danabot | cd38592468e54623dc5c89529203dbc21ede6cfe95523d2f146449019288038c

General

Target

d91c10b6010d6e7593974ae3278cbbf3.exe
Size

2.7MB
MD5

d91c10b6010d6e7593974ae3278cbbf3
SHA1

1fd45fdbde1168b3c085805df7399398fc85b2cb
SHA256

cd38592468e54623dc5c89529203dbc21ede6cfe95523d2f146449019288038c
SHA512

3a231c2e9e9ba05c07c5229ef53dcd009bb876c661ba9af6f06bb6d48b2d0ee4570f5bcb956d7d011df9c77995ed3e18d70c104b579522df60cc53dc54ff74eb

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

C2

142.11.240.144

45.153.243.113

88.150.227.95

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 6 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\D91C10~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\D91C10~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\D91C10~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\D91C10~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\D91C10~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\D91C10~1.DLL	family_danabot

Blocklisted process makes network request 7 IoCs

Processes:

rundll32.exe

flow pid process

2 1260 rundll32.exe
5 1260 rundll32.exe
6 1260 rundll32.exe
7 1260 rundll32.exe
8 1260 rundll32.exe
9 1260 rundll32.exe
10 1260 rundll32.exe
Loads dropped DLL 5 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

1772 regsvr32.exe
1260 rundll32.exe
1260 rundll32.exe
1260 rundll32.exe
1260 rundll32.exe

flow	pid	process
2	1260	rundll32.exe
5	1260	rundll32.exe
6	1260	rundll32.exe
7	1260	rundll32.exe
8	1260	rundll32.exe
9	1260	rundll32.exe
10	1260	rundll32.exe

pid	process
1772	regsvr32.exe
1260	rundll32.exe
1260	rundll32.exe
1260	rundll32.exe
1260	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

d91c10b6010d6e7593974ae3278cbbf3.exeregsvr32.exe

description	pid	process	target process
PID 1004 wrote to memory of 1772	1004	d91c10b6010d6e7593974ae3278cbbf3.exe	regsvr32.exe
PID 1004 wrote to memory of 1772	1004	d91c10b6010d6e7593974ae3278cbbf3.exe	regsvr32.exe
PID 1004 wrote to memory of 1772	1004	d91c10b6010d6e7593974ae3278cbbf3.exe	regsvr32.exe
PID 1004 wrote to memory of 1772	1004	d91c10b6010d6e7593974ae3278cbbf3.exe	regsvr32.exe
PID 1004 wrote to memory of 1772	1004	d91c10b6010d6e7593974ae3278cbbf3.exe	regsvr32.exe
PID 1004 wrote to memory of 1772	1004	d91c10b6010d6e7593974ae3278cbbf3.exe	regsvr32.exe
PID 1004 wrote to memory of 1772	1004	d91c10b6010d6e7593974ae3278cbbf3.exe	regsvr32.exe
PID 1772 wrote to memory of 1260	1772	regsvr32.exe	rundll32.exe
PID 1772 wrote to memory of 1260	1772	regsvr32.exe	rundll32.exe
PID 1772 wrote to memory of 1260	1772	regsvr32.exe	rundll32.exe
PID 1772 wrote to memory of 1260	1772	regsvr32.exe	rundll32.exe
PID 1772 wrote to memory of 1260	1772	regsvr32.exe	rundll32.exe
PID 1772 wrote to memory of 1260	1772	regsvr32.exe	rundll32.exe
PID 1772 wrote to memory of 1260	1772	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\d91c10b6010d6e7593974ae3278cbbf3.exe
"C:\Users\Admin\AppData\Local\Temp\d91c10b6010d6e7593974ae3278cbbf3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1004

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\D91C10~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\D91C10~1.EXE@1004
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\D91C10~1.DLL,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1260

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D91C10~1.DLL

MD5
ee47cf3a53975de25fb71436f04f266d

SHA1
1ac4d7e566046a62d5708500c6c67fee81d1ad8f

SHA256
ad1cf4312a561c2a30370c71c5ddf74ccc2591f8f46417eab6bca0a37e320e7d

SHA512
4cf46ab54d93503b15ae2082cc40ca0416b542da280a42c0728e9b181cc22f1fab235b6100c5f5988e65f37ef6532c94012a18c402d89edfa5d4911ec5146bb8

Download Submit
\Users\Admin\AppData\Local\Temp\D91C10~1.DLL

MD5
ee47cf3a53975de25fb71436f04f266d

SHA1
1ac4d7e566046a62d5708500c6c67fee81d1ad8f

SHA256
ad1cf4312a561c2a30370c71c5ddf74ccc2591f8f46417eab6bca0a37e320e7d

SHA512
4cf46ab54d93503b15ae2082cc40ca0416b542da280a42c0728e9b181cc22f1fab235b6100c5f5988e65f37ef6532c94012a18c402d89edfa5d4911ec5146bb8

Download Submit
\Users\Admin\AppData\Local\Temp\D91C10~1.DLL

MD5
ee47cf3a53975de25fb71436f04f266d

SHA1
1ac4d7e566046a62d5708500c6c67fee81d1ad8f

SHA256
ad1cf4312a561c2a30370c71c5ddf74ccc2591f8f46417eab6bca0a37e320e7d

SHA512
4cf46ab54d93503b15ae2082cc40ca0416b542da280a42c0728e9b181cc22f1fab235b6100c5f5988e65f37ef6532c94012a18c402d89edfa5d4911ec5146bb8

Download Submit
\Users\Admin\AppData\Local\Temp\D91C10~1.DLL

MD5
ee47cf3a53975de25fb71436f04f266d

SHA1
1ac4d7e566046a62d5708500c6c67fee81d1ad8f

SHA256
ad1cf4312a561c2a30370c71c5ddf74ccc2591f8f46417eab6bca0a37e320e7d

SHA512
4cf46ab54d93503b15ae2082cc40ca0416b542da280a42c0728e9b181cc22f1fab235b6100c5f5988e65f37ef6532c94012a18c402d89edfa5d4911ec5146bb8

Download Submit
\Users\Admin\AppData\Local\Temp\D91C10~1.DLL

MD5
ee47cf3a53975de25fb71436f04f266d

SHA1
1ac4d7e566046a62d5708500c6c67fee81d1ad8f

SHA256
ad1cf4312a561c2a30370c71c5ddf74ccc2591f8f46417eab6bca0a37e320e7d

SHA512
4cf46ab54d93503b15ae2082cc40ca0416b542da280a42c0728e9b181cc22f1fab235b6100c5f5988e65f37ef6532c94012a18c402d89edfa5d4911ec5146bb8

Download Submit
\Users\Admin\AppData\Local\Temp\D91C10~1.DLL

MD5
ee47cf3a53975de25fb71436f04f266d

SHA1
1ac4d7e566046a62d5708500c6c67fee81d1ad8f

SHA256
ad1cf4312a561c2a30370c71c5ddf74ccc2591f8f46417eab6bca0a37e320e7d

SHA512
4cf46ab54d93503b15ae2082cc40ca0416b542da280a42c0728e9b181cc22f1fab235b6100c5f5988e65f37ef6532c94012a18c402d89edfa5d4911ec5146bb8

Download Submit
memory/1004-0-0x0000000001F80000-0x00000000021F7000-memory.dmp

Filesize
2.5MB

Download
memory/1004-1-0x0000000002200000-0x0000000002211000-memory.dmp

Filesize
68KB

Download
memory/1260-5-0x0000000000000000-mapping.dmp

Download
memory/1772-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing