ac6a515297301ec56845de52375b67f1463cb9d210eaa

General

Target

d90d31166b4e5fe2d763e3f9e8196582.exe
Size

2.7MB
MD5

d90d31166b4e5fe2d763e3f9e8196582
SHA1

0923d9d7d871462c1583e0d9e5e71dd8da009e38
SHA256

35b24b298440862cc09ac6a515297301ec56845de52375b67f1463cb9d210eaa
SHA512

32f348cb976c1cc54a8b404bc188ea0b2c3069daa995fe69ffaa352d7502086a1cff7017e2cc9326c052c38f063a064c4cb8eac0f6cf1648c5794ec11964f335

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

C2

185.227.138.47

38.68.50.140

2.56.212.64

38.68.50.172

172.241.27.92

193.34.167.159

179.43.133.50

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 6 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\D90D31~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\D90D31~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\D90D31~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\D90D31~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\D90D31~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\D90D31~1.DLL	family_danabot

Blocklisted process makes network request 8 IoCs

Processes:

rundll32.exe

flow	pid	process
4	1764	rundll32.exe
5	1764	rundll32.exe
9	1764	rundll32.exe
11	1764	rundll32.exe
12	1764	rundll32.exe
13	1764	rundll32.exe
16	1764	rundll32.exe
19	1764	rundll32.exe

Loads dropped DLL 5 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

1640 regsvr32.exe
1764 rundll32.exe
1764 rundll32.exe
1764 rundll32.exe
1764 rundll32.exe

pid	process
1640	regsvr32.exe
1764	rundll32.exe
1764	rundll32.exe
1764	rundll32.exe
1764	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

d90d31166b4e5fe2d763e3f9e8196582.exeregsvr32.exe

description	pid	process	target process
PID 1848 wrote to memory of 1640	1848	d90d31166b4e5fe2d763e3f9e8196582.exe	regsvr32.exe
PID 1848 wrote to memory of 1640	1848	d90d31166b4e5fe2d763e3f9e8196582.exe	regsvr32.exe
PID 1848 wrote to memory of 1640	1848	d90d31166b4e5fe2d763e3f9e8196582.exe	regsvr32.exe
PID 1848 wrote to memory of 1640	1848	d90d31166b4e5fe2d763e3f9e8196582.exe	regsvr32.exe
PID 1848 wrote to memory of 1640	1848	d90d31166b4e5fe2d763e3f9e8196582.exe	regsvr32.exe
PID 1848 wrote to memory of 1640	1848	d90d31166b4e5fe2d763e3f9e8196582.exe	regsvr32.exe
PID 1848 wrote to memory of 1640	1848	d90d31166b4e5fe2d763e3f9e8196582.exe	regsvr32.exe
PID 1640 wrote to memory of 1764	1640	regsvr32.exe	rundll32.exe
PID 1640 wrote to memory of 1764	1640	regsvr32.exe	rundll32.exe
PID 1640 wrote to memory of 1764	1640	regsvr32.exe	rundll32.exe
PID 1640 wrote to memory of 1764	1640	regsvr32.exe	rundll32.exe
PID 1640 wrote to memory of 1764	1640	regsvr32.exe	rundll32.exe
PID 1640 wrote to memory of 1764	1640	regsvr32.exe	rundll32.exe
PID 1640 wrote to memory of 1764	1640	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\d90d31166b4e5fe2d763e3f9e8196582.exe
"C:\Users\Admin\AppData\Local\Temp\d90d31166b4e5fe2d763e3f9e8196582.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1848

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\D90D31~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\D90D31~1.EXE@1848
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\D90D31~1.DLL,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1764

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D90D31~1.DLL
MD5
62fd3048bbba61c4c1d6ad91e48f6565

SHA1
e055093b13669189b073d7f1d7f80ac2d683d98e

SHA256
75394da6ba52a8f64db19af071723afc5b472100bc95d54509b74e1a16a31a3e

SHA512
63790754a2ee485d593d9b1d0bc023ab665db48f4c1e7bf8f9188e30016b1078e2fd7c6222c3ddb0178243f9092a6b55deb07705240b62faf3b7117dc4ad6ca2

Download Submit
\Users\Admin\AppData\Local\Temp\D90D31~1.DLL
MD5
62fd3048bbba61c4c1d6ad91e48f6565

SHA1
e055093b13669189b073d7f1d7f80ac2d683d98e

SHA256
75394da6ba52a8f64db19af071723afc5b472100bc95d54509b74e1a16a31a3e

SHA512
63790754a2ee485d593d9b1d0bc023ab665db48f4c1e7bf8f9188e30016b1078e2fd7c6222c3ddb0178243f9092a6b55deb07705240b62faf3b7117dc4ad6ca2

Download Submit
\Users\Admin\AppData\Local\Temp\D90D31~1.DLL
MD5
62fd3048bbba61c4c1d6ad91e48f6565

SHA1
e055093b13669189b073d7f1d7f80ac2d683d98e

SHA256
75394da6ba52a8f64db19af071723afc5b472100bc95d54509b74e1a16a31a3e

SHA512
63790754a2ee485d593d9b1d0bc023ab665db48f4c1e7bf8f9188e30016b1078e2fd7c6222c3ddb0178243f9092a6b55deb07705240b62faf3b7117dc4ad6ca2

Download Submit
\Users\Admin\AppData\Local\Temp\D90D31~1.DLL
MD5
62fd3048bbba61c4c1d6ad91e48f6565

SHA1
e055093b13669189b073d7f1d7f80ac2d683d98e

SHA256
75394da6ba52a8f64db19af071723afc5b472100bc95d54509b74e1a16a31a3e

SHA512
63790754a2ee485d593d9b1d0bc023ab665db48f4c1e7bf8f9188e30016b1078e2fd7c6222c3ddb0178243f9092a6b55deb07705240b62faf3b7117dc4ad6ca2

Download Submit
\Users\Admin\AppData\Local\Temp\D90D31~1.DLL
MD5
62fd3048bbba61c4c1d6ad91e48f6565

SHA1
e055093b13669189b073d7f1d7f80ac2d683d98e

SHA256
75394da6ba52a8f64db19af071723afc5b472100bc95d54509b74e1a16a31a3e

SHA512
63790754a2ee485d593d9b1d0bc023ab665db48f4c1e7bf8f9188e30016b1078e2fd7c6222c3ddb0178243f9092a6b55deb07705240b62faf3b7117dc4ad6ca2

Download Submit
\Users\Admin\AppData\Local\Temp\D90D31~1.DLL
MD5
62fd3048bbba61c4c1d6ad91e48f6565

SHA1
e055093b13669189b073d7f1d7f80ac2d683d98e

SHA256
75394da6ba52a8f64db19af071723afc5b472100bc95d54509b74e1a16a31a3e

SHA512
63790754a2ee485d593d9b1d0bc023ab665db48f4c1e7bf8f9188e30016b1078e2fd7c6222c3ddb0178243f9092a6b55deb07705240b62faf3b7117dc4ad6ca2

Download Submit
memory/1640-2-0x0000000000000000-mapping.dmp

Download
memory/1764-5-0x0000000000000000-mapping.dmp

Download
memory/1848-0-0x00000000025F0000-0x0000000002867000-memory.dmp

Filesize
2.5MB

Download
memory/1848-1-0x0000000002870000-0x0000000002881000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads