danabot | 49f3d49a89443de2c5c954803aff0e8891c6a87c069c784dd67e373204590cd5

Analysis

Target

SecuriteInfo.com.Trojan.Win32.Save.a.27858.20227.exe
Size

1.0MB
MD5

643203bc80de891208614cc77925373f
SHA1

0df0efd8a4d0cabcc8242d708e72cd11ec70b19b
SHA256

49f3d49a89443de2c5c954803aff0e8891c6a87c069c784dd67e373204590cd5
SHA512

c6666663e6831995f693b8561f128a1b791d01c92e6f3f31c298ec56806c01f8d6056046dadd33537574f868b3ded3011427d00ad4679eb27228236b70560e87

Score

10^/10

Family

danabot

23.229.29.48:443

5.9.224.204:443

192.210.222.81:443

Attributes

rsa_pubkey.plain

rsa_privkey.plain

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\SECURI~1.DLL	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

13 4024 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4024 rundll32.exe
Drops file in Program Files directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\PROGRA~3\Gskyj.tmp rundll32.exe

flow	pid	process
13	4024	rundll32.exe

pid	process
4024	rundll32.exe

description	ioc	process
File created	C:\PROGRA~3\Gskyj.tmp	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

SecuriteInfo.com.Trojan.Win32.Save.a.27858.20227.exe

description	pid	process	target process
PID 396 wrote to memory of 4024	396	SecuriteInfo.com.Trojan.Win32.Save.a.27858.20227.exe	rundll32.exe
PID 396 wrote to memory of 4024	396	SecuriteInfo.com.Trojan.Win32.Save.a.27858.20227.exe	rundll32.exe
PID 396 wrote to memory of 4024	396	SecuriteInfo.com.Trojan.Win32.Save.a.27858.20227.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Win32.Save.a.27858.20227.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Win32.Save.a.27858.20227.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:396
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL,s C:\Users\Admin\AppData\Local\Temp\SECURI~1.EXE
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Drops file in Program Files directory
  PID:4024

C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL

MD5
3086f448ea41393ead87bbb73715c900

SHA1
457f17e0123845ed533d014f3c8e24c65c653058

SHA256
b5cdb288f34e11afae9512b0c7a08d784b38ca571731c60441e78e2c10c28e77

SHA512
5da8d8314d0e3a3d199259dcd121ca1c25db324e1107dd66ac1ea99dfb4052cfae5c2eba2beeca665be00db546262b613809d2136e2da698050e44854b868451

Download Submit
\Users\Admin\AppData\Local\Temp\SECURI~1.DLL

MD5
3086f448ea41393ead87bbb73715c900

SHA1
457f17e0123845ed533d014f3c8e24c65c653058

SHA256
b5cdb288f34e11afae9512b0c7a08d784b38ca571731c60441e78e2c10c28e77

SHA512
5da8d8314d0e3a3d199259dcd121ca1c25db324e1107dd66ac1ea99dfb4052cfae5c2eba2beeca665be00db546262b613809d2136e2da698050e44854b868451

Download Submit
memory/396-114-0x00000000040F0000-0x00000000041F5000-memory.dmp

Filesize
1.0MB

Download
memory/396-115-0x0000000000400000-0x000000000222A000-memory.dmp

Filesize
30.2MB

Download
memory/4024-116-0x0000000000000000-mapping.dmp

Download