danabot | d4290ca9fd03f5b700344fc4e14c9559fd9768eaf27fa5a5a2beaac170034ae0

General

Target

e374cc56b4174ebb693a7e7a58fbd792.exe
Size

2.7MB
MD5

e374cc56b4174ebb693a7e7a58fbd792
SHA1

654dbda2ff076f1907b9ae75b64ba606e9187d76
SHA256

d4290ca9fd03f5b700344fc4e14c9559fd9768eaf27fa5a5a2beaac170034ae0
SHA512

50ddc88210f2dea81be24650b16b99370bea7b305f71802ce4c2a3ca87ef4c404a951655ab58f67192018725cfcfb2424d0eb1ac46efc279b4a284b763b1fc58

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

C2

23.106.123.48

93.115.20.97

93.115.21.103

179.43.133.50

193.34.167.73

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 6 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\E374CC~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\E374CC~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\E374CC~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\E374CC~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\E374CC~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\E374CC~1.DLL	family_danabot

Blocklisted process makes network request 10 IoCs

Processes:

rundll32.exe

flow	pid	process
3	316	rundll32.exe
4	316	rundll32.exe
5	316	rundll32.exe
6	316	rundll32.exe
9	316	rundll32.exe
10	316	rundll32.exe
11	316	rundll32.exe
12	316	rundll32.exe
13	316	rundll32.exe
14	316	rundll32.exe

Loads dropped DLL 5 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

1636 regsvr32.exe
316 rundll32.exe
316 rundll32.exe
316 rundll32.exe
316 rundll32.exe

pid	process
1636	regsvr32.exe
316	rundll32.exe
316	rundll32.exe
316	rundll32.exe
316	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

e374cc56b4174ebb693a7e7a58fbd792.exeregsvr32.exe

description	pid	process	target process
PID 1680 wrote to memory of 1636	1680	e374cc56b4174ebb693a7e7a58fbd792.exe	regsvr32.exe
PID 1680 wrote to memory of 1636	1680	e374cc56b4174ebb693a7e7a58fbd792.exe	regsvr32.exe
PID 1680 wrote to memory of 1636	1680	e374cc56b4174ebb693a7e7a58fbd792.exe	regsvr32.exe
PID 1680 wrote to memory of 1636	1680	e374cc56b4174ebb693a7e7a58fbd792.exe	regsvr32.exe
PID 1680 wrote to memory of 1636	1680	e374cc56b4174ebb693a7e7a58fbd792.exe	regsvr32.exe
PID 1680 wrote to memory of 1636	1680	e374cc56b4174ebb693a7e7a58fbd792.exe	regsvr32.exe
PID 1680 wrote to memory of 1636	1680	e374cc56b4174ebb693a7e7a58fbd792.exe	regsvr32.exe
PID 1636 wrote to memory of 316	1636	regsvr32.exe	rundll32.exe
PID 1636 wrote to memory of 316	1636	regsvr32.exe	rundll32.exe
PID 1636 wrote to memory of 316	1636	regsvr32.exe	rundll32.exe
PID 1636 wrote to memory of 316	1636	regsvr32.exe	rundll32.exe
PID 1636 wrote to memory of 316	1636	regsvr32.exe	rundll32.exe
PID 1636 wrote to memory of 316	1636	regsvr32.exe	rundll32.exe
PID 1636 wrote to memory of 316	1636	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\e374cc56b4174ebb693a7e7a58fbd792.exe
"C:\Users\Admin\AppData\Local\Temp\e374cc56b4174ebb693a7e7a58fbd792.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\E374CC~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\E374CC~1.EXE@1680
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\E374CC~1.DLL,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:316

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E374CC~1.DLL
MD5
c184b650468d241a3e940ad78935f954

SHA1
9ff7411537f63d88c7850043743cef646136ff05

SHA256
69a2c874ad9fa17062b16b85b4ed671e01876fb95756d87171d5b10cde5648d6

SHA512
cc0281870e219c93a81f43ed6f4658562e727770075af24266ebab37d43ace9179066be11fe1fb3a176ecb9341ad4228eaec157fe28d2b1eed0a09fab5ccc1e4

Download Submit
\Users\Admin\AppData\Local\Temp\E374CC~1.DLL
MD5
c184b650468d241a3e940ad78935f954

SHA1
9ff7411537f63d88c7850043743cef646136ff05

SHA256
69a2c874ad9fa17062b16b85b4ed671e01876fb95756d87171d5b10cde5648d6

SHA512
cc0281870e219c93a81f43ed6f4658562e727770075af24266ebab37d43ace9179066be11fe1fb3a176ecb9341ad4228eaec157fe28d2b1eed0a09fab5ccc1e4

Download Submit
\Users\Admin\AppData\Local\Temp\E374CC~1.DLL
MD5
c184b650468d241a3e940ad78935f954

SHA1
9ff7411537f63d88c7850043743cef646136ff05

SHA256
69a2c874ad9fa17062b16b85b4ed671e01876fb95756d87171d5b10cde5648d6

SHA512
cc0281870e219c93a81f43ed6f4658562e727770075af24266ebab37d43ace9179066be11fe1fb3a176ecb9341ad4228eaec157fe28d2b1eed0a09fab5ccc1e4

Download Submit
\Users\Admin\AppData\Local\Temp\E374CC~1.DLL
MD5
c184b650468d241a3e940ad78935f954

SHA1
9ff7411537f63d88c7850043743cef646136ff05

SHA256
69a2c874ad9fa17062b16b85b4ed671e01876fb95756d87171d5b10cde5648d6

SHA512
cc0281870e219c93a81f43ed6f4658562e727770075af24266ebab37d43ace9179066be11fe1fb3a176ecb9341ad4228eaec157fe28d2b1eed0a09fab5ccc1e4

Download Submit
\Users\Admin\AppData\Local\Temp\E374CC~1.DLL
MD5
c184b650468d241a3e940ad78935f954

SHA1
9ff7411537f63d88c7850043743cef646136ff05

SHA256
69a2c874ad9fa17062b16b85b4ed671e01876fb95756d87171d5b10cde5648d6

SHA512
cc0281870e219c93a81f43ed6f4658562e727770075af24266ebab37d43ace9179066be11fe1fb3a176ecb9341ad4228eaec157fe28d2b1eed0a09fab5ccc1e4

Download Submit
\Users\Admin\AppData\Local\Temp\E374CC~1.DLL
MD5
c184b650468d241a3e940ad78935f954

SHA1
9ff7411537f63d88c7850043743cef646136ff05

SHA256
69a2c874ad9fa17062b16b85b4ed671e01876fb95756d87171d5b10cde5648d6

SHA512
cc0281870e219c93a81f43ed6f4658562e727770075af24266ebab37d43ace9179066be11fe1fb3a176ecb9341ad4228eaec157fe28d2b1eed0a09fab5ccc1e4

Download Submit
memory/316-5-0x0000000000000000-mapping.dmp

Download
memory/1636-2-0x0000000000000000-mapping.dmp

Download
memory/1680-0-0x00000000008F0000-0x0000000000B67000-memory.dmp

Filesize
2.5MB

Download
memory/1680-1-0x0000000000B70000-0x0000000000B81000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads