danabot | c71d528373aadc3115439a24f0b87acecedaef6fe20a99042ff1f93c2ba04ae5

General

Target

c71d528373aadc3115439a24f0b87acecedaef6fe20a99042ff1f93c2ba04ae5.exe
Size

1.8MB
MD5

a87010eb1a21c769671bdd342b6f5bf2
SHA1

f4551c705f955acbe08f03fdfd0b11c418749102
SHA256

c71d528373aadc3115439a24f0b87acecedaef6fe20a99042ff1f93c2ba04ae5
SHA512

92abc67c2acd8889a00c226c9cee9c97b047b86fd894126df67fbfd98a292ea562d0863cebc6eaa6a26006a4121023c24f5ca2a237d013fd9fdc7291e7dfea35

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

142.11.244.223:443

192.236.194.72:443

Attributes

embedded_hash
0FA95F120D6EB149A5D48E36BC76879D
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 2928 created 3804 2928 WerFault.exe c71d528373aadc3115439a24f0b87acecedaef6fe20a99042ff1f93c2ba04ae5.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

3004 rundll32.exe
3004 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2928 3804 WerFault.exe c71d528373aadc3115439a24f0b87acecedaef6fe20a99042ff1f93c2ba04ae5.exe

description	pid	process	target process
PID 2928 created 3804	2928	WerFault.exe	c71d528373aadc3115439a24f0b87acecedaef6fe20a99042ff1f93c2ba04ae5.exe

pid	process
3004	rundll32.exe
3004	rundll32.exe

pid	pid_target	process	target process
2928	3804	WerFault.exe	c71d528373aadc3115439a24f0b87acecedaef6fe20a99042ff1f93c2ba04ae5.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
2928	WerFault.exe
2928	WerFault.exe
2928	WerFault.exe
2928	WerFault.exe
2928	WerFault.exe
2928	WerFault.exe
2928	WerFault.exe
2928	WerFault.exe
2928	WerFault.exe
2928	WerFault.exe
2928	WerFault.exe
2928	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2928 WerFault.exe
Token: SeBackupPrivilege 2928 WerFault.exe
Token: SeDebugPrivilege 2928 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	2928	WerFault.exe
Token: SeBackupPrivilege	2928	WerFault.exe
Token: SeDebugPrivilege	2928	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

c71d528373aadc3115439a24f0b87acecedaef6fe20a99042ff1f93c2ba04ae5.exe

description	pid	process	target process
PID 3804 wrote to memory of 3004	3804	c71d528373aadc3115439a24f0b87acecedaef6fe20a99042ff1f93c2ba04ae5.exe	rundll32.exe
PID 3804 wrote to memory of 3004	3804	c71d528373aadc3115439a24f0b87acecedaef6fe20a99042ff1f93c2ba04ae5.exe	rundll32.exe
PID 3804 wrote to memory of 3004	3804	c71d528373aadc3115439a24f0b87acecedaef6fe20a99042ff1f93c2ba04ae5.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\c71d528373aadc3115439a24f0b87acecedaef6fe20a99042ff1f93c2ba04ae5.exe
"C:\Users\Admin\AppData\Local\Temp\c71d528373aadc3115439a24f0b87acecedaef6fe20a99042ff1f93c2ba04ae5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3804
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\C71D52~1.DLL,s C:\Users\Admin\AppData\Local\Temp\C71D52~1.EXE
  2⤵
  - Loads dropped DLL
  PID:3004
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 556
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2928

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C71D52~1.DLL

MD5
22a143f42dbdc8c77fe3a23e43616f69

SHA1
86f8ec1e6381e473808337c7d348e56137f7ba7c

SHA256
4f23e33fe905f7575e9e462863077faa11ffdd672807d42a22863709bb9a6fbb

SHA512
6fec9b1cfcddfae20f68d4fe2ca4e48d81ae3a7e155630afd7c96b93323d7c263202d3f018428a38fb2dd153f7c5b7755f09c11f97ebd937cf0d43eaccfeffaf

Download Submit
\Users\Admin\AppData\Local\Temp\C71D52~1.DLL

MD5
22a143f42dbdc8c77fe3a23e43616f69

SHA1
86f8ec1e6381e473808337c7d348e56137f7ba7c

SHA256
4f23e33fe905f7575e9e462863077faa11ffdd672807d42a22863709bb9a6fbb

SHA512
6fec9b1cfcddfae20f68d4fe2ca4e48d81ae3a7e155630afd7c96b93323d7c263202d3f018428a38fb2dd153f7c5b7755f09c11f97ebd937cf0d43eaccfeffaf

Download Submit
\Users\Admin\AppData\Local\Temp\C71D52~1.DLL

MD5
22a143f42dbdc8c77fe3a23e43616f69

SHA1
86f8ec1e6381e473808337c7d348e56137f7ba7c

SHA256
4f23e33fe905f7575e9e462863077faa11ffdd672807d42a22863709bb9a6fbb

SHA512
6fec9b1cfcddfae20f68d4fe2ca4e48d81ae3a7e155630afd7c96b93323d7c263202d3f018428a38fb2dd153f7c5b7755f09c11f97ebd937cf0d43eaccfeffaf

Download Submit
memory/3004-118-0x0000000000000000-mapping.dmp

Download
memory/3004-122-0x00000000045B0000-0x000000000482E000-memory.dmp

Filesize
2.5MB

Download
memory/3804-115-0x0000000000A12000-0x0000000000BA3000-memory.dmp

Filesize
1.6MB

Download
memory/3804-117-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/3804-116-0x0000000000BB0000-0x0000000000D57000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing