danabot | 49f3d49a89443de2c5c954803aff0e8891c6a87c069c784dd67e373204590cd5

Analysis

max time kernel
143s
max time network
142s
platform
windows7_x64
resource
win7-en
submitted
11-09-2021 04:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.Win32.Save.a.27858.20227.exe
Size

1.0MB
MD5

643203bc80de891208614cc77925373f
SHA1

0df0efd8a4d0cabcc8242d708e72cd11ec70b19b
SHA256

49f3d49a89443de2c5c954803aff0e8891c6a87c069c784dd67e373204590cd5
SHA512

c6666663e6831995f693b8561f128a1b791d01c92e6f3f31c298ec56806c01f8d6056046dadd33537574f868b3ded3011427d00ad4679eb27228236b70560e87

Score

10^/10

danabot banker trojan

Malware Config

Extracted

Family

danabot

23.229.29.48:443

5.9.224.204:443

192.210.222.81:443

Attributes

embedded_hash
0E1A7A1479C37094441FA911262B322A

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 6 IoCs

resource	yara_rule
behavioral1/files/0x0002000000012f13-57.dat	DanabotLoader2021
behavioral1/files/0x0002000000012f13-58.dat	DanabotLoader2021
behavioral1/files/0x0002000000012f13-59.dat	DanabotLoader2021
behavioral1/files/0x0002000000012f13-60.dat	DanabotLoader2021
behavioral1/files/0x0002000000012f13-61.dat	DanabotLoader2021
behavioral1/memory/2020-62-0x0000000001E80000-0x0000000001FE1000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2020	rundll32.exe

Loads dropped DLL 4 IoCs

pid	Process
2020	rundll32.exe
2020	rundll32.exe
2020	rundll32.exe
2020	rundll32.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Gskyj.tmp	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 2020	2044	SecuriteInfo.com.Trojan.Win32.Save.a.27858.20227.exe	30
PID 2044 wrote to memory of 2020	2044	SecuriteInfo.com.Trojan.Win32.Save.a.27858.20227.exe	30
PID 2044 wrote to memory of 2020	2044	SecuriteInfo.com.Trojan.Win32.Save.a.27858.20227.exe	30
PID 2044 wrote to memory of 2020	2044	SecuriteInfo.com.Trojan.Win32.Save.a.27858.20227.exe	30
PID 2044 wrote to memory of 2020	2044	SecuriteInfo.com.Trojan.Win32.Save.a.27858.20227.exe	30
PID 2044 wrote to memory of 2020	2044	SecuriteInfo.com.Trojan.Win32.Save.a.27858.20227.exe	30
PID 2044 wrote to memory of 2020	2044	SecuriteInfo.com.Trojan.Win32.Save.a.27858.20227.exe	30

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Win32.Save.a.27858.20227.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Win32.Save.a.27858.20227.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL,s C:\Users\Admin\AppData\Local\Temp\SECURI~1.EXE
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Drops file in Program Files directory
  PID:2020

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2020-62-0x0000000001E80000-0x0000000001FE1000-memory.dmp

Filesize
1.4MB

Download
memory/2044-52-0x0000000076391000-0x0000000076393000-memory.dmp

Filesize
8KB

Download
memory/2044-53-0x0000000003C50000-0x0000000003D55000-memory.dmp

Filesize
1.0MB

Download
memory/2044-54-0x0000000000400000-0x000000000222A000-memory.dmp

Filesize
30.2MB

Download