Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    139s
  • max time network
    141s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    18-11-2021 18:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fc3bbac32a466177b1575504b966baf11e8b7c3aafc4f755818591fb35aaf5d4.exe

  • Size

    1.8MB

  • MD5

    ab31c2d598849285e601ef678552ee29

  • SHA1

    e732ba422aa5a6c6abc13685e7cda9ac7d43b1a5

  • SHA256

    fc3bbac32a466177b1575504b966baf11e8b7c3aafc4f755818591fb35aaf5d4

  • SHA512

    a3069dc5aff9e084a4a1c3e088837d3c46ca6c812ed1c2ed85cb3aac5e6785d57a5444dec71ba8a98084015a30faf9abf7b2e43ea97cf5a00ef96b0c00241eb2

Score
10/10
danabotbankertrojan

Malware Config

Extracted

Family

danabot

C2

192.119.110.73:443

192.236.192.201:443
Attributes
  • embedded_hash

    0FA95F120D6EB149A5D48E36BC76879D

  • type

    loader

rsa_pubkey.plain
rsa_privkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Danabot Loader Component 2 IoCs
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fc3bbac32a466177b1575504b966baf11e8b7c3aafc4f755818591fb35aaf5d4.exe
    "C:\Users\Admin\AppData\Local\Temp\fc3bbac32a466177b1575504b966baf11e8b7c3aafc4f755818591fb35aaf5d4.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4200
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\FC3BBA~1.DLL,s C:\Users\Admin\AppData\Local\Temp\FC3BBA~1.EXE
      2⤵
      • Loads dropped DLL
      PID:856
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 548
      2⤵
      • Suspicious use of NtCreateProcessExOtherParentProcess
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4180

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4200-118-0x0000000002FAF000-0x000000000313F000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4200-119-0x0000000003140000-0x00000000032E7000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4200-120-0x0000000000400000-0x0000000001207000-memory.dmp

    Filesize

    14.0MB

    Download