Analysis

  • max time kernel
    137s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    31-12-2021 22:41

General

  • Target

    3e8044305c52c8ed72dff87aaa76b6ecb6264f00e7d1030af9f4b6954aa719d0.exe

  • Size

    1.8MB

  • MD5

    a4972219946625bfc86a9d0d93cfcdc4

  • SHA1

    4eac439c6a4f756fe90e8adbd078c2527385e22e

  • SHA256

    3e8044305c52c8ed72dff87aaa76b6ecb6264f00e7d1030af9f4b6954aa719d0

  • SHA512

    ecd937e403e789b9f7fa40adcaebfa8ebaed00e1c1a86d2785e05c6515f96794843adda6e3995ae7a6329b2de19de59d24ec95971c3a789e51810bd329fb3e05

Score
10/10

Malware Config

Extracted

Family

danabot

Botnet

4

C2

142.11.244.223:443

192.236.194.72:443

Attributes
  • embedded_hash

    0FA95F120D6EB149A5D48E36BC76879D

  • type

    loader

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Danabot Loader Component 2 IoCs
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3e8044305c52c8ed72dff87aaa76b6ecb6264f00e7d1030af9f4b6954aa719d0.exe
    "C:\Users\Admin\AppData\Local\Temp\3e8044305c52c8ed72dff87aaa76b6ecb6264f00e7d1030af9f4b6954aa719d0.exe"
    • Suspicious use of WriteProcessMemory
    PID:3808
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\3E8044~1.DLL,s C:\Users\Admin\AppData\Local\Temp\3E8044~1.EXE
      • Loads dropped DLL
      PID:1140
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 556
      • Suspicious use of NtCreateProcessExOtherParentProcess
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3360

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3E8044~1.DLL
    MD5

    488a68e535f66bb5af7fc4edb5c3064a

    SHA1

    bbd7dba124257107ec2a0e2fe4fe7ded72491342

    SHA256

    95e7c3b535bf7c47da10da4a1b0d6b4f6ea7f12ea927bfb47d94dd5bce24c06b

    SHA512

    276fbb1eafa569ec11a80bc6cb21e2d654fee6279184ddc7400c3a88b10127a55b3bdd57b19de4d7435c01f944bedb12949ca6486819aa5004185a6dd324f588

  • \Users\Admin\AppData\Local\Temp\3E8044~1.DLL
    MD5

    488a68e535f66bb5af7fc4edb5c3064a

    SHA1

    bbd7dba124257107ec2a0e2fe4fe7ded72491342

    SHA256

    95e7c3b535bf7c47da10da4a1b0d6b4f6ea7f12ea927bfb47d94dd5bce24c06b

    SHA512

    276fbb1eafa569ec11a80bc6cb21e2d654fee6279184ddc7400c3a88b10127a55b3bdd57b19de4d7435c01f944bedb12949ca6486819aa5004185a6dd324f588

  • memory/1140-118-0x0000000000000000-mapping.dmp
  • memory/3808-115-0x0000000000DEF000-0x0000000000F7E000-memory.dmp
    Filesize

    1.6MB

  • memory/3808-117-0x0000000000400000-0x0000000000902000-memory.dmp
    Filesize

    5.0MB

  • memory/3808-116-0x0000000000F80000-0x0000000001125000-memory.dmp
    Filesize

    1.6MB