danabot | 6580b317fa344c60c98d15f71a92fd9ca77d7431e4095a73cd8066510d938aeb

General

Target

6580b317fa344c60c98d15f71a92fd9ca77d7431e4095a73cd8066510d938aeb.exe
Size

1011KB
MD5

e8e4a5dbac5a64dbe4b134ecd5732c4e
SHA1

eaa845953ff0fa95a1901c3630e51cef1c9c3edb
SHA256

6580b317fa344c60c98d15f71a92fd9ca77d7431e4095a73cd8066510d938aeb
SHA512

cbf46029ed65e8dfa9aa2c93b4e8879092dd5bdd02cf467408ce085631ec3d695342765865fb0dd656b2822cb438fe8dc4b7804c6010ad4db9d79e8464326370

Score

10^/10

danabot banker botnet trojan

Malware Config

Extracted

Family

danabot

C2

5.61.58.130

2.56.213.39

5.61.56.192

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 4 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\6580B3~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\6580B3~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\6580B3~1.DLL	family_danabot
\Users\Admin\AppData\Local\Temp\6580B3~1.DLL	family_danabot

Blocklisted process makes network request 10 IoCs

Processes:

rundll32.exe

flow	pid	process
10	2976	rundll32.exe
11	2976	rundll32.exe
12	2976	rundll32.exe
13	2976	rundll32.exe
14	2976	rundll32.exe
15	2976	rundll32.exe
16	2976	rundll32.exe
17	2976	rundll32.exe
18	2976	rundll32.exe
29	2976	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

3180 regsvr32.exe
3180 regsvr32.exe
2976 rundll32.exe

pid	process
3180	regsvr32.exe
3180	regsvr32.exe
2976	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

6580b317fa344c60c98d15f71a92fd9ca77d7431e4095a73cd8066510d938aeb.exeregsvr32.exe

description	pid	process	target process
PID 776 wrote to memory of 3180	776	6580b317fa344c60c98d15f71a92fd9ca77d7431e4095a73cd8066510d938aeb.exe	regsvr32.exe
PID 776 wrote to memory of 3180	776	6580b317fa344c60c98d15f71a92fd9ca77d7431e4095a73cd8066510d938aeb.exe	regsvr32.exe
PID 776 wrote to memory of 3180	776	6580b317fa344c60c98d15f71a92fd9ca77d7431e4095a73cd8066510d938aeb.exe	regsvr32.exe
PID 3180 wrote to memory of 2976	3180	regsvr32.exe	rundll32.exe
PID 3180 wrote to memory of 2976	3180	regsvr32.exe	rundll32.exe
PID 3180 wrote to memory of 2976	3180	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\6580b317fa344c60c98d15f71a92fd9ca77d7431e4095a73cd8066510d938aeb.exe
"C:\Users\Admin\AppData\Local\Temp\6580b317fa344c60c98d15f71a92fd9ca77d7431e4095a73cd8066510d938aeb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:776

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\6580B3~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\6580B3~1.EXE@776
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3180

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\6580B3~1.DLL,f0
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:2976

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6580B3~1.DLL
MD5
d0222d175fa9e6a023fbaaa371a1c19f

SHA1
584a456d8e342e503f3f114b5311d1cb3ecb6134

SHA256
d81abbc3a01e4f2afac7a6f7b4eb4bc54af3880d226ecd787205b63e9f115e8c

SHA512
eda1f660e22fb23576b1a31e991b52051e124c4477fcf8f5e46e2f39fe53c06633fa0db584921fb3595b1cef2c0d314c83a077655d130f4baa9a690a3b7ef423

Download Submit
\Users\Admin\AppData\Local\Temp\6580B3~1.DLL
MD5
d0222d175fa9e6a023fbaaa371a1c19f

SHA1
584a456d8e342e503f3f114b5311d1cb3ecb6134

SHA256
d81abbc3a01e4f2afac7a6f7b4eb4bc54af3880d226ecd787205b63e9f115e8c

SHA512
eda1f660e22fb23576b1a31e991b52051e124c4477fcf8f5e46e2f39fe53c06633fa0db584921fb3595b1cef2c0d314c83a077655d130f4baa9a690a3b7ef423

Download Submit
\Users\Admin\AppData\Local\Temp\6580B3~1.DLL
MD5
d0222d175fa9e6a023fbaaa371a1c19f

SHA1
584a456d8e342e503f3f114b5311d1cb3ecb6134

SHA256
d81abbc3a01e4f2afac7a6f7b4eb4bc54af3880d226ecd787205b63e9f115e8c

SHA512
eda1f660e22fb23576b1a31e991b52051e124c4477fcf8f5e46e2f39fe53c06633fa0db584921fb3595b1cef2c0d314c83a077655d130f4baa9a690a3b7ef423

Download Submit
\Users\Admin\AppData\Local\Temp\6580B3~1.DLL
MD5
d0222d175fa9e6a023fbaaa371a1c19f

SHA1
584a456d8e342e503f3f114b5311d1cb3ecb6134

SHA256
d81abbc3a01e4f2afac7a6f7b4eb4bc54af3880d226ecd787205b63e9f115e8c

SHA512
eda1f660e22fb23576b1a31e991b52051e124c4477fcf8f5e46e2f39fe53c06633fa0db584921fb3595b1cef2c0d314c83a077655d130f4baa9a690a3b7ef423

Download Submit
memory/776-114-0x0000000003560000-0x0000000003645000-memory.dmp

Filesize
916KB

Download
memory/776-115-0x0000000000400000-0x0000000002EB2000-memory.dmp

Filesize
42.7MB

Download
memory/2976-121-0x0000000000000000-mapping.dmp

Download
memory/3180-116-0x0000000000000000-mapping.dmp

Download
memory/3180-120-0x0000000004340000-0x0000000004405000-memory.dmp

Filesize
788KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads