Analysis
-
max time kernel
85s -
max time network
121s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
25-11-2021 16:43
General
-
Target
89a79bf235fd3a402b5cdc29e58ce1a0e56ddf23f2cb2604b44ab1570e608fdd.dll
-
Size
1.9MB
-
MD5
6d9f899e26ce787bfa696e85583d49e1
-
SHA1
183496c077b1efdff28a1db820d461b5a4462c3c
-
SHA256
89a79bf235fd3a402b5cdc29e58ce1a0e56ddf23f2cb2604b44ab1570e608fdd
-
SHA512
dd7a7d45ee666f8fa7354e6633dc3ba209aec046dbc95991256c4ea832db1b75c2a8644b1f6538d3444a7b8a10103e551bc962721f590cb2e821374bd095ca6b
Score
10/10
Malware Config
Extracted
Family
danabot
C2
185.117.90.36:443
193.42.36.59:443
193.56.146.53:443
185.106.123.228:443
Attributes
-
embedded_hash
07284E2A3AB3C2E1FFFBD425849BE150
-
type
loader
rsa_pubkey.plain
rsa_privkey.plain
Signatures
-
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
-
Danabot Loader Component 2 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\89a79bf235fd3a402b5cdc29e58ce1a0e56ddf23f2cb2604b44ab1570e608fdd.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\89a79bf235fd3a402b5cdc29e58ce1a0e56ddf23f2cb2604b44ab1570e608fdd.dll,#12⤵
- Blocklisted process makes network request
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4092-118-0x0000000000000000-mapping.dmp
-
memory/4092-119-0x0000000000400000-0x00000000005F4000-memory.dmpFilesize
2.0MB
-
memory/4092-120-0x0000000000400000-0x0000000000560000-memory.dmpFilesize
1.4MB
-
memory/4092-121-0x0000000000400000-0x00000000005F4000-memory.dmpFilesize
2.0MB
-
memory/4092-123-0x0000000000E80000-0x0000000000E81000-memory.dmpFilesize
4KB