danabot | f4ece2e087a027df893f9575d2ca71102e96ad1048ce54727cccfff810343b18

General

Target

f4ece2e087a027df893f9575d2ca71102e96ad1048ce54727cccfff810343b18.exe
Size

1.0MB
MD5

60f54b040dacc7d25f7b4f19939669df
SHA1

1220b332ca4bca3255b1511c98a21394996d49ba
SHA256

f4ece2e087a027df893f9575d2ca71102e96ad1048ce54727cccfff810343b18
SHA512

7fdd04fbdc195fff2fcd03d9110803d223c22274e79482f3a2fa54f5c7253b3dc67cc720bde5b1659a569eda6dc08cacf1d3904a91da0f70b5bc4c5f8923f63f

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

C2

5.61.58.130

2.56.213.39

5.61.56.192

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 6 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\F4ECE2~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\F4ECE2~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\F4ECE2~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\F4ECE2~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\F4ECE2~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\F4ECE2~1.DLL	family_danabot

Blocklisted process makes network request 10 IoCs

Processes:

rundll32.exe

flow	pid	process
4	1664	rundll32.exe
5	1664	rundll32.exe
6	1664	rundll32.exe
7	1664	rundll32.exe
8	1664	rundll32.exe
9	1664	rundll32.exe
10	1664	rundll32.exe
11	1664	rundll32.exe
12	1664	rundll32.exe
13	1664	rundll32.exe

Loads dropped DLL 5 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

1616 regsvr32.exe
1664 rundll32.exe
1664 rundll32.exe
1664 rundll32.exe
1664 rundll32.exe

pid	process
1616	regsvr32.exe
1664	rundll32.exe
1664	rundll32.exe
1664	rundll32.exe
1664	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

f4ece2e087a027df893f9575d2ca71102e96ad1048ce54727cccfff810343b18.exeregsvr32.exe

description	pid	process	target process
PID 1828 wrote to memory of 1616	1828	f4ece2e087a027df893f9575d2ca71102e96ad1048ce54727cccfff810343b18.exe	regsvr32.exe
PID 1828 wrote to memory of 1616	1828	f4ece2e087a027df893f9575d2ca71102e96ad1048ce54727cccfff810343b18.exe	regsvr32.exe
PID 1828 wrote to memory of 1616	1828	f4ece2e087a027df893f9575d2ca71102e96ad1048ce54727cccfff810343b18.exe	regsvr32.exe
PID 1828 wrote to memory of 1616	1828	f4ece2e087a027df893f9575d2ca71102e96ad1048ce54727cccfff810343b18.exe	regsvr32.exe
PID 1828 wrote to memory of 1616	1828	f4ece2e087a027df893f9575d2ca71102e96ad1048ce54727cccfff810343b18.exe	regsvr32.exe
PID 1828 wrote to memory of 1616	1828	f4ece2e087a027df893f9575d2ca71102e96ad1048ce54727cccfff810343b18.exe	regsvr32.exe
PID 1828 wrote to memory of 1616	1828	f4ece2e087a027df893f9575d2ca71102e96ad1048ce54727cccfff810343b18.exe	regsvr32.exe
PID 1616 wrote to memory of 1664	1616	regsvr32.exe	rundll32.exe
PID 1616 wrote to memory of 1664	1616	regsvr32.exe	rundll32.exe
PID 1616 wrote to memory of 1664	1616	regsvr32.exe	rundll32.exe
PID 1616 wrote to memory of 1664	1616	regsvr32.exe	rundll32.exe
PID 1616 wrote to memory of 1664	1616	regsvr32.exe	rundll32.exe
PID 1616 wrote to memory of 1664	1616	regsvr32.exe	rundll32.exe
PID 1616 wrote to memory of 1664	1616	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\f4ece2e087a027df893f9575d2ca71102e96ad1048ce54727cccfff810343b18.exe
"C:\Users\Admin\AppData\Local\Temp\f4ece2e087a027df893f9575d2ca71102e96ad1048ce54727cccfff810343b18.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\F4ECE2~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\F4ECE2~1.EXE@1828
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\F4ECE2~1.DLL,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1664

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F4ECE2~1.DLL
MD5
6e045fdcfc8a472a66dceea6f17ba305

SHA1
1a655dd227be19fbe590b13ea0c2fa7ec63182cd

SHA256
babe51ab28e526926fb129ad14dd3529e5de243739994dfe67615dfabcdab928

SHA512
72d65291e2eb63ee5e12b1142653f73208862b6fa0e45d4eb63f95bd8f5e556729a1317da417ffa1891a4229d9920c75e2ddfda144f69c675ad3835a2ffbb075

Download Submit
\Users\Admin\AppData\Local\Temp\F4ECE2~1.DLL
MD5
6e045fdcfc8a472a66dceea6f17ba305

SHA1
1a655dd227be19fbe590b13ea0c2fa7ec63182cd

SHA256
babe51ab28e526926fb129ad14dd3529e5de243739994dfe67615dfabcdab928

SHA512
72d65291e2eb63ee5e12b1142653f73208862b6fa0e45d4eb63f95bd8f5e556729a1317da417ffa1891a4229d9920c75e2ddfda144f69c675ad3835a2ffbb075

Download Submit
\Users\Admin\AppData\Local\Temp\F4ECE2~1.DLL
MD5
6e045fdcfc8a472a66dceea6f17ba305

SHA1
1a655dd227be19fbe590b13ea0c2fa7ec63182cd

SHA256
babe51ab28e526926fb129ad14dd3529e5de243739994dfe67615dfabcdab928

SHA512
72d65291e2eb63ee5e12b1142653f73208862b6fa0e45d4eb63f95bd8f5e556729a1317da417ffa1891a4229d9920c75e2ddfda144f69c675ad3835a2ffbb075

Download Submit
\Users\Admin\AppData\Local\Temp\F4ECE2~1.DLL
MD5
6e045fdcfc8a472a66dceea6f17ba305

SHA1
1a655dd227be19fbe590b13ea0c2fa7ec63182cd

SHA256
babe51ab28e526926fb129ad14dd3529e5de243739994dfe67615dfabcdab928

SHA512
72d65291e2eb63ee5e12b1142653f73208862b6fa0e45d4eb63f95bd8f5e556729a1317da417ffa1891a4229d9920c75e2ddfda144f69c675ad3835a2ffbb075

Download Submit
\Users\Admin\AppData\Local\Temp\F4ECE2~1.DLL
MD5
6e045fdcfc8a472a66dceea6f17ba305

SHA1
1a655dd227be19fbe590b13ea0c2fa7ec63182cd

SHA256
babe51ab28e526926fb129ad14dd3529e5de243739994dfe67615dfabcdab928

SHA512
72d65291e2eb63ee5e12b1142653f73208862b6fa0e45d4eb63f95bd8f5e556729a1317da417ffa1891a4229d9920c75e2ddfda144f69c675ad3835a2ffbb075

Download Submit
\Users\Admin\AppData\Local\Temp\F4ECE2~1.DLL
MD5
6e045fdcfc8a472a66dceea6f17ba305

SHA1
1a655dd227be19fbe590b13ea0c2fa7ec63182cd

SHA256
babe51ab28e526926fb129ad14dd3529e5de243739994dfe67615dfabcdab928

SHA512
72d65291e2eb63ee5e12b1142653f73208862b6fa0e45d4eb63f95bd8f5e556729a1317da417ffa1891a4229d9920c75e2ddfda144f69c675ad3835a2ffbb075

Download Submit
memory/1616-62-0x0000000000000000-mapping.dmp

Download
memory/1616-63-0x0000000075511000-0x0000000075513000-memory.dmp

Filesize
8KB

Download
memory/1616-66-0x0000000000AF0000-0x0000000000BB2000-memory.dmp

Filesize
776KB

Download
memory/1664-67-0x0000000000000000-mapping.dmp

Download
memory/1828-60-0x0000000000630000-0x0000000000710000-memory.dmp

Filesize
896KB

Download
memory/1828-61-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads