Overview

overview

10

Static

static

SecuriteIn...86.dll

windows7_x64

8

SecuriteIn...86.dll

windows10_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    09-11-2020 19:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Trojan.Siggen9.46491.30495.5886.dll

  • Size

    3.3MB

  • MD5

    3ce1a9571feef80297bd3c7c33e53476

  • SHA1

    bdc733c1c239adc0d10b89e630862f6fe692c189

  • SHA256

    ec4171872384e62627b06976f6e513650087c00e8c42f70d6b9d29b54e18a8e6

  • SHA512

    aee3109d59536bf0054a58a60f1a405c37fc08cfa16df1257dc79a771abc534458c78f71f2e54e3b0ad4a653669489537e24d42d98a9b2d63f8d2f81ad51e333

Score
10/10
danabotbankertrojan

Malware Config

Extracted

Family

danabot

C2

172.81.129.196

54.38.22.65

192.99.219.207

51.255.134.130

192.236.179.73

23.82.140.201

45.147.228.92
rsa_pubkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Blocklisted process makes network request 5 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.46491.30495.5886.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4764
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.46491.30495.5886.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4788
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.46491.30495.5886.dll,f0
        3⤵
        • Blocklisted process makes network request
        PID:4148
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 736
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:516

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/516-2-0x00000000045F0000-0x00000000045F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/516-6-0x0000000004D70000-0x0000000004D71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4148-1-0x0000000000000000-mapping.dmp
    Download
  • memory/4788-0-0x0000000000000000-mapping.dmp
    Download
  • memory/4788-3-0x0000000000000000-mapping.dmp
    Download
  • memory/4788-4-0x0000000000000000-mapping.dmp
    Download
  • memory/4788-5-0x0000000000000000-mapping.dmp
    Download