Overview

overview

10

Static

static

28ed6bbb72...c0.exe

windows7_x64

10

28ed6bbb72...c0.exe

windows10_x64

10

Analysis

  • max time kernel
    132s
  • max time network
    145s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    09-11-2020 20:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    28ed6bbb727cd4066fb3aa4ec76fd8c0.exe

  • Size

    2.6MB

  • MD5

    28ed6bbb727cd4066fb3aa4ec76fd8c0

  • SHA1

    8a8b036d0a48acb9b685df15e5068de48df705ca

  • SHA256

    445bd58d9f401c7fb7d977e9b74cc002e5b892ba355f5c00e122cc48b404bac2

  • SHA512

    f8d1bb33cce2b58267a74a98132a37bf004f28c50b73bf310ac67fde10778420c5c519655968505a852c766a3c21a27af9479fb598d71e7ad9f5bd07fa9568e6

Score
10/10
danabotbankerbotnettrojan

Malware Config

Extracted

Family

danabot

C2

45.153.186.50

178.157.91.35

176.123.3.47

45.147.231.202

149.255.35.125
rsa_pubkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Danabot x86 payload 4 IoCs

    Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

    botnet
  • Blocklisted process makes network request 7 IoCs
  • Loads dropped DLL 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\28ed6bbb727cd4066fb3aa4ec76fd8c0.exe
    "C:\Users\Admin\AppData\Local\Temp\28ed6bbb727cd4066fb3aa4ec76fd8c0.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3980
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\28ED6B~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\28ED6B~1.EXE@3980
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\28ED6B~1.DLL,f0
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        PID:3184

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\28ED6B~1.DLL
    MD5

    087ed6b8f7bf41c8087be5fe1f48a4a9

    SHA1

    9d3807944f02d6d685bccd5924ac4520aaeb94aa

    SHA256

    efaf6bd6ab83af58f7ad24f75d93506fefbafecd3ff45cae06bf8ecd616ba131

    SHA512

    16188e1e76b6a4d237c7d34af3a972435937496111564536c6d971a936d42c64aec3f51d63c0cbf51cc25da234b1686dd321b7be4ae200c353b7a8f6a11b45aa

    Download Submit
  • \Users\Admin\AppData\Local\Temp\28ED6B~1.DLL
    MD5

    087ed6b8f7bf41c8087be5fe1f48a4a9

    SHA1

    9d3807944f02d6d685bccd5924ac4520aaeb94aa

    SHA256

    efaf6bd6ab83af58f7ad24f75d93506fefbafecd3ff45cae06bf8ecd616ba131

    SHA512

    16188e1e76b6a4d237c7d34af3a972435937496111564536c6d971a936d42c64aec3f51d63c0cbf51cc25da234b1686dd321b7be4ae200c353b7a8f6a11b45aa

    Download Submit
  • \Users\Admin\AppData\Local\Temp\28ED6B~1.DLL
    MD5

    087ed6b8f7bf41c8087be5fe1f48a4a9

    SHA1

    9d3807944f02d6d685bccd5924ac4520aaeb94aa

    SHA256

    efaf6bd6ab83af58f7ad24f75d93506fefbafecd3ff45cae06bf8ecd616ba131

    SHA512

    16188e1e76b6a4d237c7d34af3a972435937496111564536c6d971a936d42c64aec3f51d63c0cbf51cc25da234b1686dd321b7be4ae200c353b7a8f6a11b45aa

    Download Submit
  • \Users\Admin\AppData\Local\Temp\28ED6B~1.DLL
    MD5

    087ed6b8f7bf41c8087be5fe1f48a4a9

    SHA1

    9d3807944f02d6d685bccd5924ac4520aaeb94aa

    SHA256

    efaf6bd6ab83af58f7ad24f75d93506fefbafecd3ff45cae06bf8ecd616ba131

    SHA512

    16188e1e76b6a4d237c7d34af3a972435937496111564536c6d971a936d42c64aec3f51d63c0cbf51cc25da234b1686dd321b7be4ae200c353b7a8f6a11b45aa

    Download Submit
  • memory/2736-2-0x0000000000000000-mapping.dmp
    Download
  • memory/3184-5-0x0000000000000000-mapping.dmp
    Download
  • memory/3980-1-0x0000000004700000-0x0000000004701000-memory.dmp
    Filesize

    4KB

    Download