danabot | fc3bbac32a466177b1575504b966baf11e8b7c3aafc4f755818591fb35aaf5d4

General

Target

fc3bbac32a466177b1575504b966baf11e8b7c3aafc4f755818591fb35aaf5d4.exe
Size

1.8MB
MD5

ab31c2d598849285e601ef678552ee29
SHA1

e732ba422aa5a6c6abc13685e7cda9ac7d43b1a5
SHA256

fc3bbac32a466177b1575504b966baf11e8b7c3aafc4f755818591fb35aaf5d4
SHA512

a3069dc5aff9e084a4a1c3e088837d3c46ca6c812ed1c2ed85cb3aac5e6785d57a5444dec71ba8a98084015a30faf9abf7b2e43ea97cf5a00ef96b0c00241eb2

Score

10^/10

danabot banker trojan

Malware Config

Extracted

Family

danabot

C2

192.119.110.73:443

192.236.192.201:443

Attributes

embedded_hash
0FA95F120D6EB149A5D48E36BC76879D
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\FC3BBA~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\FC3BBA~1.DLL	DanabotLoader2021

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 4180 created 4200 4180 WerFault.exe fc3bbac32a466177b1575504b966baf11e8b7c3aafc4f755818591fb35aaf5d4.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

856 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4180 4200 WerFault.exe fc3bbac32a466177b1575504b966baf11e8b7c3aafc4f755818591fb35aaf5d4.exe

description	pid	process	target process
PID 4180 created 4200	4180	WerFault.exe	fc3bbac32a466177b1575504b966baf11e8b7c3aafc4f755818591fb35aaf5d4.exe

pid	process
856	rundll32.exe

pid	pid_target	process	target process
4180	4200	WerFault.exe	fc3bbac32a466177b1575504b966baf11e8b7c3aafc4f755818591fb35aaf5d4.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe
4180	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 4180 WerFault.exe
Token: SeBackupPrivilege 4180 WerFault.exe
Token: SeDebugPrivilege 4180 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	4180	WerFault.exe
Token: SeBackupPrivilege	4180	WerFault.exe
Token: SeDebugPrivilege	4180	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

fc3bbac32a466177b1575504b966baf11e8b7c3aafc4f755818591fb35aaf5d4.exe

description	pid	process	target process
PID 4200 wrote to memory of 856	4200	fc3bbac32a466177b1575504b966baf11e8b7c3aafc4f755818591fb35aaf5d4.exe	rundll32.exe
PID 4200 wrote to memory of 856	4200	fc3bbac32a466177b1575504b966baf11e8b7c3aafc4f755818591fb35aaf5d4.exe	rundll32.exe
PID 4200 wrote to memory of 856	4200	fc3bbac32a466177b1575504b966baf11e8b7c3aafc4f755818591fb35aaf5d4.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\fc3bbac32a466177b1575504b966baf11e8b7c3aafc4f755818591fb35aaf5d4.exe
"C:\Users\Admin\AppData\Local\Temp\fc3bbac32a466177b1575504b966baf11e8b7c3aafc4f755818591fb35aaf5d4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4200

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\FC3BBA~1.DLL,s C:\Users\Admin\AppData\Local\Temp\FC3BBA~1.EXE
2⤵
- Loads dropped DLL
PID:856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 548
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4180

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FC3BBA~1.DLL
MD5
1d61e6d66a932bd69d83ecbcf1a85ebc

SHA1
efae22fde3ff79cf705152b9c9a210c75caa458d

SHA256
eb4d78d71127ab905d68fd8c84d650737d4f393be69da2f174475f853d5eb41f

SHA512
065d0bc652c4f2a70d5dda4aedddce860ff15e8900cf0edc3f13ccdb947b3eaa3ada4e4845282d2a364bd80e9659db95e0c5f2bc1dfc44a1f6e9c448740a1c46

Download Submit
\Users\Admin\AppData\Local\Temp\FC3BBA~1.DLL
MD5
1d61e6d66a932bd69d83ecbcf1a85ebc

SHA1
efae22fde3ff79cf705152b9c9a210c75caa458d

SHA256
eb4d78d71127ab905d68fd8c84d650737d4f393be69da2f174475f853d5eb41f

SHA512
065d0bc652c4f2a70d5dda4aedddce860ff15e8900cf0edc3f13ccdb947b3eaa3ada4e4845282d2a364bd80e9659db95e0c5f2bc1dfc44a1f6e9c448740a1c46

Download Submit
memory/856-121-0x0000000000000000-mapping.dmp

Download
memory/4200-118-0x0000000002FAF000-0x000000000313F000-memory.dmp

Filesize
1.6MB

Download
memory/4200-119-0x0000000003140000-0x00000000032E7000-memory.dmp

Filesize
1.7MB

Download
memory/4200-120-0x0000000000400000-0x0000000001207000-memory.dmp

Filesize
14.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads