danabot | c0adc2099ae21ac92cb680941eba342bdc73a7ca10bffd888c2fcae2e53bae9a

General

Target

46f780418896a455d2de3f6f4bcd58c8.exe
Size

1.2MB
MD5

46f780418896a455d2de3f6f4bcd58c8
SHA1

2e3eee8b2ed1c38d2576081c248548a1c014ed88
SHA256

c0adc2099ae21ac92cb680941eba342bdc73a7ca10bffd888c2fcae2e53bae9a
SHA512

8bfd6522f682c5cdb591e466d3a99aa6e1d5276fa27f800b3c935af0c969de13bd3d564afa468ecefa84a295e2471d8350970d4e460211557e89e2fa65199708

Score

10^/10

danabot banker trojan

Malware Config

Extracted

Family

danabot

C2

142.11.244.124:443

142.11.206.50:443

Attributes

embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\46F780~1.TMP	DanabotLoader2021
behavioral1/memory/1692-64-0x0000000000990000-0x0000000000AEE000-memory.dmp	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\46F780~1.TMP	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

3 1692 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1692 rundll32.exe
Drops file in Program Files directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\PROGRA~3\Jvgzbfh.tmp rundll32.exe

flow	pid	process
3	1692	rundll32.exe

pid	process
1692	rundll32.exe

description	ioc	process
File created	C:\PROGRA~3\Jvgzbfh.tmp	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

46f780418896a455d2de3f6f4bcd58c8.exe

description	pid	process	target process
PID 752 wrote to memory of 1692	752	46f780418896a455d2de3f6f4bcd58c8.exe	rundll32.exe
PID 752 wrote to memory of 1692	752	46f780418896a455d2de3f6f4bcd58c8.exe	rundll32.exe
PID 752 wrote to memory of 1692	752	46f780418896a455d2de3f6f4bcd58c8.exe	rundll32.exe
PID 752 wrote to memory of 1692	752	46f780418896a455d2de3f6f4bcd58c8.exe	rundll32.exe
PID 752 wrote to memory of 1692	752	46f780418896a455d2de3f6f4bcd58c8.exe	rundll32.exe
PID 752 wrote to memory of 1692	752	46f780418896a455d2de3f6f4bcd58c8.exe	rundll32.exe
PID 752 wrote to memory of 1692	752	46f780418896a455d2de3f6f4bcd58c8.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\46f780418896a455d2de3f6f4bcd58c8.exe
"C:\Users\Admin\AppData\Local\Temp\46f780418896a455d2de3f6f4bcd58c8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\46F780~1.TMP,S C:\Users\Admin\AppData\Local\Temp\46F780~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
PID:1692

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\46F780~1.TMP
MD5
54ace81de31e2fa24537fad878dd6c6a

SHA1
2618c4e2d833f30cf33cdc1e196867e4c197788e

SHA256
d452582875976bef31829b3918a52489bbbba35f00f072219112a24429dfa844

SHA512
0dae08f3faa504218c4805bf430a8fde3098b82167fef69ece2b3d66cd4130f98e19d37a84163ee3cc0554e93dc7790baa528953fe5f775664cfad2967c175cf

Download Submit
\Users\Admin\AppData\Local\Temp\46F780~1.TMP
MD5
54ace81de31e2fa24537fad878dd6c6a

SHA1
2618c4e2d833f30cf33cdc1e196867e4c197788e

SHA256
d452582875976bef31829b3918a52489bbbba35f00f072219112a24429dfa844

SHA512
0dae08f3faa504218c4805bf430a8fde3098b82167fef69ece2b3d66cd4130f98e19d37a84163ee3cc0554e93dc7790baa528953fe5f775664cfad2967c175cf

Download Submit
memory/752-59-0x0000000076661000-0x0000000076663000-memory.dmp

Filesize
8KB

Download
memory/752-65-0x0000000004C40000-0x0000000004D3F000-memory.dmp

Filesize
1020KB

Download
memory/752-66-0x0000000000400000-0x000000000332A000-memory.dmp

Filesize
47.2MB

Download
memory/1692-60-0x0000000000000000-mapping.dmp

Download
memory/1692-64-0x0000000000990000-0x0000000000AEE000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing