danabot | 8b6a756e9770c6d6a1ce8b290920b05e9854a9cc43baa40de4cdb7b5dc62d62e

General

Target

8b6a756e9770c6d6a1ce8b290920b05e9854a9cc43baa40de4cdb7b5dc62d62e.exe
Size

1.9MB
MD5

5671fa693a4cc5de59ad3bc915150d04
SHA1

28a8c9a2a1226b5d7aedef9065d9ddc310b1f33e
SHA256

8b6a756e9770c6d6a1ce8b290920b05e9854a9cc43baa40de4cdb7b5dc62d62e
SHA512

fbe4ec24244b5005272df627580b51f2df9895c0b368de7f6d91e080d011f4139866a556cc74efebb9f8d44ad354e87bda12ebe08072a60ab09428f6dc6587a2

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

142.11.244.223:443

192.236.194.72:443

Attributes

embedded_hash
0FA95F120D6EB149A5D48E36BC76879D
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\8B6A75~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\8B6A75~1.DLL	DanabotLoader2021

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 2704 created 2860 2704 WerFault.exe 8b6a756e9770c6d6a1ce8b290920b05e9854a9cc43baa40de4cdb7b5dc62d62e.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2080 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2704 2860 WerFault.exe 8b6a756e9770c6d6a1ce8b290920b05e9854a9cc43baa40de4cdb7b5dc62d62e.exe

description	pid	process	target process
PID 2704 created 2860	2704	WerFault.exe	8b6a756e9770c6d6a1ce8b290920b05e9854a9cc43baa40de4cdb7b5dc62d62e.exe

pid	process
2080	rundll32.exe

pid	pid_target	process	target process
2704	2860	WerFault.exe	8b6a756e9770c6d6a1ce8b290920b05e9854a9cc43baa40de4cdb7b5dc62d62e.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
2704	WerFault.exe
2704	WerFault.exe
2704	WerFault.exe
2704	WerFault.exe
2704	WerFault.exe
2704	WerFault.exe
2704	WerFault.exe
2704	WerFault.exe
2704	WerFault.exe
2704	WerFault.exe
2704	WerFault.exe
2704	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2704 WerFault.exe
Token: SeBackupPrivilege 2704 WerFault.exe
Token: SeDebugPrivilege 2704 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	2704	WerFault.exe
Token: SeBackupPrivilege	2704	WerFault.exe
Token: SeDebugPrivilege	2704	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

8b6a756e9770c6d6a1ce8b290920b05e9854a9cc43baa40de4cdb7b5dc62d62e.exe

description	pid	process	target process
PID 2860 wrote to memory of 2080	2860	8b6a756e9770c6d6a1ce8b290920b05e9854a9cc43baa40de4cdb7b5dc62d62e.exe	rundll32.exe
PID 2860 wrote to memory of 2080	2860	8b6a756e9770c6d6a1ce8b290920b05e9854a9cc43baa40de4cdb7b5dc62d62e.exe	rundll32.exe
PID 2860 wrote to memory of 2080	2860	8b6a756e9770c6d6a1ce8b290920b05e9854a9cc43baa40de4cdb7b5dc62d62e.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\8b6a756e9770c6d6a1ce8b290920b05e9854a9cc43baa40de4cdb7b5dc62d62e.exe
"C:\Users\Admin\AppData\Local\Temp\8b6a756e9770c6d6a1ce8b290920b05e9854a9cc43baa40de4cdb7b5dc62d62e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\8B6A75~1.DLL,s C:\Users\Admin\AppData\Local\Temp\8B6A75~1.EXE
2⤵
- Loads dropped DLL
PID:2080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 580
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2704

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8B6A75~1.DLL
MD5
09a2ae26ef51dd650d7c40b393e0e10f

SHA1
8af7a92e76af483c5ad8da20de268fdd069bfc20

SHA256
7ee81964725f63d9d456ea8a758514c8f810bf2f14ddf6750672869c14b8ad79

SHA512
438b6be03d39bba9a23f906ccedbb08a01bd4ae9eed7e6745de3e33804840cb72dac5935371251ab167515781ba9ec8410a3a9019588f13fbd0657bc41914598

Download Submit
\Users\Admin\AppData\Local\Temp\8B6A75~1.DLL
MD5
09a2ae26ef51dd650d7c40b393e0e10f

SHA1
8af7a92e76af483c5ad8da20de268fdd069bfc20

SHA256
7ee81964725f63d9d456ea8a758514c8f810bf2f14ddf6750672869c14b8ad79

SHA512
438b6be03d39bba9a23f906ccedbb08a01bd4ae9eed7e6745de3e33804840cb72dac5935371251ab167515781ba9ec8410a3a9019588f13fbd0657bc41914598

Download Submit
memory/2080-118-0x0000000000000000-mapping.dmp

Download
memory/2860-115-0x000000000121E000-0x00000000013AC000-memory.dmp

Filesize
1.6MB

Download
memory/2860-116-0x00000000013B0000-0x0000000001554000-memory.dmp

Filesize
1.6MB

Download
memory/2860-117-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads