danabot | 951b94f3bb2bf01cf26d5b55dbc6a7a21864bc552c649a9750fc67076276e2b1

General

Target

951b94f3bb2bf01cf26d5b55dbc6a7a21864bc552c649a9750fc67076276e2b1.exe
Size

1.8MB
MD5

a950ef033197897455d5fb2bbedd6f0d
SHA1

7b5162ff77988cc82c316d8409dc8084f6713efb
SHA256

951b94f3bb2bf01cf26d5b55dbc6a7a21864bc552c649a9750fc67076276e2b1
SHA512

199e60ae2a77b4dfdbba3dd45ad670442040812865ee8775fa0402a372bee25dbfc564056e7da9ddf4a8b78571a482b09fc20bb626f3de80cda2b42912a0ea68

Score

10^/10

danabot banker trojan

Malware Config

Extracted

Family

danabot

C2

142.11.244.223:443

23.106.122.139:443

Attributes

embedded_hash
0FA95F120D6EB149A5D48E36BC76879D
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\951B94~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\951B94~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\951B94~1.DLL	DanabotLoader2021
behavioral1/memory/812-125-0x0000000004250000-0x00000000044CA000-memory.dmp	DanabotLoader2021

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1244 created 1852 1244 WerFault.exe 951b94f3bb2bf01cf26d5b55dbc6a7a21864bc552c649a9750fc67076276e2b1.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

812 rundll32.exe
812 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1244 1852 WerFault.exe 951b94f3bb2bf01cf26d5b55dbc6a7a21864bc552c649a9750fc67076276e2b1.exe

description	pid	process	target process
PID 1244 created 1852	1244	WerFault.exe	951b94f3bb2bf01cf26d5b55dbc6a7a21864bc552c649a9750fc67076276e2b1.exe

pid	process
812	rundll32.exe
812	rundll32.exe

pid	pid_target	process	target process
1244	1852	WerFault.exe	951b94f3bb2bf01cf26d5b55dbc6a7a21864bc552c649a9750fc67076276e2b1.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
1244	WerFault.exe
1244	WerFault.exe
1244	WerFault.exe
1244	WerFault.exe
1244	WerFault.exe
1244	WerFault.exe
1244	WerFault.exe
1244	WerFault.exe
1244	WerFault.exe
1244	WerFault.exe
1244	WerFault.exe
1244	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1244 WerFault.exe
Token: SeBackupPrivilege 1244 WerFault.exe
Token: SeDebugPrivilege 1244 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	1244	WerFault.exe
Token: SeBackupPrivilege	1244	WerFault.exe
Token: SeDebugPrivilege	1244	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

951b94f3bb2bf01cf26d5b55dbc6a7a21864bc552c649a9750fc67076276e2b1.exe

description	pid	process	target process
PID 1852 wrote to memory of 812	1852	951b94f3bb2bf01cf26d5b55dbc6a7a21864bc552c649a9750fc67076276e2b1.exe	rundll32.exe
PID 1852 wrote to memory of 812	1852	951b94f3bb2bf01cf26d5b55dbc6a7a21864bc552c649a9750fc67076276e2b1.exe	rundll32.exe
PID 1852 wrote to memory of 812	1852	951b94f3bb2bf01cf26d5b55dbc6a7a21864bc552c649a9750fc67076276e2b1.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\951b94f3bb2bf01cf26d5b55dbc6a7a21864bc552c649a9750fc67076276e2b1.exe
"C:\Users\Admin\AppData\Local\Temp\951b94f3bb2bf01cf26d5b55dbc6a7a21864bc552c649a9750fc67076276e2b1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\951B94~1.DLL,s C:\Users\Admin\AppData\Local\Temp\951B94~1.EXE
2⤵
- Loads dropped DLL
PID:812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 560
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1244

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\951B94~1.DLL
MD5
6a771db3dd8990ef3833551de28a6d7b

SHA1
5ac5f19c2b59539af0c46d57d05a8d6d34972fe1

SHA256
83caf30c1a592789678cf680d79d36c952b826ad202c963d4ddfcb9c7a555e4f

SHA512
f2c6de88b7b89b16f30d9997f436d4d4def78fa777e1fd53fcba3ee35efe97ed459611dbdaac4b933df856f1c6b3ebd196fd3c7d3ff6d067b62e93ba76bcc34f

Download Submit
\Users\Admin\AppData\Local\Temp\951B94~1.DLL
MD5
6a771db3dd8990ef3833551de28a6d7b

SHA1
5ac5f19c2b59539af0c46d57d05a8d6d34972fe1

SHA256
83caf30c1a592789678cf680d79d36c952b826ad202c963d4ddfcb9c7a555e4f

SHA512
f2c6de88b7b89b16f30d9997f436d4d4def78fa777e1fd53fcba3ee35efe97ed459611dbdaac4b933df856f1c6b3ebd196fd3c7d3ff6d067b62e93ba76bcc34f

Download Submit
\Users\Admin\AppData\Local\Temp\951B94~1.DLL
MD5
6a771db3dd8990ef3833551de28a6d7b

SHA1
5ac5f19c2b59539af0c46d57d05a8d6d34972fe1

SHA256
83caf30c1a592789678cf680d79d36c952b826ad202c963d4ddfcb9c7a555e4f

SHA512
f2c6de88b7b89b16f30d9997f436d4d4def78fa777e1fd53fcba3ee35efe97ed459611dbdaac4b933df856f1c6b3ebd196fd3c7d3ff6d067b62e93ba76bcc34f

Download Submit
memory/812-121-0x0000000000000000-mapping.dmp

Download
memory/812-125-0x0000000004250000-0x00000000044CA000-memory.dmp

Filesize
2.5MB

Download
memory/1852-118-0x0000000003C52000-0x0000000003DE1000-memory.dmp

Filesize
1.6MB

Download
memory/1852-120-0x0000000000400000-0x0000000001D7F000-memory.dmp

Filesize
25.5MB

Download
memory/1852-119-0x0000000003DF0000-0x0000000003F96000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads