danabot | 445bd58d9f401c7fb7d977e9b74cc002e5b892ba355f5c00e122cc48b404bac2

General

Target

28ed6bbb727cd4066fb3aa4ec76fd8c0.exe
Size

2.6MB
MD5

28ed6bbb727cd4066fb3aa4ec76fd8c0
SHA1

8a8b036d0a48acb9b685df15e5068de48df705ca
SHA256

445bd58d9f401c7fb7d977e9b74cc002e5b892ba355f5c00e122cc48b404bac2
SHA512

f8d1bb33cce2b58267a74a98132a37bf004f28c50b73bf310ac67fde10778420c5c519655968505a852c766a3c21a27af9479fb598d71e7ad9f5bd07fa9568e6

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

C2

45.153.186.50

178.157.91.35

176.123.3.47

45.147.231.202

149.255.35.125

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 6 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\28ED6B~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\28ED6B~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\28ED6B~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\28ED6B~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\28ED6B~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\28ED6B~1.DLL	family_danabot

Blocklisted process makes network request 8 IoCs

Processes:

rundll32.exe

flow pid process

2 756 rundll32.exe
5 756 rundll32.exe
6 756 rundll32.exe
7 756 rundll32.exe
8 756 rundll32.exe
9 756 rundll32.exe
10 756 rundll32.exe
11 756 rundll32.exe
Loads dropped DLL 5 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

1588 regsvr32.exe
756 rundll32.exe
756 rundll32.exe
756 rundll32.exe
756 rundll32.exe

flow	pid	process
2	756	rundll32.exe
5	756	rundll32.exe
6	756	rundll32.exe
7	756	rundll32.exe
8	756	rundll32.exe
9	756	rundll32.exe
10	756	rundll32.exe
11	756	rundll32.exe

pid	process
1588	regsvr32.exe
756	rundll32.exe
756	rundll32.exe
756	rundll32.exe
756	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

28ed6bbb727cd4066fb3aa4ec76fd8c0.exeregsvr32.exe

description	pid	process	target process
PID 1900 wrote to memory of 1588	1900	28ed6bbb727cd4066fb3aa4ec76fd8c0.exe	regsvr32.exe
PID 1900 wrote to memory of 1588	1900	28ed6bbb727cd4066fb3aa4ec76fd8c0.exe	regsvr32.exe
PID 1900 wrote to memory of 1588	1900	28ed6bbb727cd4066fb3aa4ec76fd8c0.exe	regsvr32.exe
PID 1900 wrote to memory of 1588	1900	28ed6bbb727cd4066fb3aa4ec76fd8c0.exe	regsvr32.exe
PID 1900 wrote to memory of 1588	1900	28ed6bbb727cd4066fb3aa4ec76fd8c0.exe	regsvr32.exe
PID 1900 wrote to memory of 1588	1900	28ed6bbb727cd4066fb3aa4ec76fd8c0.exe	regsvr32.exe
PID 1900 wrote to memory of 1588	1900	28ed6bbb727cd4066fb3aa4ec76fd8c0.exe	regsvr32.exe
PID 1588 wrote to memory of 756	1588	regsvr32.exe	rundll32.exe
PID 1588 wrote to memory of 756	1588	regsvr32.exe	rundll32.exe
PID 1588 wrote to memory of 756	1588	regsvr32.exe	rundll32.exe
PID 1588 wrote to memory of 756	1588	regsvr32.exe	rundll32.exe
PID 1588 wrote to memory of 756	1588	regsvr32.exe	rundll32.exe
PID 1588 wrote to memory of 756	1588	regsvr32.exe	rundll32.exe
PID 1588 wrote to memory of 756	1588	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\28ed6bbb727cd4066fb3aa4ec76fd8c0.exe
"C:\Users\Admin\AppData\Local\Temp\28ed6bbb727cd4066fb3aa4ec76fd8c0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\28ED6B~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\28ED6B~1.EXE@1900
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\28ED6B~1.DLL,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:756

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\28ED6B~1.DLL
MD5
4fbf28e11e37eaf8cf5d34810581fc99

SHA1
8c0ae627499e5af458cbd51efe72e2a264c618e3

SHA256
690e02ef2ce3a2cd9fde1ecdfe2bc64c9065b1c209e0ec4699b5458efa06dd5a

SHA512
5dd69caf20c2526679a580bbf7a4b0131017e8922f8bbb21b1cf77ea522200ffe655800917b9afd1b6d098218a2136182c56b61d3aa017f8a888f8242e8a8bc4

Download Submit
\Users\Admin\AppData\Local\Temp\28ED6B~1.DLL
MD5
4fbf28e11e37eaf8cf5d34810581fc99

SHA1
8c0ae627499e5af458cbd51efe72e2a264c618e3

SHA256
690e02ef2ce3a2cd9fde1ecdfe2bc64c9065b1c209e0ec4699b5458efa06dd5a

SHA512
5dd69caf20c2526679a580bbf7a4b0131017e8922f8bbb21b1cf77ea522200ffe655800917b9afd1b6d098218a2136182c56b61d3aa017f8a888f8242e8a8bc4

Download Submit
\Users\Admin\AppData\Local\Temp\28ED6B~1.DLL
MD5
4fbf28e11e37eaf8cf5d34810581fc99

SHA1
8c0ae627499e5af458cbd51efe72e2a264c618e3

SHA256
690e02ef2ce3a2cd9fde1ecdfe2bc64c9065b1c209e0ec4699b5458efa06dd5a

SHA512
5dd69caf20c2526679a580bbf7a4b0131017e8922f8bbb21b1cf77ea522200ffe655800917b9afd1b6d098218a2136182c56b61d3aa017f8a888f8242e8a8bc4

Download Submit
\Users\Admin\AppData\Local\Temp\28ED6B~1.DLL
MD5
4fbf28e11e37eaf8cf5d34810581fc99

SHA1
8c0ae627499e5af458cbd51efe72e2a264c618e3

SHA256
690e02ef2ce3a2cd9fde1ecdfe2bc64c9065b1c209e0ec4699b5458efa06dd5a

SHA512
5dd69caf20c2526679a580bbf7a4b0131017e8922f8bbb21b1cf77ea522200ffe655800917b9afd1b6d098218a2136182c56b61d3aa017f8a888f8242e8a8bc4

Download Submit
\Users\Admin\AppData\Local\Temp\28ED6B~1.DLL
MD5
4fbf28e11e37eaf8cf5d34810581fc99

SHA1
8c0ae627499e5af458cbd51efe72e2a264c618e3

SHA256
690e02ef2ce3a2cd9fde1ecdfe2bc64c9065b1c209e0ec4699b5458efa06dd5a

SHA512
5dd69caf20c2526679a580bbf7a4b0131017e8922f8bbb21b1cf77ea522200ffe655800917b9afd1b6d098218a2136182c56b61d3aa017f8a888f8242e8a8bc4

Download Submit
\Users\Admin\AppData\Local\Temp\28ED6B~1.DLL
MD5
4fbf28e11e37eaf8cf5d34810581fc99

SHA1
8c0ae627499e5af458cbd51efe72e2a264c618e3

SHA256
690e02ef2ce3a2cd9fde1ecdfe2bc64c9065b1c209e0ec4699b5458efa06dd5a

SHA512
5dd69caf20c2526679a580bbf7a4b0131017e8922f8bbb21b1cf77ea522200ffe655800917b9afd1b6d098218a2136182c56b61d3aa017f8a888f8242e8a8bc4

Download Submit
memory/756-5-0x0000000000000000-mapping.dmp

Download
memory/1588-2-0x0000000000000000-mapping.dmp

Download
memory/1900-0-0x0000000004040000-0x00000000042B7000-memory.dmp

Filesize
2.5MB

Download
memory/1900-1-0x00000000042C0000-0x00000000042D1000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing