danabot | 078144b01b756e1e61d645c51125a0372e9877bbc514ad068bbc531accdb5bbd

General

Target

078144b01b756e1e61d645c51125a0372e9877bbc514ad068bbc531accdb5bbd.exe
Size

1.8MB
MD5

5b243ecba9cbc048448a89b3ed0edca6
SHA1

d9c9b9319eedfecaffc6ae1418a7f2bc4fd1a962
SHA256

078144b01b756e1e61d645c51125a0372e9877bbc514ad068bbc531accdb5bbd
SHA512

487c9a1e0dffe679434ff8066f9eba93021ca4c1e12056bf57731dc4b919ee28d79eb4101bf162ef933d5dff3346ba44effc188da60f6cdb028dcdbf9d405539

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

142.11.244.223:443

192.236.194.72:443

Attributes

embedded_hash
0FA95F120D6EB149A5D48E36BC76879D
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\078144~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\078144~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\078144~1.DLL	DanabotLoader2021
behavioral1/memory/4364-122-0x0000000004190000-0x000000000440B000-memory.dmp	DanabotLoader2021

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 2284 created 3500 2284 WerFault.exe 078144b01b756e1e61d645c51125a0372e9877bbc514ad068bbc531accdb5bbd.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

4364 rundll32.exe
4364 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2284 3500 WerFault.exe 078144b01b756e1e61d645c51125a0372e9877bbc514ad068bbc531accdb5bbd.exe

description	pid	process	target process
PID 2284 created 3500	2284	WerFault.exe	078144b01b756e1e61d645c51125a0372e9877bbc514ad068bbc531accdb5bbd.exe

pid	process
4364	rundll32.exe
4364	rundll32.exe

pid	pid_target	process	target process
2284	3500	WerFault.exe	078144b01b756e1e61d645c51125a0372e9877bbc514ad068bbc531accdb5bbd.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
2284	WerFault.exe
2284	WerFault.exe
2284	WerFault.exe
2284	WerFault.exe
2284	WerFault.exe
2284	WerFault.exe
2284	WerFault.exe
2284	WerFault.exe
2284	WerFault.exe
2284	WerFault.exe
2284	WerFault.exe
2284	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2284 WerFault.exe
Token: SeBackupPrivilege 2284 WerFault.exe
Token: SeDebugPrivilege 2284 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	2284	WerFault.exe
Token: SeBackupPrivilege	2284	WerFault.exe
Token: SeDebugPrivilege	2284	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

078144b01b756e1e61d645c51125a0372e9877bbc514ad068bbc531accdb5bbd.exe

description	pid	process	target process
PID 3500 wrote to memory of 4364	3500	078144b01b756e1e61d645c51125a0372e9877bbc514ad068bbc531accdb5bbd.exe	rundll32.exe
PID 3500 wrote to memory of 4364	3500	078144b01b756e1e61d645c51125a0372e9877bbc514ad068bbc531accdb5bbd.exe	rundll32.exe
PID 3500 wrote to memory of 4364	3500	078144b01b756e1e61d645c51125a0372e9877bbc514ad068bbc531accdb5bbd.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\078144b01b756e1e61d645c51125a0372e9877bbc514ad068bbc531accdb5bbd.exe
"C:\Users\Admin\AppData\Local\Temp\078144b01b756e1e61d645c51125a0372e9877bbc514ad068bbc531accdb5bbd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3500
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\078144~1.DLL,s C:\Users\Admin\AppData\Local\Temp\078144~1.EXE
  2⤵
  - Loads dropped DLL
  PID:4364
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 560
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2284

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\078144~1.DLL

MD5
d790942062e5dd71bc6cb0c403ff7a2c

SHA1
090b9709d01f87b6a59bb8ea3c2eb8f94c39d3cb

SHA256
3032d7d51e7dc0cf16b8a8b920508c0eeb6fd7465830331855422f1d5608243f

SHA512
ee9f305164c0fc659af11d29212212d8c7f97a5856328587378ff6d1f69e2bb810007cf29f13dd8cd87802f48b48d80f4a17bdbcfbee0c1b291d937fadbf0427

Download Submit
\Users\Admin\AppData\Local\Temp\078144~1.DLL

MD5
d790942062e5dd71bc6cb0c403ff7a2c

SHA1
090b9709d01f87b6a59bb8ea3c2eb8f94c39d3cb

SHA256
3032d7d51e7dc0cf16b8a8b920508c0eeb6fd7465830331855422f1d5608243f

SHA512
ee9f305164c0fc659af11d29212212d8c7f97a5856328587378ff6d1f69e2bb810007cf29f13dd8cd87802f48b48d80f4a17bdbcfbee0c1b291d937fadbf0427

Download Submit
\Users\Admin\AppData\Local\Temp\078144~1.DLL

MD5
d790942062e5dd71bc6cb0c403ff7a2c

SHA1
090b9709d01f87b6a59bb8ea3c2eb8f94c39d3cb

SHA256
3032d7d51e7dc0cf16b8a8b920508c0eeb6fd7465830331855422f1d5608243f

SHA512
ee9f305164c0fc659af11d29212212d8c7f97a5856328587378ff6d1f69e2bb810007cf29f13dd8cd87802f48b48d80f4a17bdbcfbee0c1b291d937fadbf0427

Download Submit
memory/3500-115-0x0000000000936000-0x0000000000AC4000-memory.dmp

Filesize
1.6MB

Download
memory/3500-116-0x0000000000AD0000-0x0000000000C75000-memory.dmp

Filesize
1.6MB

Download
memory/3500-117-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/4364-118-0x0000000000000000-mapping.dmp

Download
memory/4364-122-0x0000000004190000-0x000000000440B000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads