danabot | 35b24b298440862cc09ac6a515297301ec56845de52375b67f1463cb9d210eaa

General

Target

d90d31166b4e5fe2d763e3f9e8196582.exe
Size

2.7MB
MD5

d90d31166b4e5fe2d763e3f9e8196582
SHA1

0923d9d7d871462c1583e0d9e5e71dd8da009e38
SHA256

35b24b298440862cc09ac6a515297301ec56845de52375b67f1463cb9d210eaa
SHA512

32f348cb976c1cc54a8b404bc188ea0b2c3069daa995fe69ffaa352d7502086a1cff7017e2cc9326c052c38f063a064c4cb8eac0f6cf1648c5794ec11964f335

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

C2

185.227.138.47

38.68.50.140

2.56.212.64

38.68.50.172

172.241.27.92

193.34.167.159

179.43.133.50

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 5 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\D90D31~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\D90D31~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\D90D31~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\D90D31~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\D90D31~1.DLL	family_danabot

Blocklisted process makes network request 7 IoCs

Processes:

rundll32.exe

flow pid process

12 3148 rundll32.exe
16 3148 rundll32.exe
17 3148 rundll32.exe
18 3148 rundll32.exe
19 3148 rundll32.exe
20 3148 rundll32.exe
21 3148 rundll32.exe
Loads dropped DLL 4 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

4008 regsvr32.exe
4008 regsvr32.exe
3148 rundll32.exe
3148 rundll32.exe

flow	pid	process
12	3148	rundll32.exe
16	3148	rundll32.exe
17	3148	rundll32.exe
18	3148	rundll32.exe
19	3148	rundll32.exe
20	3148	rundll32.exe
21	3148	rundll32.exe

pid	process
4008	regsvr32.exe
4008	regsvr32.exe
3148	rundll32.exe
3148	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

d90d31166b4e5fe2d763e3f9e8196582.exeregsvr32.exe

description	pid	process	target process
PID 4760 wrote to memory of 4008	4760	d90d31166b4e5fe2d763e3f9e8196582.exe	regsvr32.exe
PID 4760 wrote to memory of 4008	4760	d90d31166b4e5fe2d763e3f9e8196582.exe	regsvr32.exe
PID 4760 wrote to memory of 4008	4760	d90d31166b4e5fe2d763e3f9e8196582.exe	regsvr32.exe
PID 4008 wrote to memory of 3148	4008	regsvr32.exe	rundll32.exe
PID 4008 wrote to memory of 3148	4008	regsvr32.exe	rundll32.exe
PID 4008 wrote to memory of 3148	4008	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\d90d31166b4e5fe2d763e3f9e8196582.exe
"C:\Users\Admin\AppData\Local\Temp\d90d31166b4e5fe2d763e3f9e8196582.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4760

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\D90D31~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\D90D31~1.EXE@4760
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4008

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\D90D31~1.DLL,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:3148

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D90D31~1.DLL
MD5
1d17df48bdb289adca9c3e77f8f74417

SHA1
9f4abbe075a08211e7b374292bc07190b3f74999

SHA256
4f9b6310c363bc29667d6624f373a78762061fe952494a242454be6550c374da

SHA512
81015c6c4453b8f29a372136a8a1b7027b461421fe6b23d1a37a4c32457bca73884fd4d90584839495796a7bf4b6ac633de39dab44d3d2cd026332e9e66fbfe2

Download Submit
\Users\Admin\AppData\Local\Temp\D90D31~1.DLL
MD5
1d17df48bdb289adca9c3e77f8f74417

SHA1
9f4abbe075a08211e7b374292bc07190b3f74999

SHA256
4f9b6310c363bc29667d6624f373a78762061fe952494a242454be6550c374da

SHA512
81015c6c4453b8f29a372136a8a1b7027b461421fe6b23d1a37a4c32457bca73884fd4d90584839495796a7bf4b6ac633de39dab44d3d2cd026332e9e66fbfe2

Download Submit
\Users\Admin\AppData\Local\Temp\D90D31~1.DLL
MD5
1d17df48bdb289adca9c3e77f8f74417

SHA1
9f4abbe075a08211e7b374292bc07190b3f74999

SHA256
4f9b6310c363bc29667d6624f373a78762061fe952494a242454be6550c374da

SHA512
81015c6c4453b8f29a372136a8a1b7027b461421fe6b23d1a37a4c32457bca73884fd4d90584839495796a7bf4b6ac633de39dab44d3d2cd026332e9e66fbfe2

Download Submit
\Users\Admin\AppData\Local\Temp\D90D31~1.DLL
MD5
1d17df48bdb289adca9c3e77f8f74417

SHA1
9f4abbe075a08211e7b374292bc07190b3f74999

SHA256
4f9b6310c363bc29667d6624f373a78762061fe952494a242454be6550c374da

SHA512
81015c6c4453b8f29a372136a8a1b7027b461421fe6b23d1a37a4c32457bca73884fd4d90584839495796a7bf4b6ac633de39dab44d3d2cd026332e9e66fbfe2

Download Submit
\Users\Admin\AppData\Local\Temp\D90D31~1.DLL
MD5
1d17df48bdb289adca9c3e77f8f74417

SHA1
9f4abbe075a08211e7b374292bc07190b3f74999

SHA256
4f9b6310c363bc29667d6624f373a78762061fe952494a242454be6550c374da

SHA512
81015c6c4453b8f29a372136a8a1b7027b461421fe6b23d1a37a4c32457bca73884fd4d90584839495796a7bf4b6ac633de39dab44d3d2cd026332e9e66fbfe2

Download Submit
memory/3148-6-0x0000000000000000-mapping.dmp

Download
memory/4008-2-0x0000000000000000-mapping.dmp

Download
memory/4760-1-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing