danabot | 6c6556b6e30b5395351243994b576e9d16d7394d67f36b336e04cf057375a62f

Analysis

Target

6c6556b6e30b5395351243994b576e9d16d7394d67f36b336e04cf057375a62f.exe
Size

1.8MB
MD5

9581638dd10b0f6cfe0e38d880628564
SHA1

1feab5fea4e9506d3e41a99b532c469b93a78a9c
SHA256

6c6556b6e30b5395351243994b576e9d16d7394d67f36b336e04cf057375a62f
SHA512

28f4a92f81d23eef6ca30cddc793ae4cab20535300690839e0cb1d259a0c4fb8bd396c00bdc5639d8012d15d2eb8defc66c1304c8284a615490259f4a3d7e1c7

Score

10^/10

Family

danabot

Botnet

142.11.244.223:443

192.236.194.72:443

Attributes

rsa_pubkey.plain

rsa_privkey.plain

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\6C6556~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\6C6556~1.DLL	DanabotLoader2021

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2260 rundll32.exe

pid	process
2260	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

6c6556b6e30b5395351243994b576e9d16d7394d67f36b336e04cf057375a62f.exe

description	pid	process	target process
PID 600 wrote to memory of 2260	600	6c6556b6e30b5395351243994b576e9d16d7394d67f36b336e04cf057375a62f.exe	rundll32.exe
PID 600 wrote to memory of 2260	600	6c6556b6e30b5395351243994b576e9d16d7394d67f36b336e04cf057375a62f.exe	rundll32.exe
PID 600 wrote to memory of 2260	600	6c6556b6e30b5395351243994b576e9d16d7394d67f36b336e04cf057375a62f.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\6c6556b6e30b5395351243994b576e9d16d7394d67f36b336e04cf057375a62f.exe
"C:\Users\Admin\AppData\Local\Temp\6c6556b6e30b5395351243994b576e9d16d7394d67f36b336e04cf057375a62f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:600

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\6C6556~1.DLL,s C:\Users\Admin\AppData\Local\Temp\6C6556~1.EXE
2⤵
- Loads dropped DLL
PID:2260

C:\Users\Admin\AppData\Local\Temp\6C6556~1.DLL
MD5
db74d5bc0981960940b43b2c3f94ff61

SHA1
d71ded369ce768a28d1d0b2f5c501cb5aa30a380

SHA256
2ca6d0bc3619d54abb8ab2f08288a3dca5d0280ceefbd0e89feb4d315d73953e

SHA512
56afc0ebaf2aa8123abbcd03a1a9db79c48b87aee12227dfcf99755ed29978601c2038ebfbc2b497fd6d850465038855ca89b2fa57674832a0fa916f254e65a5

Download Submit
\Users\Admin\AppData\Local\Temp\6C6556~1.DLL
MD5
db74d5bc0981960940b43b2c3f94ff61

SHA1
d71ded369ce768a28d1d0b2f5c501cb5aa30a380

SHA256
2ca6d0bc3619d54abb8ab2f08288a3dca5d0280ceefbd0e89feb4d315d73953e

SHA512
56afc0ebaf2aa8123abbcd03a1a9db79c48b87aee12227dfcf99755ed29978601c2038ebfbc2b497fd6d850465038855ca89b2fa57674832a0fa916f254e65a5

Download Submit
memory/600-115-0x0000000001060000-0x00000000011F0000-memory.dmp

Filesize
1.6MB

Download
memory/600-116-0x00000000011F0000-0x0000000001396000-memory.dmp

Filesize
1.6MB

Download
memory/600-117-0x0000000000400000-0x00000000009C4000-memory.dmp

Filesize
5.8MB

Download
memory/2260-118-0x0000000000000000-mapping.dmp

Download