danabot | 1e0e448f97ce5a43facdae2ffec3d6a47fccea0810813045dfe633b0f88a8adb

General

Target

1e0e448f97ce5a43facdae2ffec3d6a47fccea0810813045dfe633b0f88a8adb.exe
Size

1.7MB
MD5

20452164317009d2812bd3c2b6dd3792
SHA1

228ca1c489d432b875d4a1a19f0aaed26c249ba0
SHA256

1e0e448f97ce5a43facdae2ffec3d6a47fccea0810813045dfe633b0f88a8adb
SHA512

c8c2340735a3a49d48090bcac43682b82cd67fc24b4d5f4615a9e40d33cbe9d46f43c28102a8abbaf2270e7f238f31b8cdd637c69cd0ebe318fe001302042676

Score

10^/10

danabot banker trojan

Malware Config

Extracted

Family

danabot

C2

192.119.110.73:443

192.236.192.201:443

Attributes

embedded_hash
0FA95F120D6EB149A5D48E36BC76879D
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1E0E44~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\1E0E44~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\1E0E44~1.DLL	DanabotLoader2021
behavioral1/memory/916-125-0x0000000003F30000-0x00000000041AD000-memory.dmp	DanabotLoader2021

Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

916 rundll32.exe
916 rundll32.exe

pid	process
916	rundll32.exe
916	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

1e0e448f97ce5a43facdae2ffec3d6a47fccea0810813045dfe633b0f88a8adb.exe

description	pid	process	target process
PID 4484 wrote to memory of 916	4484	1e0e448f97ce5a43facdae2ffec3d6a47fccea0810813045dfe633b0f88a8adb.exe	rundll32.exe
PID 4484 wrote to memory of 916	4484	1e0e448f97ce5a43facdae2ffec3d6a47fccea0810813045dfe633b0f88a8adb.exe	rundll32.exe
PID 4484 wrote to memory of 916	4484	1e0e448f97ce5a43facdae2ffec3d6a47fccea0810813045dfe633b0f88a8adb.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\1e0e448f97ce5a43facdae2ffec3d6a47fccea0810813045dfe633b0f88a8adb.exe
"C:\Users\Admin\AppData\Local\Temp\1e0e448f97ce5a43facdae2ffec3d6a47fccea0810813045dfe633b0f88a8adb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\1E0E44~1.DLL,s C:\Users\Admin\AppData\Local\Temp\1E0E44~1.EXE
  2⤵
  - Loads dropped DLL
  PID:916

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1E0E44~1.DLL

MD5
34ee565aaf28e2e6020cc481f3c40524

SHA1
5768f9a755bc0efebca294af5c6f69ebd03163a7

SHA256
4c3e7a35e9ab3f6950355f0137eea26f2b100922f713d1779c98ba21d3ce5e6d

SHA512
9391edeae403fc9c922f770eca9b72ef00e71eb0db201556e2ea4fae67026c2854d258b9b26043ecf956872047a3362bec6784ff7a428a8cfc7ecc42a6db8962

Download Submit
\Users\Admin\AppData\Local\Temp\1E0E44~1.DLL

MD5
34ee565aaf28e2e6020cc481f3c40524

SHA1
5768f9a755bc0efebca294af5c6f69ebd03163a7

SHA256
4c3e7a35e9ab3f6950355f0137eea26f2b100922f713d1779c98ba21d3ce5e6d

SHA512
9391edeae403fc9c922f770eca9b72ef00e71eb0db201556e2ea4fae67026c2854d258b9b26043ecf956872047a3362bec6784ff7a428a8cfc7ecc42a6db8962

Download Submit
\Users\Admin\AppData\Local\Temp\1E0E44~1.DLL

MD5
34ee565aaf28e2e6020cc481f3c40524

SHA1
5768f9a755bc0efebca294af5c6f69ebd03163a7

SHA256
4c3e7a35e9ab3f6950355f0137eea26f2b100922f713d1779c98ba21d3ce5e6d

SHA512
9391edeae403fc9c922f770eca9b72ef00e71eb0db201556e2ea4fae67026c2854d258b9b26043ecf956872047a3362bec6784ff7a428a8cfc7ecc42a6db8962

Download Submit
memory/916-121-0x0000000000000000-mapping.dmp

Download
memory/916-125-0x0000000003F30000-0x00000000041AD000-memory.dmp

Filesize
2.5MB

Download
memory/4484-119-0x0000000002810000-0x00000000029B7000-memory.dmp

Filesize
1.7MB

Download
memory/4484-118-0x0000000002680000-0x0000000002810000-memory.dmp

Filesize
1.6MB

Download
memory/4484-120-0x0000000000400000-0x00000000005B3000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing