danabot | f6f17df29850bf734970fd18cc9c8fbf1e7cc901c2f0a823b1743c5866394254

Analysis

max time kernel
136s
max time network
185s
platform
windows7_x64
resource
win7v20210408
submitted
14-09-2021 11:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

194da08d62700deae3dfbc9ecbf0fb03.exe
Size

1.2MB
MD5

194da08d62700deae3dfbc9ecbf0fb03
SHA1

e7385bf842b7a8e72227fa9b98454ea4841d980a
SHA256

f6f17df29850bf734970fd18cc9c8fbf1e7cc901c2f0a823b1743c5866394254
SHA512

e56c674f9116e8c5cf1eb4cac434b7347eaaeb4392b5af229dee6f9bcd3f07b530c78223c020f62ce3df6ae4f02ed3051cdea6b3b44d15dc7b40d60c8128e211

Score

10^/10

danabot banker trojan

Malware Config

Extracted

Family

danabot

23.229.29.48:443

5.9.224.204:443

192.255.166.212:443

Attributes

embedded_hash
0E1A7A1479C37094441FA911262B322A

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 6 IoCs

resource	yara_rule
behavioral1/files/0x00040000000130c9-65.dat	DanabotLoader2021
behavioral1/files/0x00040000000130c9-68.dat	DanabotLoader2021
behavioral1/files/0x00040000000130c9-67.dat	DanabotLoader2021
behavioral1/files/0x00040000000130c9-66.dat	DanabotLoader2021
behavioral1/memory/1772-70-0x0000000000A50000-0x0000000000BB2000-memory.dmp	DanabotLoader2021
behavioral1/files/0x00040000000130c9-69.dat	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	1772	rundll32.exe

Loads dropped DLL 4 IoCs

pid	Process
1772	rundll32.exe
1772	rundll32.exe
1772	rundll32.exe
1772	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 1772	1924	194da08d62700deae3dfbc9ecbf0fb03.exe	29
PID 1924 wrote to memory of 1772	1924	194da08d62700deae3dfbc9ecbf0fb03.exe	29
PID 1924 wrote to memory of 1772	1924	194da08d62700deae3dfbc9ecbf0fb03.exe	29
PID 1924 wrote to memory of 1772	1924	194da08d62700deae3dfbc9ecbf0fb03.exe	29
PID 1924 wrote to memory of 1772	1924	194da08d62700deae3dfbc9ecbf0fb03.exe	29
PID 1924 wrote to memory of 1772	1924	194da08d62700deae3dfbc9ecbf0fb03.exe	29
PID 1924 wrote to memory of 1772	1924	194da08d62700deae3dfbc9ecbf0fb03.exe	29

C:\Users\Admin\AppData\Local\Temp\194da08d62700deae3dfbc9ecbf0fb03.exe
"C:\Users\Admin\AppData\Local\Temp\194da08d62700deae3dfbc9ecbf0fb03.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\194DA0~1.DLL,s C:\Users\Admin\AppData\Local\Temp\194DA0~1.EXE
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:1772

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1772-70-0x0000000000A50000-0x0000000000BB2000-memory.dmp

Filesize
1.4MB

Download
memory/1924-60-0x0000000076691000-0x0000000076693000-memory.dmp

Filesize
8KB

Download
memory/1924-61-0x0000000003270000-0x0000000003375000-memory.dmp

Filesize
1.0MB

Download
memory/1924-62-0x0000000000400000-0x0000000001860000-memory.dmp

Filesize
20.4MB

Download