danabot | 2a67f7b5c5a1fae80726c98335f2be0533ab9a10ea6c26615ce67229fd3043bc

General

Target

2a67f7b5c5a1fae80726c98335f2be0533ab9a10ea6c26615ce67229fd3043bc.exe
Size

1011KB
MD5

d45768ceae6cfdd8d41904340c72517a
SHA1

12062eca4bb9b412b8af3873d6224f5909153aaf
SHA256

2a67f7b5c5a1fae80726c98335f2be0533ab9a10ea6c26615ce67229fd3043bc
SHA512

d2b91415aa026adebb126612a32cf6318af4289672d848016e19a301e40f8d28eb9dc477762270c098e936f10c2e07b1c31a497aeef5ecad7f338ee2cf1b86b5

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

C2

5.61.58.130

2.56.213.39

5.61.56.192

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 4 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\2A67F7~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\2A67F7~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\2A67F7~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\2A67F7~1.DLL	family_danabot

Blocklisted process makes network request 10 IoCs

Processes:

rundll32.exe

flow	pid	process
11	3604	rundll32.exe
18	3604	rundll32.exe
19	3604	rundll32.exe
20	3604	rundll32.exe
21	3604	rundll32.exe
22	3604	rundll32.exe
23	3604	rundll32.exe
24	3604	rundll32.exe
25	3604	rundll32.exe
26	3604	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

3328 regsvr32.exe
3604 rundll32.exe
3604 rundll32.exe

pid	process
3328	regsvr32.exe
3604	rundll32.exe
3604	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

2a67f7b5c5a1fae80726c98335f2be0533ab9a10ea6c26615ce67229fd3043bc.exeregsvr32.exe

description	pid	process	target process
PID 3904 wrote to memory of 3328	3904	2a67f7b5c5a1fae80726c98335f2be0533ab9a10ea6c26615ce67229fd3043bc.exe	regsvr32.exe
PID 3904 wrote to memory of 3328	3904	2a67f7b5c5a1fae80726c98335f2be0533ab9a10ea6c26615ce67229fd3043bc.exe	regsvr32.exe
PID 3904 wrote to memory of 3328	3904	2a67f7b5c5a1fae80726c98335f2be0533ab9a10ea6c26615ce67229fd3043bc.exe	regsvr32.exe
PID 3328 wrote to memory of 3604	3328	regsvr32.exe	rundll32.exe
PID 3328 wrote to memory of 3604	3328	regsvr32.exe	rundll32.exe
PID 3328 wrote to memory of 3604	3328	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\2a67f7b5c5a1fae80726c98335f2be0533ab9a10ea6c26615ce67229fd3043bc.exe
"C:\Users\Admin\AppData\Local\Temp\2a67f7b5c5a1fae80726c98335f2be0533ab9a10ea6c26615ce67229fd3043bc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3904

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\2A67F7~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\2A67F7~1.EXE@3904
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3328

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\2A67F7~1.DLL,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:3604

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2A67F7~1.DLL
MD5
d0222d175fa9e6a023fbaaa371a1c19f

SHA1
584a456d8e342e503f3f114b5311d1cb3ecb6134

SHA256
d81abbc3a01e4f2afac7a6f7b4eb4bc54af3880d226ecd787205b63e9f115e8c

SHA512
eda1f660e22fb23576b1a31e991b52051e124c4477fcf8f5e46e2f39fe53c06633fa0db584921fb3595b1cef2c0d314c83a077655d130f4baa9a690a3b7ef423

Download Submit
\Users\Admin\AppData\Local\Temp\2A67F7~1.DLL
MD5
d0222d175fa9e6a023fbaaa371a1c19f

SHA1
584a456d8e342e503f3f114b5311d1cb3ecb6134

SHA256
d81abbc3a01e4f2afac7a6f7b4eb4bc54af3880d226ecd787205b63e9f115e8c

SHA512
eda1f660e22fb23576b1a31e991b52051e124c4477fcf8f5e46e2f39fe53c06633fa0db584921fb3595b1cef2c0d314c83a077655d130f4baa9a690a3b7ef423

Download Submit
\Users\Admin\AppData\Local\Temp\2A67F7~1.DLL
MD5
d0222d175fa9e6a023fbaaa371a1c19f

SHA1
584a456d8e342e503f3f114b5311d1cb3ecb6134

SHA256
d81abbc3a01e4f2afac7a6f7b4eb4bc54af3880d226ecd787205b63e9f115e8c

SHA512
eda1f660e22fb23576b1a31e991b52051e124c4477fcf8f5e46e2f39fe53c06633fa0db584921fb3595b1cef2c0d314c83a077655d130f4baa9a690a3b7ef423

Download Submit
\Users\Admin\AppData\Local\Temp\2A67F7~1.DLL
MD5
d0222d175fa9e6a023fbaaa371a1c19f

SHA1
584a456d8e342e503f3f114b5311d1cb3ecb6134

SHA256
d81abbc3a01e4f2afac7a6f7b4eb4bc54af3880d226ecd787205b63e9f115e8c

SHA512
eda1f660e22fb23576b1a31e991b52051e124c4477fcf8f5e46e2f39fe53c06633fa0db584921fb3595b1cef2c0d314c83a077655d130f4baa9a690a3b7ef423

Download Submit
memory/3328-116-0x0000000000000000-mapping.dmp

Download
memory/3604-119-0x0000000000000000-mapping.dmp

Download
memory/3604-122-0x0000000004090000-0x0000000004155000-memory.dmp

Filesize
788KB

Download
memory/3904-114-0x0000000003480000-0x0000000003565000-memory.dmp

Filesize
916KB

Download
memory/3904-115-0x0000000000400000-0x0000000002EB2000-memory.dmp

Filesize
42.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads