danabot | 48a21edaff352d53605463841f739415187971b3dd2bf0feed7f5c922b949104

General

Target

48a21edaff352d53605463841f739415187971b3dd2bf0feed7f5c922b949104.exe
Size

1.0MB
MD5

ade05fb522e755083b91765182a61b3b
SHA1

590c4e1c7da966ed3d5e47b373a0b7906926eb64
SHA256

48a21edaff352d53605463841f739415187971b3dd2bf0feed7f5c922b949104
SHA512

e6ba593bc31fb568bb8f9f6486ca6f2682dd77f689e9d9c9c9d6dc6d387a265cfe3fd1fc91a6c427e52a89d2c4a9f3fa60c40c023fa47c02c93f46f8b44f5755

Score

10^/10

Family

danabot

C2

23.254.144.209:443

192.236.194.86:443

142.11.192.232:443

Attributes

rsa_privkey.plain

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\48A21E~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\48A21E~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\48A21E~1.DLL	DanabotLoader2021
behavioral1/memory/1896-120-0x0000000004710000-0x0000000004873000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

7 1896 rundll32.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

1896 rundll32.exe
1896 rundll32.exe

flow	pid	process
7	1896	rundll32.exe

pid	process
1896	rundll32.exe
1896	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

48a21edaff352d53605463841f739415187971b3dd2bf0feed7f5c922b949104.exe

description	pid	process	target process
PID 1832 wrote to memory of 1896	1832	48a21edaff352d53605463841f739415187971b3dd2bf0feed7f5c922b949104.exe	rundll32.exe
PID 1832 wrote to memory of 1896	1832	48a21edaff352d53605463841f739415187971b3dd2bf0feed7f5c922b949104.exe	rundll32.exe
PID 1832 wrote to memory of 1896	1832	48a21edaff352d53605463841f739415187971b3dd2bf0feed7f5c922b949104.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\48a21edaff352d53605463841f739415187971b3dd2bf0feed7f5c922b949104.exe
"C:\Users\Admin\AppData\Local\Temp\48a21edaff352d53605463841f739415187971b3dd2bf0feed7f5c922b949104.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1832

C:\Users\Admin\AppData\Local\Temp\48A21E~1.DLL
MD5
2286c9351b1946fe7ec4e567045a332c

SHA1
f603c7f6cf3fc134732f6371707ce98c21ae307b

SHA256
f14b7722c44f6313086036dbca6b83b42ef0e082c61c3a97b674831fdfa6b56c

SHA512
80ea88e52d4ec3c74a53ef711e0e67203a7e80973bca1b042abc7d83a23c51d090360ae88ddcef7a4597b1aa7f6b5ad487e03b4be5a8fd12fb699ac54928fc12

Download Submit
\Users\Admin\AppData\Local\Temp\48A21E~1.DLL
MD5
2286c9351b1946fe7ec4e567045a332c

SHA1
f603c7f6cf3fc134732f6371707ce98c21ae307b

SHA256
f14b7722c44f6313086036dbca6b83b42ef0e082c61c3a97b674831fdfa6b56c

SHA512
80ea88e52d4ec3c74a53ef711e0e67203a7e80973bca1b042abc7d83a23c51d090360ae88ddcef7a4597b1aa7f6b5ad487e03b4be5a8fd12fb699ac54928fc12

Download Submit
\Users\Admin\AppData\Local\Temp\48A21E~1.DLL
MD5
2286c9351b1946fe7ec4e567045a332c

SHA1
f603c7f6cf3fc134732f6371707ce98c21ae307b

SHA256
f14b7722c44f6313086036dbca6b83b42ef0e082c61c3a97b674831fdfa6b56c

SHA512
80ea88e52d4ec3c74a53ef711e0e67203a7e80973bca1b042abc7d83a23c51d090360ae88ddcef7a4597b1aa7f6b5ad487e03b4be5a8fd12fb699ac54928fc12

Download Submit
memory/1832-115-0x0000000002540000-0x0000000002646000-memory.dmp

Filesize
1.0MB

Download
memory/1832-121-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1896-116-0x0000000000000000-mapping.dmp

Download
memory/1896-120-0x0000000004710000-0x0000000004873000-memory.dmp

Filesize
1.4MB

Download