danabot | 25dfa7709940a235749d6be1658b9bc7b650dd2cf9a61934cc3f6deb38e7f38a

General

Target

siri_1.exe
Size

2.6MB
MD5

71c0859705ea213fbb15685db30f2312
SHA1

21c2f4231259df8d3a14993e605c63150fb3aea8
SHA256

25dfa7709940a235749d6be1658b9bc7b650dd2cf9a61934cc3f6deb38e7f38a
SHA512

fea69c9ba099dc06002f336d767b14bb36f265dc1f8de0cf09139add98ad06e6ad9bef969bc53f8ebfe6ca734fba8146e3d21d3a102d6f8db5ad942c9484abf2

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

C2

45.147.231.202

23.83.133.10

137.74.66.92

185.227.138.52

192.236.146.249

149.255.35.125

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 4 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\siri_1.dll	family_danabot
\Users\Admin\AppData\Local\Temp\siri_1.dll	family_danabot
\Users\Admin\AppData\Local\Temp\siri_1.dll	family_danabot
\Users\Admin\AppData\Local\Temp\siri_1.dll	family_danabot

Blocklisted process makes network request 7 IoCs

Processes:

rundll32.exe

flow pid process

17 1100 rundll32.exe
21 1100 rundll32.exe
22 1100 rundll32.exe
24 1100 rundll32.exe
25 1100 rundll32.exe
27 1100 rundll32.exe
28 1100 rundll32.exe
Loads dropped DLL 3 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

2284 regsvr32.exe
1100 rundll32.exe
1100 rundll32.exe

flow	pid	process
17	1100	rundll32.exe
21	1100	rundll32.exe
22	1100	rundll32.exe
24	1100	rundll32.exe
25	1100	rundll32.exe
27	1100	rundll32.exe
28	1100	rundll32.exe

pid	process
2284	regsvr32.exe
1100	rundll32.exe
1100	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

siri_1.exeregsvr32.exe

description	pid	process	target process
PID 580 wrote to memory of 2284	580	siri_1.exe	regsvr32.exe
PID 580 wrote to memory of 2284	580	siri_1.exe	regsvr32.exe
PID 580 wrote to memory of 2284	580	siri_1.exe	regsvr32.exe
PID 2284 wrote to memory of 1100	2284	regsvr32.exe	rundll32.exe
PID 2284 wrote to memory of 1100	2284	regsvr32.exe	rundll32.exe
PID 2284 wrote to memory of 1100	2284	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\siri_1.exe
"C:\Users\Admin\AppData\Local\Temp\siri_1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\siri_1.dll f1 C:\Users\Admin\AppData\Local\Temp\siri_1.exe@580
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\siri_1.dll,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1100

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\siri_1.dll
MD5
414bc892169d57d097d7fc1a04da3624

SHA1
fbf48c2ea902de9e216032ec867561023220d577

SHA256
a1fcf4274e1f86fd689efc29859b6d4aef772915a9d346bc29c9e514b3b51798

SHA512
225dc50a998ccd05b8dad6800aeccbc13b91060d49cb0d9c37049ead538b00912f22ffbca55f670db93582356bb4199d969ded1a053f86157e512f3cc3e7e7ae

Download Submit
\Users\Admin\AppData\Local\Temp\siri_1.dll
MD5
414bc892169d57d097d7fc1a04da3624

SHA1
fbf48c2ea902de9e216032ec867561023220d577

SHA256
a1fcf4274e1f86fd689efc29859b6d4aef772915a9d346bc29c9e514b3b51798

SHA512
225dc50a998ccd05b8dad6800aeccbc13b91060d49cb0d9c37049ead538b00912f22ffbca55f670db93582356bb4199d969ded1a053f86157e512f3cc3e7e7ae

Download Submit
\Users\Admin\AppData\Local\Temp\siri_1.dll
MD5
414bc892169d57d097d7fc1a04da3624

SHA1
fbf48c2ea902de9e216032ec867561023220d577

SHA256
a1fcf4274e1f86fd689efc29859b6d4aef772915a9d346bc29c9e514b3b51798

SHA512
225dc50a998ccd05b8dad6800aeccbc13b91060d49cb0d9c37049ead538b00912f22ffbca55f670db93582356bb4199d969ded1a053f86157e512f3cc3e7e7ae

Download Submit
\Users\Admin\AppData\Local\Temp\siri_1.dll
MD5
414bc892169d57d097d7fc1a04da3624

SHA1
fbf48c2ea902de9e216032ec867561023220d577

SHA256
a1fcf4274e1f86fd689efc29859b6d4aef772915a9d346bc29c9e514b3b51798

SHA512
225dc50a998ccd05b8dad6800aeccbc13b91060d49cb0d9c37049ead538b00912f22ffbca55f670db93582356bb4199d969ded1a053f86157e512f3cc3e7e7ae

Download Submit
memory/580-1-0x0000000004590000-0x0000000004591000-memory.dmp

Filesize
4KB

Download
memory/1100-5-0x0000000000000000-mapping.dmp

Download
memory/2284-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing