danabot | 1c7b6dfdbd6117dd089c5e7df2dd6e61a36d1878dbe61e1c2d91f44da2da14fc

General

Target

siri_active_2.exe
Size

2.6MB
MD5

3d0756f3fa6d259adbddb73baf1fb23b
SHA1

2780840b4c4fd06e0a9fef8e6392aae3065b2e4d
SHA256

1c7b6dfdbd6117dd089c5e7df2dd6e61a36d1878dbe61e1c2d91f44da2da14fc
SHA512

4dccaa3913f7326e65e2e803af90bb799f2f5045245a10f382d9000186a93d1af1cd668d60f16ee27cef43bdc966efb67b7c844c58b9ec2829552327f6a56084

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

C2

92.204.160.126

193.34.166.26

93.115.22.159

93.115.22.165

185.227.138.52

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 6 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\SIRI_A~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\SIRI_A~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\SIRI_A~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\SIRI_A~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\SIRI_A~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\SIRI_A~1.DLL	family_danabot

Blocklisted process makes network request 7 IoCs

Processes:

rundll32.exe

flow pid process

4 848 rundll32.exe
7 848 rundll32.exe
8 848 rundll32.exe
9 848 rundll32.exe
10 848 rundll32.exe
13 848 rundll32.exe
14 848 rundll32.exe
Loads dropped DLL 5 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

1688 regsvr32.exe
848 rundll32.exe
848 rundll32.exe
848 rundll32.exe
848 rundll32.exe

flow	pid	process
4	848	rundll32.exe
7	848	rundll32.exe
8	848	rundll32.exe
9	848	rundll32.exe
10	848	rundll32.exe
13	848	rundll32.exe
14	848	rundll32.exe

pid	process
1688	regsvr32.exe
848	rundll32.exe
848	rundll32.exe
848	rundll32.exe
848	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

siri_active_2.exeregsvr32.exe

description	pid	process	target process
PID 1040 wrote to memory of 1688	1040	siri_active_2.exe	regsvr32.exe
PID 1040 wrote to memory of 1688	1040	siri_active_2.exe	regsvr32.exe
PID 1040 wrote to memory of 1688	1040	siri_active_2.exe	regsvr32.exe
PID 1040 wrote to memory of 1688	1040	siri_active_2.exe	regsvr32.exe
PID 1040 wrote to memory of 1688	1040	siri_active_2.exe	regsvr32.exe
PID 1040 wrote to memory of 1688	1040	siri_active_2.exe	regsvr32.exe
PID 1040 wrote to memory of 1688	1040	siri_active_2.exe	regsvr32.exe
PID 1688 wrote to memory of 848	1688	regsvr32.exe	rundll32.exe
PID 1688 wrote to memory of 848	1688	regsvr32.exe	rundll32.exe
PID 1688 wrote to memory of 848	1688	regsvr32.exe	rundll32.exe
PID 1688 wrote to memory of 848	1688	regsvr32.exe	rundll32.exe
PID 1688 wrote to memory of 848	1688	regsvr32.exe	rundll32.exe
PID 1688 wrote to memory of 848	1688	regsvr32.exe	rundll32.exe
PID 1688 wrote to memory of 848	1688	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\siri_active_2.exe
"C:\Users\Admin\AppData\Local\Temp\siri_active_2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1040

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\SIRI_A~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\SIRI_A~1.EXE@1040
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\SIRI_A~1.DLL,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:848

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SIRI_A~1.DLL
MD5
17a152a9c199508bc77e67f0dcacf6b9

SHA1
dffb7313156364818b857ed1e7837222007dd389

SHA256
affc44017d528d13e26e76da27ab36da940cd26c5ebe30ca0c5531d543c7a92f

SHA512
64c139f36d25efd99354b30288e504dc5a9376666d1a63ccf1779e0e312e55b2b2c31c804e3d88d25311342df0156e616c67d7b843c07f673272410f442022dc

Download Submit
\Users\Admin\AppData\Local\Temp\SIRI_A~1.DLL
MD5
17a152a9c199508bc77e67f0dcacf6b9

SHA1
dffb7313156364818b857ed1e7837222007dd389

SHA256
affc44017d528d13e26e76da27ab36da940cd26c5ebe30ca0c5531d543c7a92f

SHA512
64c139f36d25efd99354b30288e504dc5a9376666d1a63ccf1779e0e312e55b2b2c31c804e3d88d25311342df0156e616c67d7b843c07f673272410f442022dc

Download Submit
\Users\Admin\AppData\Local\Temp\SIRI_A~1.DLL
MD5
17a152a9c199508bc77e67f0dcacf6b9

SHA1
dffb7313156364818b857ed1e7837222007dd389

SHA256
affc44017d528d13e26e76da27ab36da940cd26c5ebe30ca0c5531d543c7a92f

SHA512
64c139f36d25efd99354b30288e504dc5a9376666d1a63ccf1779e0e312e55b2b2c31c804e3d88d25311342df0156e616c67d7b843c07f673272410f442022dc

Download Submit
\Users\Admin\AppData\Local\Temp\SIRI_A~1.DLL
MD5
17a152a9c199508bc77e67f0dcacf6b9

SHA1
dffb7313156364818b857ed1e7837222007dd389

SHA256
affc44017d528d13e26e76da27ab36da940cd26c5ebe30ca0c5531d543c7a92f

SHA512
64c139f36d25efd99354b30288e504dc5a9376666d1a63ccf1779e0e312e55b2b2c31c804e3d88d25311342df0156e616c67d7b843c07f673272410f442022dc

Download Submit
\Users\Admin\AppData\Local\Temp\SIRI_A~1.DLL
MD5
17a152a9c199508bc77e67f0dcacf6b9

SHA1
dffb7313156364818b857ed1e7837222007dd389

SHA256
affc44017d528d13e26e76da27ab36da940cd26c5ebe30ca0c5531d543c7a92f

SHA512
64c139f36d25efd99354b30288e504dc5a9376666d1a63ccf1779e0e312e55b2b2c31c804e3d88d25311342df0156e616c67d7b843c07f673272410f442022dc

Download Submit
\Users\Admin\AppData\Local\Temp\SIRI_A~1.DLL
MD5
17a152a9c199508bc77e67f0dcacf6b9

SHA1
dffb7313156364818b857ed1e7837222007dd389

SHA256
affc44017d528d13e26e76da27ab36da940cd26c5ebe30ca0c5531d543c7a92f

SHA512
64c139f36d25efd99354b30288e504dc5a9376666d1a63ccf1779e0e312e55b2b2c31c804e3d88d25311342df0156e616c67d7b843c07f673272410f442022dc

Download Submit
memory/848-5-0x0000000000000000-mapping.dmp

Download
memory/1040-0-0x0000000004FD0000-0x0000000005247000-memory.dmp

Filesize
2.5MB

Download
memory/1040-1-0x0000000005250000-0x0000000005261000-memory.dmp

Filesize
68KB

Download
memory/1688-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing