danabot | ab5e684ec147b4984cee1c4fdd7228ebc35ebe00b55cfed6170a9a158da40853

General

Target

ab5e684ec147b4984cee1c4fdd7228ebc35ebe00b55cfed6170a9a158da40853.exe
Size

1.8MB
MD5

cd8efee431f89a137c6342618280431f
SHA1

d1ab5e7e235361b99c42dddfb4a82d808530197a
SHA256

ab5e684ec147b4984cee1c4fdd7228ebc35ebe00b55cfed6170a9a158da40853
SHA512

d3caa40e13b029cec3de30ac9814fb376c4fa8e05b3c4ca6533445cdb5e8f8edc500587fd9a6ba4f1860b3a28b05aba70c8361593d579df3c935cb5efea6dcd1

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

142.11.244.223:443

192.236.194.72:443

Attributes

embedded_hash
0FA95F120D6EB149A5D48E36BC76879D
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1532 created 2132 1532 WerFault.exe ab5e684ec147b4984cee1c4fdd7228ebc35ebe00b55cfed6170a9a158da40853.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3420 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1532 2132 WerFault.exe ab5e684ec147b4984cee1c4fdd7228ebc35ebe00b55cfed6170a9a158da40853.exe

description	pid	process	target process
PID 1532 created 2132	1532	WerFault.exe	ab5e684ec147b4984cee1c4fdd7228ebc35ebe00b55cfed6170a9a158da40853.exe

pid	process
3420	rundll32.exe

pid	pid_target	process	target process
1532	2132	WerFault.exe	ab5e684ec147b4984cee1c4fdd7228ebc35ebe00b55cfed6170a9a158da40853.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1532 WerFault.exe
Token: SeBackupPrivilege 1532 WerFault.exe
Token: SeDebugPrivilege 1532 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	1532	WerFault.exe
Token: SeBackupPrivilege	1532	WerFault.exe
Token: SeDebugPrivilege	1532	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

ab5e684ec147b4984cee1c4fdd7228ebc35ebe00b55cfed6170a9a158da40853.exe

description	pid	process	target process
PID 2132 wrote to memory of 3420	2132	ab5e684ec147b4984cee1c4fdd7228ebc35ebe00b55cfed6170a9a158da40853.exe	rundll32.exe
PID 2132 wrote to memory of 3420	2132	ab5e684ec147b4984cee1c4fdd7228ebc35ebe00b55cfed6170a9a158da40853.exe	rundll32.exe
PID 2132 wrote to memory of 3420	2132	ab5e684ec147b4984cee1c4fdd7228ebc35ebe00b55cfed6170a9a158da40853.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\ab5e684ec147b4984cee1c4fdd7228ebc35ebe00b55cfed6170a9a158da40853.exe
"C:\Users\Admin\AppData\Local\Temp\ab5e684ec147b4984cee1c4fdd7228ebc35ebe00b55cfed6170a9a158da40853.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\AB5E68~1.DLL,s C:\Users\Admin\AppData\Local\Temp\AB5E68~1.EXE
2⤵
- Loads dropped DLL
PID:3420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 576
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1532

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AB5E68~1.DLL
MD5
9b1c0303078b2545b3f5387527d25f5e

SHA1
8fe0ac0417dca01f0156b70f4dc25adb508e31d5

SHA256
8d9c7c90e14eaeb49389f2faf69f9225c1d5139b3b03e32d622237f5b96dd34c

SHA512
1028f5f383e29090244714e0874c3a11c69674e7352ca2b8073eea807ad85802becf68ddc2096416cf68fc8d6654c9cb2a3b52d7035a8173b54964525d563ed0

Download Submit
\Users\Admin\AppData\Local\Temp\AB5E68~1.DLL
MD5
9b1c0303078b2545b3f5387527d25f5e

SHA1
8fe0ac0417dca01f0156b70f4dc25adb508e31d5

SHA256
8d9c7c90e14eaeb49389f2faf69f9225c1d5139b3b03e32d622237f5b96dd34c

SHA512
1028f5f383e29090244714e0874c3a11c69674e7352ca2b8073eea807ad85802becf68ddc2096416cf68fc8d6654c9cb2a3b52d7035a8173b54964525d563ed0

Download Submit
memory/2132-115-0x0000000001250000-0x00000000013DF000-memory.dmp

Filesize
1.6MB

Download
memory/2132-116-0x00000000013E0000-0x0000000001585000-memory.dmp

Filesize
1.6MB

Download
memory/2132-117-0x0000000000400000-0x0000000000D9A000-memory.dmp

Filesize
9.6MB

Download
memory/3420-118-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing