danabot | c0adc2099ae21ac92cb680941eba342bdc73a7ca10bffd888c2fcae2e53bae9a

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7v20210410
submitted
30-07-2021 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46f780418896a455d2de3f6f4bcd58c8.exe
Size

1.2MB
MD5

46f780418896a455d2de3f6f4bcd58c8
SHA1

2e3eee8b2ed1c38d2576081c248548a1c014ed88
SHA256

c0adc2099ae21ac92cb680941eba342bdc73a7ca10bffd888c2fcae2e53bae9a
SHA512

8bfd6522f682c5cdb591e466d3a99aa6e1d5276fa27f800b3c935af0c969de13bd3d564afa468ecefa84a295e2471d8350970d4e460211557e89e2fa65199708

Score

10^/10

danabot banker trojan

Malware Config

Extracted

Family

danabot

142.11.244.124:443

142.11.206.50:443

Attributes

embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 3 IoCs

resource	yara_rule
behavioral1/files/0x00040000000130ff-62.dat	DanabotLoader2021
behavioral1/memory/1692-64-0x0000000000990000-0x0000000000AEE000-memory.dmp	DanabotLoader2021
behavioral1/files/0x00040000000130ff-63.dat	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	1692	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
1692	rundll32.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Jvgzbfh.tmp	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 752 wrote to memory of 1692	752	46f780418896a455d2de3f6f4bcd58c8.exe	29
PID 752 wrote to memory of 1692	752	46f780418896a455d2de3f6f4bcd58c8.exe	29
PID 752 wrote to memory of 1692	752	46f780418896a455d2de3f6f4bcd58c8.exe	29
PID 752 wrote to memory of 1692	752	46f780418896a455d2de3f6f4bcd58c8.exe	29
PID 752 wrote to memory of 1692	752	46f780418896a455d2de3f6f4bcd58c8.exe	29
PID 752 wrote to memory of 1692	752	46f780418896a455d2de3f6f4bcd58c8.exe	29
PID 752 wrote to memory of 1692	752	46f780418896a455d2de3f6f4bcd58c8.exe	29

C:\Users\Admin\AppData\Local\Temp\46f780418896a455d2de3f6f4bcd58c8.exe
"C:\Users\Admin\AppData\Local\Temp\46f780418896a455d2de3f6f4bcd58c8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:752
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\46F780~1.TMP,S C:\Users\Admin\AppData\Local\Temp\46F780~1.EXE
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Drops file in Program Files directory
  PID:1692

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/752-59-0x0000000076661000-0x0000000076663000-memory.dmp

Filesize
8KB

Download
memory/752-65-0x0000000004C40000-0x0000000004D3F000-memory.dmp

Filesize
1020KB

Download
memory/752-66-0x0000000000400000-0x000000000332A000-memory.dmp

Filesize
47.2MB

Download
memory/1692-64-0x0000000000990000-0x0000000000AEE000-memory.dmp

Filesize
1.4MB

Download