Overview

overview

10

Static

static

e374cc56b4...92.exe

windows7_x64

10

e374cc56b4...92.exe

windows10_x64

10

Analysis

  • max time kernel
    75s
  • max time network
    102s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    09-11-2020 20:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e374cc56b4174ebb693a7e7a58fbd792.exe

  • Size

    2.7MB

  • MD5

    e374cc56b4174ebb693a7e7a58fbd792

  • SHA1

    654dbda2ff076f1907b9ae75b64ba606e9187d76

  • SHA256

    d4290ca9fd03f5b700344fc4e14c9559fd9768eaf27fa5a5a2beaac170034ae0

  • SHA512

    50ddc88210f2dea81be24650b16b99370bea7b305f71802ce4c2a3ca87ef4c404a951655ab58f67192018725cfcfb2424d0eb1ac46efc279b4a284b763b1fc58

Score
10/10
danabotbankerbotnettrojan

Malware Config

Extracted

Family

danabot

C2

23.106.123.48

93.115.20.97

93.115.21.103

179.43.133.50

193.34.167.73
rsa_pubkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Danabot x86 payload 4 IoCs

    Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

    botnet
  • Blocklisted process makes network request 10 IoCs
  • Loads dropped DLL 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e374cc56b4174ebb693a7e7a58fbd792.exe
    "C:\Users\Admin\AppData\Local\Temp\e374cc56b4174ebb693a7e7a58fbd792.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4756
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\E374CC~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\E374CC~1.EXE@4756
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2232
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\E374CC~1.DLL,f0
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        PID:436

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\E374CC~1.DLL
    MD5

    3cb75e26f8a16fa6bd286ac033452148

    SHA1

    c005cae09b9c4161bfeb7536a3fc5b97ad6c96cf

    SHA256

    9d11ec9801e5f9d4d107091fef230e3d91673de6104288b71daa2abf077a8167

    SHA512

    3afda9a8d2773e5685415dec6f2418a8b40368c909722359e2828e0a2729f4c29eaa4ecda959654b42543be6548e9f8f7bf0645f8b40251ff1e22eea487104ee

    Download Submit
  • \Users\Admin\AppData\Local\Temp\E374CC~1.DLL
    MD5

    3cb75e26f8a16fa6bd286ac033452148

    SHA1

    c005cae09b9c4161bfeb7536a3fc5b97ad6c96cf

    SHA256

    9d11ec9801e5f9d4d107091fef230e3d91673de6104288b71daa2abf077a8167

    SHA512

    3afda9a8d2773e5685415dec6f2418a8b40368c909722359e2828e0a2729f4c29eaa4ecda959654b42543be6548e9f8f7bf0645f8b40251ff1e22eea487104ee

    Download Submit
  • \Users\Admin\AppData\Local\Temp\E374CC~1.DLL
    MD5

    3cb75e26f8a16fa6bd286ac033452148

    SHA1

    c005cae09b9c4161bfeb7536a3fc5b97ad6c96cf

    SHA256

    9d11ec9801e5f9d4d107091fef230e3d91673de6104288b71daa2abf077a8167

    SHA512

    3afda9a8d2773e5685415dec6f2418a8b40368c909722359e2828e0a2729f4c29eaa4ecda959654b42543be6548e9f8f7bf0645f8b40251ff1e22eea487104ee

    Download Submit
  • \Users\Admin\AppData\Local\Temp\E374CC~1.DLL
    MD5

    3cb75e26f8a16fa6bd286ac033452148

    SHA1

    c005cae09b9c4161bfeb7536a3fc5b97ad6c96cf

    SHA256

    9d11ec9801e5f9d4d107091fef230e3d91673de6104288b71daa2abf077a8167

    SHA512

    3afda9a8d2773e5685415dec6f2418a8b40368c909722359e2828e0a2729f4c29eaa4ecda959654b42543be6548e9f8f7bf0645f8b40251ff1e22eea487104ee

    Download Submit
  • memory/436-5-0x0000000000000000-mapping.dmp
    Download
  • memory/2232-2-0x0000000000000000-mapping.dmp
    Download
  • memory/4756-1-0x0000000000D50000-0x0000000000D51000-memory.dmp
    Filesize

    4KB

    Download