89a79bf235fd3a402b5cdc29e58ce1a0e56ddf23f2cb2604b44ab1570e608fdd

General
Target: 89a79bf235fd3a402b5cdc29e58ce1a0e56ddf23f2cb2604b44ab1570e608fdd.dll
Filesize: 1MB
Completed: 25-11-2021 16:46
Score: 10/10
MD5: 6d9f899e26ce787bfa696e85583d49e1
SHA1: 183496c077b1efdff28a1db820d461b5a4462c3c
SHA256: 89a79bf235fd3a402b5cdc29e58ce1a0e56ddf23f2cb2604b44ab1570e608fdd

Malware Config

Extracted

Family: danabot
C2:
  185.117.90.36:443
  193.42.36.59:443
  193.56.146.53:443
  185.106.123.228:443

Attributes
  embedded_hash: 07284E2A3AB3C2E1FFFBD425849BE150
  type: loader
  rsa_pubkey.plain
  rsa_privkey.plain
Signatures 4

  • Danabot

    Description

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Danabot Loader Component

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/4092-120-0x0000000000400000-0x0000000000560000-memory.dmp | DanabotLoader2021
    behavioral1/memory/4092-121-0x0000000000400000-0x00000000005F4000-memory.dmp | DanabotLoader2021
  • Blocklisted process makes network request
    rundll32.exe

    Reported IOCs

    flow | pid  | process
    24   | 4092 | rundll32.exe
  • Suspicious use of WriteProcessMemory
    rundll32.exe

    Reported IOCs

    description | pid | process | target process
    PID 4296 wrote to memory of 4092 | 4296 | rundll32.exe | rundll32.exe
    PID 4296 wrote to memory of 4092 | 4296 | rundll32.exe | rundll32.exe
    PID 4296 wrote to memory of 4092 | 4296 | rundll32.exe | rundll32.exe
Processes 2
  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\89a79bf235fd3a402b5cdc29e58ce1a0e56ddf23f2cb2604b44ab1570e608fdd.dll,#1
    Suspicious use of WriteProcessMemory
    PID: 4296
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\89a79bf235fd3a402b5cdc29e58ce1a0e56ddf23f2cb2604b44ab1570e608fdd.dll,#1
      Blocklisted process makes network request
      PID: 4092
Network
MITRE ATT&CK Matrix
Collection | Command and Control | Credential Access | Defense Evasion | Discovery | Execution | Exfiltration | Impact | Initial Access | Lateral Movement | Persistence | Privilege Escalation
Downloads
  • memory/4092-118-0x0000000000000000-mapping.dmp
  • memory/4092-119-0x0000000000400000-0x00000000005F4000-memory.dmp
  • memory/4092-120-0x0000000000400000-0x0000000000560000-memory.dmp
  • memory/4092-121-0x0000000000400000-0x00000000005F4000-memory.dmp
  • memory/4092-123-0x0000000000E80000-0x0000000000E81000-memory.dmp