a3d561d70f54d321cfa0cff6eaa7755dfc632a89d9428a77dec6bca602c41e3c

max time kernel150s
max time network114s
platformwindows10_x64
resourcewin10v20210408
submitted04-10-2021 09:00

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

a3d561d70f54d321cfa0cff6eaa7755dfc632a89d9428a77dec6bca602c41e3c.exe

Filesize

1MB

Completed

04-10-2021 09:02

Score

10^/10

MD5

03e5fdc1250c5ee84ae9b36f3c3c71ad

SHA1

ec9b8f0e31741137501bd7a87fed2fc57c2d807e

SHA256

a3d561d70f54d321cfa0cff6eaa7755dfc632a89d9428a77dec6bca602c41e3c

Extracted

Family	danabot
C2	142.11.192.232:443 192.119.110.73:443 142.11.242.31:443 192.210.222.88:443 142.11.192.232:443 192.119.110.73:443 142.11.242.31:443 192.210.222.88:443
Attributes	embedded_hash F4711E27D559B4AEB1A081A1EB0AC465 type loader
rsa_pubkey.plain
rsa_privkey.plain

Danabot

Description

Danabot is a modular banking Trojan that has been linked with other malware.

Tags

trojan banker danabot
Blocklisted process makes network request
rundll32.exe

Reported IOCs

flow pid process

11 904 rundll32.exe
Loads dropped DLL
rundll32.exe

Reported IOCs

pid process

904 rundll32.exe
904 rundll32.exe

flow	pid	process
11	904	rundll32.exe

pid	process
904	rundll32.exe
904	rundll32.exe

Suspicious use of WriteProcessMemory

a3d561d70f54d321cfa0cff6eaa7755dfc632a89d9428a77dec6bca602c41e3c.exe

Reported IOCs

description	pid	process	target process
PID 804 wrote to memory of 904	804	a3d561d70f54d321cfa0cff6eaa7755dfc632a89d9428a77dec6bca602c41e3c.exe	rundll32.exe
PID 804 wrote to memory of 904	804	a3d561d70f54d321cfa0cff6eaa7755dfc632a89d9428a77dec6bca602c41e3c.exe	rundll32.exe
PID 804 wrote to memory of 904	804	a3d561d70f54d321cfa0cff6eaa7755dfc632a89d9428a77dec6bca602c41e3c.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\a3d561d70f54d321cfa0cff6eaa7755dfc632a89d9428a77dec6bca602c41e3c.exe

"C:\Users\Admin\AppData\Local\Temp\a3d561d70f54d321cfa0cff6eaa7755dfc632a89d9428a77dec6bca602c41e3c.exe"

Suspicious use of WriteProcessMemory

PID:804

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\A3D561~1.DLL,s C:\Users\Admin\AppData\Local\Temp\A3D561~1.EXE

Blocklisted process makes network request
Loads dropped DLL

PID:904

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

00:00 00:00

C:\Users\Admin\AppData\Local\Temp\A3D561~1.DLL
MD5
6d7a446be4d1fb9573a8fa0dae1781ac

SHA1
36c505f7839aabd71ca79f3799171cf7e5cc907d

SHA256
6192de430cb9638595f30272769f11a3cd199b611f19a6bdee65458736fc6bb4

SHA512
27bccb8b53a70ee9660a7caf2ab250a9146ddc3674dc74fb86810497a5bb086f56a74b9d2446150444f70b233d0183e32083a53034774502539b6f39e0550b3b

Download Submit
\Users\Admin\AppData\Local\Temp\A3D561~1.DLL
MD5
6d7a446be4d1fb9573a8fa0dae1781ac

SHA1
36c505f7839aabd71ca79f3799171cf7e5cc907d

SHA256
6192de430cb9638595f30272769f11a3cd199b611f19a6bdee65458736fc6bb4

SHA512
27bccb8b53a70ee9660a7caf2ab250a9146ddc3674dc74fb86810497a5bb086f56a74b9d2446150444f70b233d0183e32083a53034774502539b6f39e0550b3b

Download Submit
\Users\Admin\AppData\Local\Temp\A3D561~1.DLL
MD5
6d7a446be4d1fb9573a8fa0dae1781ac

SHA1
36c505f7839aabd71ca79f3799171cf7e5cc907d

SHA256
6192de430cb9638595f30272769f11a3cd199b611f19a6bdee65458736fc6bb4

SHA512
27bccb8b53a70ee9660a7caf2ab250a9146ddc3674dc74fb86810497a5bb086f56a74b9d2446150444f70b233d0183e32083a53034774502539b6f39e0550b3b

Download Submit
memory/804-114-0x0000000000980000-0x0000000000A88000-memory.dmp

Download
memory/804-116-0x0000000000400000-0x0000000000536000-memory.dmp

Download
memory/904-115-0x0000000000000000-mapping.dmp

Download
memory/904-120-0x0000000000CD0000-0x0000000000E33000-memory.dmp

Download

a3d561d70f54d321cfa0cff6eaa7755dfc632a89d9428a77dec6bca602c41e3c

Extracted

Filter: none

Description

Tags

Reported IOCs

Reported IOCs

Reported IOCs

Title