Analysis

  • max time kernel
    136s
  • max time network
    185s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    14-09-2021 11:40

General

  • Target

    194da08d62700deae3dfbc9ecbf0fb03.exe

  • Size

    1.2MB

  • MD5

    194da08d62700deae3dfbc9ecbf0fb03

  • SHA1

    e7385bf842b7a8e72227fa9b98454ea4841d980a

  • SHA256

    f6f17df29850bf734970fd18cc9c8fbf1e7cc901c2f0a823b1743c5866394254

  • SHA512

    e56c674f9116e8c5cf1eb4cac434b7347eaaeb4392b5af229dee6f9bcd3f07b530c78223c020f62ce3df6ae4f02ed3051cdea6b3b44d15dc7b40d60c8128e211

Score
10/10

Malware Config

Extracted

Family

danabot

C2

23.229.29.48:443

5.9.224.204:443

192.255.166.212:443

Attributes
  • embedded_hash

    0E1A7A1479C37094441FA911262B322A

rsa_pubkey.plain
rsa_privkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Danabot Loader Component 6 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\194da08d62700deae3dfbc9ecbf0fb03.exe
    "C:\Users\Admin\AppData\Local\Temp\194da08d62700deae3dfbc9ecbf0fb03.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\194DA0~1.DLL,s C:\Users\Admin\AppData\Local\Temp\194DA0~1.EXE
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      PID:1772

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\194DA0~1.DLL
    MD5

    8f8f39712be1cbff8021212a2664c13c

    SHA1

    440cb08b24c35e8bb68fac0c935244cf364af43f

    SHA256

    f5f6918b80c7d3af4130fc3b4c16b3557d66d055f701112809a1b5442da2a12d

    SHA512

    34fc25caae888c12c64a600478f5e3757ed37b316c08c4315626c8f17d84ab6aa66d3a66fe5eaeb132d99de1799c14f5b0e088a944c2c2f5b76b3f1c4eef43d2

  • \Users\Admin\AppData\Local\Temp\194DA0~1.DLL
    MD5

    8f8f39712be1cbff8021212a2664c13c

    SHA1

    440cb08b24c35e8bb68fac0c935244cf364af43f

    SHA256

    f5f6918b80c7d3af4130fc3b4c16b3557d66d055f701112809a1b5442da2a12d

    SHA512

    34fc25caae888c12c64a600478f5e3757ed37b316c08c4315626c8f17d84ab6aa66d3a66fe5eaeb132d99de1799c14f5b0e088a944c2c2f5b76b3f1c4eef43d2

  • \Users\Admin\AppData\Local\Temp\194DA0~1.DLL
    MD5

    8f8f39712be1cbff8021212a2664c13c

    SHA1

    440cb08b24c35e8bb68fac0c935244cf364af43f

    SHA256

    f5f6918b80c7d3af4130fc3b4c16b3557d66d055f701112809a1b5442da2a12d

    SHA512

    34fc25caae888c12c64a600478f5e3757ed37b316c08c4315626c8f17d84ab6aa66d3a66fe5eaeb132d99de1799c14f5b0e088a944c2c2f5b76b3f1c4eef43d2

  • \Users\Admin\AppData\Local\Temp\194DA0~1.DLL
    MD5

    8f8f39712be1cbff8021212a2664c13c

    SHA1

    440cb08b24c35e8bb68fac0c935244cf364af43f

    SHA256

    f5f6918b80c7d3af4130fc3b4c16b3557d66d055f701112809a1b5442da2a12d

    SHA512

    34fc25caae888c12c64a600478f5e3757ed37b316c08c4315626c8f17d84ab6aa66d3a66fe5eaeb132d99de1799c14f5b0e088a944c2c2f5b76b3f1c4eef43d2

  • \Users\Admin\AppData\Local\Temp\194DA0~1.DLL
    MD5

    8f8f39712be1cbff8021212a2664c13c

    SHA1

    440cb08b24c35e8bb68fac0c935244cf364af43f

    SHA256

    f5f6918b80c7d3af4130fc3b4c16b3557d66d055f701112809a1b5442da2a12d

    SHA512

    34fc25caae888c12c64a600478f5e3757ed37b316c08c4315626c8f17d84ab6aa66d3a66fe5eaeb132d99de1799c14f5b0e088a944c2c2f5b76b3f1c4eef43d2

  • memory/1772-63-0x0000000000000000-mapping.dmp
  • memory/1772-70-0x0000000000A50000-0x0000000000BB2000-memory.dmp
    Filesize

    1.4MB

  • memory/1924-60-0x0000000076691000-0x0000000076693000-memory.dmp
    Filesize

    8KB

  • memory/1924-61-0x0000000003270000-0x0000000003375000-memory.dmp
    Filesize

    1.0MB

  • memory/1924-62-0x0000000000400000-0x0000000001860000-memory.dmp
    Filesize

    20.4MB