d076723f1269a1387c69018f4a3fac024b73176f8403372d06a7d58ade52d64e

General
Target

d076723f1269a1387c69018f4a3fac024b73176f8403372d06a7d58ade52d64e.exe

Filesize

1MB

Completed

21-10-2021 19:43

Score
10/10
MD5

8221e011ca9356d2f6f7126eb13553d1

SHA1

73c2e0986be301d0552b8f6662bd786a85cea382

SHA256

d076723f1269a1387c69018f4a3fac024b73176f8403372d06a7d58ade52d64e

Malware Config

Extracted

Family danabot
C2

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443

Attributes
embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
loader
rsa_pubkey.plain
rsa_privkey.plain
Signatures 6

Filter: none

  • Danabot

    Description

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Danabot Loader Component

    Reported IOCs

    resourceyara_rule
    behavioral1/files/0x000500000001ab8e-119.datDanabotLoader2021
    behavioral1/files/0x000500000001ab8e-121.datDanabotLoader2021
    behavioral1/files/0x000500000001ab8e-120.datDanabotLoader2021
    behavioral1/memory/1676-122-0x0000000004280000-0x00000000043E0000-memory.dmpDanabotLoader2021
  • Blocklisted process makes network request
    rundll32.exe

    Reported IOCs

    flowpidprocess
    321676rundll32.exe
  • Loads dropped DLL
    rundll32.exe

    Reported IOCs

    pidprocess
    1676rundll32.exe
    1676rundll32.exe
  • Drops file in Program Files directory
    rundll32.exe

    Reported IOCs

    descriptioniocprocess
    File createdC:\PROGRA~3\zohplghndapsm.tmprundll32.exe
  • Suspicious use of WriteProcessMemory
    d076723f1269a1387c69018f4a3fac024b73176f8403372d06a7d58ade52d64e.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 1976 wrote to memory of 16761976d076723f1269a1387c69018f4a3fac024b73176f8403372d06a7d58ade52d64e.exerundll32.exe
    PID 1976 wrote to memory of 16761976d076723f1269a1387c69018f4a3fac024b73176f8403372d06a7d58ade52d64e.exerundll32.exe
    PID 1976 wrote to memory of 16761976d076723f1269a1387c69018f4a3fac024b73176f8403372d06a7d58ade52d64e.exerundll32.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\d076723f1269a1387c69018f4a3fac024b73176f8403372d06a7d58ade52d64e.exe
    "C:\Users\Admin\AppData\Local\Temp\d076723f1269a1387c69018f4a3fac024b73176f8403372d06a7d58ade52d64e.exe"
    Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\D07672~1.DLL,s C:\Users\Admin\AppData\Local\Temp\D07672~1.EXE
      Blocklisted process makes network request
      Loads dropped DLL
      Drops file in Program Files directory
      PID:1676
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
          Discovery
            Execution
              Exfiltration
                Impact
                  Initial Access
                    Lateral Movement
                      Persistence
                        Privilege Escalation
                          Replay Monitor
                          00:00 00:00
                          Downloads
                          • C:\Users\Admin\AppData\Local\Temp\D07672~1.DLL

                            MD5

                            dbc387e8a1b2f9803590766272260da2

                            SHA1

                            d7ab66e5b70a896582bc12d9d7f8e3aaa3c1193f

                            SHA256

                            00039f510d60b41b71e22ac2f54185705660eba10253b0767cdb019b04185eeb

                            SHA512

                            28cf0da46adda4546a62c23a7f26679145d1eb77f8974f83d4d3644d066f2f9d8d132017d1a4bfeb196a9fe6c2f568890f87262f3f18a128a188cfd0ce312646

                          • \Users\Admin\AppData\Local\Temp\D07672~1.DLL

                            MD5

                            dbc387e8a1b2f9803590766272260da2

                            SHA1

                            d7ab66e5b70a896582bc12d9d7f8e3aaa3c1193f

                            SHA256

                            00039f510d60b41b71e22ac2f54185705660eba10253b0767cdb019b04185eeb

                            SHA512

                            28cf0da46adda4546a62c23a7f26679145d1eb77f8974f83d4d3644d066f2f9d8d132017d1a4bfeb196a9fe6c2f568890f87262f3f18a128a188cfd0ce312646

                          • \Users\Admin\AppData\Local\Temp\D07672~1.DLL

                            MD5

                            dbc387e8a1b2f9803590766272260da2

                            SHA1

                            d7ab66e5b70a896582bc12d9d7f8e3aaa3c1193f

                            SHA256

                            00039f510d60b41b71e22ac2f54185705660eba10253b0767cdb019b04185eeb

                            SHA512

                            28cf0da46adda4546a62c23a7f26679145d1eb77f8974f83d4d3644d066f2f9d8d132017d1a4bfeb196a9fe6c2f568890f87262f3f18a128a188cfd0ce312646

                          • memory/1676-122-0x0000000004280000-0x00000000043E0000-memory.dmp

                          • memory/1676-118-0x0000000000000000-mapping.dmp

                          • memory/1976-117-0x0000000000400000-0x0000000002FE6000-memory.dmp

                          • memory/1976-116-0x0000000004FB0000-0x00000000050B5000-memory.dmp

                          • memory/1976-115-0x0000000004EC0000-0x0000000004FAE000-memory.dmp