danabot | 49f3d49a89443de2c5c954803aff0e8891c6a87c069c784dd67e373204590cd5

General

Target

SecuriteInfo.com.Trojan.Win32.Save.a.27858.20227.exe
Size

1.0MB
MD5

643203bc80de891208614cc77925373f
SHA1

0df0efd8a4d0cabcc8242d708e72cd11ec70b19b
SHA256

49f3d49a89443de2c5c954803aff0e8891c6a87c069c784dd67e373204590cd5
SHA512

c6666663e6831995f693b8561f128a1b791d01c92e6f3f31c298ec56806c01f8d6056046dadd33537574f868b3ded3011427d00ad4679eb27228236b70560e87

Score

10^/10

danabot banker trojan

Malware Config

Extracted

Family

danabot

C2

23.229.29.48:443

5.9.224.204:443

192.210.222.81:443

Attributes

embedded_hash
0E1A7A1479C37094441FA911262B322A

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\SECURI~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\SECURI~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\SECURI~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\SECURI~1.DLL	DanabotLoader2021
behavioral1/memory/2020-62-0x0000000001E80000-0x0000000001FE1000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

3 2020 rundll32.exe
Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

2020 rundll32.exe
2020 rundll32.exe
2020 rundll32.exe
2020 rundll32.exe
Drops file in Program Files directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\PROGRA~3\Gskyj.tmp rundll32.exe

flow	pid	process
3	2020	rundll32.exe

pid	process
2020	rundll32.exe
2020	rundll32.exe
2020	rundll32.exe
2020	rundll32.exe

description	ioc	process
File created	C:\PROGRA~3\Gskyj.tmp	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

SecuriteInfo.com.Trojan.Win32.Save.a.27858.20227.exe

description	pid	process	target process
PID 2044 wrote to memory of 2020	2044	SecuriteInfo.com.Trojan.Win32.Save.a.27858.20227.exe	rundll32.exe
PID 2044 wrote to memory of 2020	2044	SecuriteInfo.com.Trojan.Win32.Save.a.27858.20227.exe	rundll32.exe
PID 2044 wrote to memory of 2020	2044	SecuriteInfo.com.Trojan.Win32.Save.a.27858.20227.exe	rundll32.exe
PID 2044 wrote to memory of 2020	2044	SecuriteInfo.com.Trojan.Win32.Save.a.27858.20227.exe	rundll32.exe
PID 2044 wrote to memory of 2020	2044	SecuriteInfo.com.Trojan.Win32.Save.a.27858.20227.exe	rundll32.exe
PID 2044 wrote to memory of 2020	2044	SecuriteInfo.com.Trojan.Win32.Save.a.27858.20227.exe	rundll32.exe
PID 2044 wrote to memory of 2020	2044	SecuriteInfo.com.Trojan.Win32.Save.a.27858.20227.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Win32.Save.a.27858.20227.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Win32.Save.a.27858.20227.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL,s C:\Users\Admin\AppData\Local\Temp\SECURI~1.EXE
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Drops file in Program Files directory
  PID:2020

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL

MD5
619cc0dd311737393371cfda6bb57b91

SHA1
f9f000480eb9daad7c73cd1c48f8822ac278e19f

SHA256
025da2d73d48ec45e30c3238e5b1ddc84989035265b07e86b1627fb6cdc4cfce

SHA512
f2afd2a3bb26d450f8a7914043b9575e6d57936b12e26f6412e4528b7f84bada0004067b1281058be968f757190a7362c77ae2df2bb9fcd632919b7ef13a78f0

Download Submit
\Users\Admin\AppData\Local\Temp\SECURI~1.DLL

MD5
619cc0dd311737393371cfda6bb57b91

SHA1
f9f000480eb9daad7c73cd1c48f8822ac278e19f

SHA256
025da2d73d48ec45e30c3238e5b1ddc84989035265b07e86b1627fb6cdc4cfce

SHA512
f2afd2a3bb26d450f8a7914043b9575e6d57936b12e26f6412e4528b7f84bada0004067b1281058be968f757190a7362c77ae2df2bb9fcd632919b7ef13a78f0

Download Submit
\Users\Admin\AppData\Local\Temp\SECURI~1.DLL

MD5
619cc0dd311737393371cfda6bb57b91

SHA1
f9f000480eb9daad7c73cd1c48f8822ac278e19f

SHA256
025da2d73d48ec45e30c3238e5b1ddc84989035265b07e86b1627fb6cdc4cfce

SHA512
f2afd2a3bb26d450f8a7914043b9575e6d57936b12e26f6412e4528b7f84bada0004067b1281058be968f757190a7362c77ae2df2bb9fcd632919b7ef13a78f0

Download Submit
\Users\Admin\AppData\Local\Temp\SECURI~1.DLL

MD5
619cc0dd311737393371cfda6bb57b91

SHA1
f9f000480eb9daad7c73cd1c48f8822ac278e19f

SHA256
025da2d73d48ec45e30c3238e5b1ddc84989035265b07e86b1627fb6cdc4cfce

SHA512
f2afd2a3bb26d450f8a7914043b9575e6d57936b12e26f6412e4528b7f84bada0004067b1281058be968f757190a7362c77ae2df2bb9fcd632919b7ef13a78f0

Download Submit
\Users\Admin\AppData\Local\Temp\SECURI~1.DLL

MD5
619cc0dd311737393371cfda6bb57b91

SHA1
f9f000480eb9daad7c73cd1c48f8822ac278e19f

SHA256
025da2d73d48ec45e30c3238e5b1ddc84989035265b07e86b1627fb6cdc4cfce

SHA512
f2afd2a3bb26d450f8a7914043b9575e6d57936b12e26f6412e4528b7f84bada0004067b1281058be968f757190a7362c77ae2df2bb9fcd632919b7ef13a78f0

Download Submit
memory/2020-55-0x0000000000000000-mapping.dmp

Download
memory/2020-62-0x0000000001E80000-0x0000000001FE1000-memory.dmp

Filesize
1.4MB

Download
memory/2044-52-0x0000000076391000-0x0000000076393000-memory.dmp

Filesize
8KB

Download
memory/2044-53-0x0000000003C50000-0x0000000003D55000-memory.dmp

Filesize
1.0MB

Download
memory/2044-54-0x0000000000400000-0x000000000222A000-memory.dmp

Filesize
30.2MB

Download

Analysis

Sharing