danabot | c760fba5a180e35fa541e41bbe97de9ed8afe111bb8dc295a04f4afdb6783813

General

Target

c760fba5a180e35fa541e41bbe97de9ed8afe111bb8dc295a04f4afdb6783813.exe
Size

1.0MB
MD5

213c0f7fb89f43365b974b25dd5fdedd
SHA1

69e2111d470af96c7ce42c55d3b503fffc8241df
SHA256

c760fba5a180e35fa541e41bbe97de9ed8afe111bb8dc295a04f4afdb6783813
SHA512

c8671d77804a70793b1d3b1a96cebd5cb9729626a7d1caeaa4e7ef19cc140b7fe1da1672d78a3d965e5e4b655d3f1f5f7712bf69eff71237187021dcef70e95d

Score

10^/10

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\C760FB~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\C760FB~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\C760FB~1.DLL	DanabotLoader2021
behavioral1/memory/2468-121-0x0000000004190000-0x00000000042F3000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

7 2468 rundll32.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

2468 rundll32.exe
2468 rundll32.exe

flow	pid	process
7	2468	rundll32.exe

pid	process
2468	rundll32.exe
2468	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

c760fba5a180e35fa541e41bbe97de9ed8afe111bb8dc295a04f4afdb6783813.exe

description	pid	process	target process
PID 2208 wrote to memory of 2468	2208	c760fba5a180e35fa541e41bbe97de9ed8afe111bb8dc295a04f4afdb6783813.exe	rundll32.exe
PID 2208 wrote to memory of 2468	2208	c760fba5a180e35fa541e41bbe97de9ed8afe111bb8dc295a04f4afdb6783813.exe	rundll32.exe
PID 2208 wrote to memory of 2468	2208	c760fba5a180e35fa541e41bbe97de9ed8afe111bb8dc295a04f4afdb6783813.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\c760fba5a180e35fa541e41bbe97de9ed8afe111bb8dc295a04f4afdb6783813.exe
"C:\Users\Admin\AppData\Local\Temp\c760fba5a180e35fa541e41bbe97de9ed8afe111bb8dc295a04f4afdb6783813.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2208

C:\Users\Admin\AppData\Local\Temp\C760FB~1.DLL
MD5
3ba252dc610351e13b1f6e947ccde14d

SHA1
c095cc9aaaff31dbe20470b99f6203b0a7ee030f

SHA256
c894a5bdd1684a89c3576dff3476ec3b64e473faba387620356c422a5069bb77

SHA512
c1bc81fe90301028ec10964d9d0ee6dc3398e9c3e064d0e4dad3255934bb2d614cec696a4d53a6b10c1a4f573bbb7c16c95086d510727271ebc8692c12a1961d

Download Submit
\Users\Admin\AppData\Local\Temp\C760FB~1.DLL
MD5
3ba252dc610351e13b1f6e947ccde14d

SHA1
c095cc9aaaff31dbe20470b99f6203b0a7ee030f

SHA256
c894a5bdd1684a89c3576dff3476ec3b64e473faba387620356c422a5069bb77

SHA512
c1bc81fe90301028ec10964d9d0ee6dc3398e9c3e064d0e4dad3255934bb2d614cec696a4d53a6b10c1a4f573bbb7c16c95086d510727271ebc8692c12a1961d

Download Submit
\Users\Admin\AppData\Local\Temp\C760FB~1.DLL
MD5
3ba252dc610351e13b1f6e947ccde14d

SHA1
c095cc9aaaff31dbe20470b99f6203b0a7ee030f

SHA256
c894a5bdd1684a89c3576dff3476ec3b64e473faba387620356c422a5069bb77

SHA512
c1bc81fe90301028ec10964d9d0ee6dc3398e9c3e064d0e4dad3255934bb2d614cec696a4d53a6b10c1a4f573bbb7c16c95086d510727271ebc8692c12a1961d

Download Submit
memory/2208-116-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2208-115-0x0000000002540000-0x0000000002646000-memory.dmp

Filesize
1.0MB

Download
memory/2468-117-0x0000000000000000-mapping.dmp

Download
memory/2468-121-0x0000000004190000-0x00000000042F3000-memory.dmp

Filesize
1.4MB

Download