danabot | ca09e741a3f9553404a74ef1bdd03b2419a423d48986127851a990e4d474d072

General

Target

ca09e741a3f9553404a74ef1bdd03b2419a423d48986127851a990e4d474d072.exe
Size

1.8MB
MD5

2d63e541006fc9cd636d8446dc99c361
SHA1

bbb2d7768ef04e5f62624face4ec5c842cd67e1c
SHA256

ca09e741a3f9553404a74ef1bdd03b2419a423d48986127851a990e4d474d072
SHA512

77fb378c7df9a5ec44dd7468cc7a28829cc726028ce3a714981ef620ee6a9e8ee4abb1cc859c4b61c4c90afa3a1dbb65bfe0542c12b014eabd516e0efa6aa59e

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

142.11.244.223:443

192.236.194.72:443

Attributes

embedded_hash
0FA95F120D6EB149A5D48E36BC76879D
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\CA09E7~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\CA09E7~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\CA09E7~1.DLL	DanabotLoader2021
behavioral1/memory/4032-121-0x0000000004150000-0x00000000043CC000-memory.dmp	DanabotLoader2021

Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

4032 rundll32.exe
4032 rundll32.exe

pid	process
4032	rundll32.exe
4032	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

ca09e741a3f9553404a74ef1bdd03b2419a423d48986127851a990e4d474d072.exe

description	pid	process	target process
PID 3348 wrote to memory of 4032	3348	ca09e741a3f9553404a74ef1bdd03b2419a423d48986127851a990e4d474d072.exe	rundll32.exe
PID 3348 wrote to memory of 4032	3348	ca09e741a3f9553404a74ef1bdd03b2419a423d48986127851a990e4d474d072.exe	rundll32.exe
PID 3348 wrote to memory of 4032	3348	ca09e741a3f9553404a74ef1bdd03b2419a423d48986127851a990e4d474d072.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\ca09e741a3f9553404a74ef1bdd03b2419a423d48986127851a990e4d474d072.exe
"C:\Users\Admin\AppData\Local\Temp\ca09e741a3f9553404a74ef1bdd03b2419a423d48986127851a990e4d474d072.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3348

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\CA09E7~1.DLL,s C:\Users\Admin\AppData\Local\Temp\CA09E7~1.EXE
2⤵
- Loads dropped DLL
PID:4032

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CA09E7~1.DLL
MD5
0c94c0b1789269a7e8b12e9353f7f56b

SHA1
1cf7f75a1ddf085b0d33335329ec21a901bfe7e2

SHA256
cdce43f21a643c35c61f3fe760ab8f6aec28744f11a8bd3cb36b43cad1244b04

SHA512
c99aa83794cdd101bc6ad453c3294673f6e658b8a5876994218edd226680b9e21db3d5872c5abff65293d840c7befd0cd03b742398a11093fad9e5b75f7fdce7

Download Submit
\Users\Admin\AppData\Local\Temp\CA09E7~1.DLL
MD5
0c94c0b1789269a7e8b12e9353f7f56b

SHA1
1cf7f75a1ddf085b0d33335329ec21a901bfe7e2

SHA256
cdce43f21a643c35c61f3fe760ab8f6aec28744f11a8bd3cb36b43cad1244b04

SHA512
c99aa83794cdd101bc6ad453c3294673f6e658b8a5876994218edd226680b9e21db3d5872c5abff65293d840c7befd0cd03b742398a11093fad9e5b75f7fdce7

Download Submit
\Users\Admin\AppData\Local\Temp\CA09E7~1.DLL
MD5
0c94c0b1789269a7e8b12e9353f7f56b

SHA1
1cf7f75a1ddf085b0d33335329ec21a901bfe7e2

SHA256
cdce43f21a643c35c61f3fe760ab8f6aec28744f11a8bd3cb36b43cad1244b04

SHA512
c99aa83794cdd101bc6ad453c3294673f6e658b8a5876994218edd226680b9e21db3d5872c5abff65293d840c7befd0cd03b742398a11093fad9e5b75f7fdce7

Download Submit
memory/3348-115-0x00000000011B0000-0x0000000001356000-memory.dmp

Filesize
1.6MB

Download
memory/3348-114-0x0000000001020000-0x00000000011B0000-memory.dmp

Filesize
1.6MB

Download
memory/3348-116-0x0000000000400000-0x00000000009C3000-memory.dmp

Filesize
5.8MB

Download
memory/4032-117-0x0000000000000000-mapping.dmp

Download
memory/4032-121-0x0000000004150000-0x00000000043CC000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing