danabot | 9309025b86610fc4dade312f3681fa0e9370dcecca1563393fe4866d4e718d19

General

Target

b02c3131bf5fb12b3fae117632dc86ed.exe
Size

2.6MB
MD5

b02c3131bf5fb12b3fae117632dc86ed
SHA1

4fcc44307fa4c5826a7d33109917b3cb436722fd
SHA256

9309025b86610fc4dade312f3681fa0e9370dcecca1563393fe4866d4e718d19
SHA512

00c388778f35becdcbf0460b57cc5bedad70cdbf7872e9a3d1ce55d17a5690a3c5374e9610ba1c729e6e1a1574c4cfa27908904c18e3bd77438c78d2371d76dd

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

C2

45.147.231.202

23.83.133.10

137.74.66.92

185.227.138.52

192.236.146.249

149.255.35.125

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 6 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\B02C31~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\B02C31~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\B02C31~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\B02C31~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\B02C31~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\B02C31~1.DLL	family_danabot

Blocklisted process makes network request 7 IoCs

Processes:

rundll32.exe

flow pid process

2 1652 rundll32.exe
5 1652 rundll32.exe
6 1652 rundll32.exe
9 1652 rundll32.exe
10 1652 rundll32.exe
11 1652 rundll32.exe
12 1652 rundll32.exe
Loads dropped DLL 5 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

1768 regsvr32.exe
1652 rundll32.exe
1652 rundll32.exe
1652 rundll32.exe
1652 rundll32.exe

flow	pid	process
2	1652	rundll32.exe
5	1652	rundll32.exe
6	1652	rundll32.exe
9	1652	rundll32.exe
10	1652	rundll32.exe
11	1652	rundll32.exe
12	1652	rundll32.exe

pid	process
1768	regsvr32.exe
1652	rundll32.exe
1652	rundll32.exe
1652	rundll32.exe
1652	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

b02c3131bf5fb12b3fae117632dc86ed.exeregsvr32.exe

description	pid	process	target process
PID 748 wrote to memory of 1768	748	b02c3131bf5fb12b3fae117632dc86ed.exe	regsvr32.exe
PID 748 wrote to memory of 1768	748	b02c3131bf5fb12b3fae117632dc86ed.exe	regsvr32.exe
PID 748 wrote to memory of 1768	748	b02c3131bf5fb12b3fae117632dc86ed.exe	regsvr32.exe
PID 748 wrote to memory of 1768	748	b02c3131bf5fb12b3fae117632dc86ed.exe	regsvr32.exe
PID 748 wrote to memory of 1768	748	b02c3131bf5fb12b3fae117632dc86ed.exe	regsvr32.exe
PID 748 wrote to memory of 1768	748	b02c3131bf5fb12b3fae117632dc86ed.exe	regsvr32.exe
PID 748 wrote to memory of 1768	748	b02c3131bf5fb12b3fae117632dc86ed.exe	regsvr32.exe
PID 1768 wrote to memory of 1652	1768	regsvr32.exe	rundll32.exe
PID 1768 wrote to memory of 1652	1768	regsvr32.exe	rundll32.exe
PID 1768 wrote to memory of 1652	1768	regsvr32.exe	rundll32.exe
PID 1768 wrote to memory of 1652	1768	regsvr32.exe	rundll32.exe
PID 1768 wrote to memory of 1652	1768	regsvr32.exe	rundll32.exe
PID 1768 wrote to memory of 1652	1768	regsvr32.exe	rundll32.exe
PID 1768 wrote to memory of 1652	1768	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\b02c3131bf5fb12b3fae117632dc86ed.exe
"C:\Users\Admin\AppData\Local\Temp\b02c3131bf5fb12b3fae117632dc86ed.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\B02C31~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\B02C31~1.EXE@748
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\B02C31~1.DLL,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1652

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B02C31~1.DLL
MD5
13d2e6ddb55445d5d0866a9dcf8005ac

SHA1
16bc1fc71a7108cfe000ce19f10153a1f314760b

SHA256
da8a0dfaf5a35566fc013022fb512c836ce4d299d90b56ce553feb216b198338

SHA512
1ce66318ef4dd2677da8bde32a7f5b0dc90badca70eff12c0e03f08132fb8c41434207047cecd898c1dada75d6ba10285d1633a5d34757e572ee541dc9371dc8

Download Submit
\Users\Admin\AppData\Local\Temp\B02C31~1.DLL
MD5
13d2e6ddb55445d5d0866a9dcf8005ac

SHA1
16bc1fc71a7108cfe000ce19f10153a1f314760b

SHA256
da8a0dfaf5a35566fc013022fb512c836ce4d299d90b56ce553feb216b198338

SHA512
1ce66318ef4dd2677da8bde32a7f5b0dc90badca70eff12c0e03f08132fb8c41434207047cecd898c1dada75d6ba10285d1633a5d34757e572ee541dc9371dc8

Download Submit
\Users\Admin\AppData\Local\Temp\B02C31~1.DLL
MD5
13d2e6ddb55445d5d0866a9dcf8005ac

SHA1
16bc1fc71a7108cfe000ce19f10153a1f314760b

SHA256
da8a0dfaf5a35566fc013022fb512c836ce4d299d90b56ce553feb216b198338

SHA512
1ce66318ef4dd2677da8bde32a7f5b0dc90badca70eff12c0e03f08132fb8c41434207047cecd898c1dada75d6ba10285d1633a5d34757e572ee541dc9371dc8

Download Submit
\Users\Admin\AppData\Local\Temp\B02C31~1.DLL
MD5
13d2e6ddb55445d5d0866a9dcf8005ac

SHA1
16bc1fc71a7108cfe000ce19f10153a1f314760b

SHA256
da8a0dfaf5a35566fc013022fb512c836ce4d299d90b56ce553feb216b198338

SHA512
1ce66318ef4dd2677da8bde32a7f5b0dc90badca70eff12c0e03f08132fb8c41434207047cecd898c1dada75d6ba10285d1633a5d34757e572ee541dc9371dc8

Download Submit
\Users\Admin\AppData\Local\Temp\B02C31~1.DLL
MD5
13d2e6ddb55445d5d0866a9dcf8005ac

SHA1
16bc1fc71a7108cfe000ce19f10153a1f314760b

SHA256
da8a0dfaf5a35566fc013022fb512c836ce4d299d90b56ce553feb216b198338

SHA512
1ce66318ef4dd2677da8bde32a7f5b0dc90badca70eff12c0e03f08132fb8c41434207047cecd898c1dada75d6ba10285d1633a5d34757e572ee541dc9371dc8

Download Submit
\Users\Admin\AppData\Local\Temp\B02C31~1.DLL
MD5
13d2e6ddb55445d5d0866a9dcf8005ac

SHA1
16bc1fc71a7108cfe000ce19f10153a1f314760b

SHA256
da8a0dfaf5a35566fc013022fb512c836ce4d299d90b56ce553feb216b198338

SHA512
1ce66318ef4dd2677da8bde32a7f5b0dc90badca70eff12c0e03f08132fb8c41434207047cecd898c1dada75d6ba10285d1633a5d34757e572ee541dc9371dc8

Download Submit
memory/748-0-0x00000000029C0000-0x0000000002C37000-memory.dmp

Filesize
2.5MB

Download
memory/748-1-0x0000000002C40000-0x0000000002C51000-memory.dmp

Filesize
68KB

Download
memory/1652-5-0x0000000000000000-mapping.dmp

Download
memory/1768-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing