danabot | f6f17df29850bf734970fd18cc9c8fbf1e7cc901c2f0a823b1743c5866394254

General

Target

194da08d62700deae3dfbc9ecbf0fb03.exe
Size

1.2MB
MD5

194da08d62700deae3dfbc9ecbf0fb03
SHA1

e7385bf842b7a8e72227fa9b98454ea4841d980a
SHA256

f6f17df29850bf734970fd18cc9c8fbf1e7cc901c2f0a823b1743c5866394254
SHA512

e56c674f9116e8c5cf1eb4cac434b7347eaaeb4392b5af229dee6f9bcd3f07b530c78223c020f62ce3df6ae4f02ed3051cdea6b3b44d15dc7b40d60c8128e211

Score

10^/10

danabot banker trojan

Malware Config

Extracted

Family

danabot

C2

23.229.29.48:443

5.9.224.204:443

192.255.166.212:443

Attributes

embedded_hash
0E1A7A1479C37094441FA911262B322A

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\194DA0~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\194DA0~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\194DA0~1.DLL	DanabotLoader2021
behavioral2/memory/4884-121-0x0000000000D60000-0x0000000000EC2000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

13 4884 rundll32.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

4884 rundll32.exe
4884 rundll32.exe

flow	pid	process
13	4884	rundll32.exe

pid	process
4884	rundll32.exe
4884	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

194da08d62700deae3dfbc9ecbf0fb03.exe

description	pid	process	target process
PID 4564 wrote to memory of 4884	4564	194da08d62700deae3dfbc9ecbf0fb03.exe	rundll32.exe
PID 4564 wrote to memory of 4884	4564	194da08d62700deae3dfbc9ecbf0fb03.exe	rundll32.exe
PID 4564 wrote to memory of 4884	4564	194da08d62700deae3dfbc9ecbf0fb03.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\194da08d62700deae3dfbc9ecbf0fb03.exe
"C:\Users\Admin\AppData\Local\Temp\194da08d62700deae3dfbc9ecbf0fb03.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4564

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\194DA0~1.DLL,s C:\Users\Admin\AppData\Local\Temp\194DA0~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:4884

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\194DA0~1.DLL
MD5
9b599a6da5eb6331111c4c9acdbe7628

SHA1
c54f621ca83940e2bf7c10ea175bacfd82a43669

SHA256
ca1713b114f47b49cdba0b320e66f96f9fa4f5d08210454cfe25c6935fc15393

SHA512
b7261b2618e3412fbde232a221ff2470226249241b0b15de0a62a3399ecf92aa4cbae5ce42c45d9471f10b92673868a5d27e5fd58fca06f35dab9f68232ca8e2

Download Submit
\Users\Admin\AppData\Local\Temp\194DA0~1.DLL
MD5
9b599a6da5eb6331111c4c9acdbe7628

SHA1
c54f621ca83940e2bf7c10ea175bacfd82a43669

SHA256
ca1713b114f47b49cdba0b320e66f96f9fa4f5d08210454cfe25c6935fc15393

SHA512
b7261b2618e3412fbde232a221ff2470226249241b0b15de0a62a3399ecf92aa4cbae5ce42c45d9471f10b92673868a5d27e5fd58fca06f35dab9f68232ca8e2

Download Submit
\Users\Admin\AppData\Local\Temp\194DA0~1.DLL
MD5
9b599a6da5eb6331111c4c9acdbe7628

SHA1
c54f621ca83940e2bf7c10ea175bacfd82a43669

SHA256
ca1713b114f47b49cdba0b320e66f96f9fa4f5d08210454cfe25c6935fc15393

SHA512
b7261b2618e3412fbde232a221ff2470226249241b0b15de0a62a3399ecf92aa4cbae5ce42c45d9471f10b92673868a5d27e5fd58fca06f35dab9f68232ca8e2

Download Submit
memory/4564-115-0x0000000003770000-0x0000000003875000-memory.dmp

Filesize
1.0MB

Download
memory/4564-116-0x0000000000400000-0x0000000001860000-memory.dmp

Filesize
20.4MB

Download
memory/4884-117-0x0000000000000000-mapping.dmp

Download
memory/4884-121-0x0000000000D60000-0x0000000000EC2000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing