danabot | de32c73a7131f8526801ece12b862faaee462e136a2c86a333a480eadf965f21

General

Target

de32c73a7131f8526801ece12b862faaee462e136a2c86a333a480eadf965f21.exe
Size

1.8MB
MD5

50e1f771b5024ddc9c8bac99c94a3107
SHA1

234ac8b43f46101ec5b2e918f4ee0a31bd415b03
SHA256

de32c73a7131f8526801ece12b862faaee462e136a2c86a333a480eadf965f21
SHA512

46a08c88b81411a1069587ca2c5311db3b3e5c7a7025fe92897e505a6f7304c532612b1dd9a1b98138cae9116957ead448b6fc04b1899e6ecc9804722a3da197

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

142.11.244.223:443

192.236.194.72:443

Attributes

embedded_hash
0FA95F120D6EB149A5D48E36BC76879D
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\DE32C7~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\DE32C7~1.DLL	DanabotLoader2021

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1268 created 2444 1268 WerFault.exe de32c73a7131f8526801ece12b862faaee462e136a2c86a333a480eadf965f21.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3384 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1268 2444 WerFault.exe de32c73a7131f8526801ece12b862faaee462e136a2c86a333a480eadf965f21.exe

description	pid	process	target process
PID 1268 created 2444	1268	WerFault.exe	de32c73a7131f8526801ece12b862faaee462e136a2c86a333a480eadf965f21.exe

pid	process
3384	rundll32.exe

pid	pid_target	process	target process
1268	2444	WerFault.exe	de32c73a7131f8526801ece12b862faaee462e136a2c86a333a480eadf965f21.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
1268	WerFault.exe
1268	WerFault.exe
1268	WerFault.exe
1268	WerFault.exe
1268	WerFault.exe
1268	WerFault.exe
1268	WerFault.exe
1268	WerFault.exe
1268	WerFault.exe
1268	WerFault.exe
1268	WerFault.exe
1268	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1268 WerFault.exe
Token: SeBackupPrivilege 1268 WerFault.exe
Token: SeDebugPrivilege 1268 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	1268	WerFault.exe
Token: SeBackupPrivilege	1268	WerFault.exe
Token: SeDebugPrivilege	1268	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

de32c73a7131f8526801ece12b862faaee462e136a2c86a333a480eadf965f21.exe

description	pid	process	target process
PID 2444 wrote to memory of 3384	2444	de32c73a7131f8526801ece12b862faaee462e136a2c86a333a480eadf965f21.exe	rundll32.exe
PID 2444 wrote to memory of 3384	2444	de32c73a7131f8526801ece12b862faaee462e136a2c86a333a480eadf965f21.exe	rundll32.exe
PID 2444 wrote to memory of 3384	2444	de32c73a7131f8526801ece12b862faaee462e136a2c86a333a480eadf965f21.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\de32c73a7131f8526801ece12b862faaee462e136a2c86a333a480eadf965f21.exe
"C:\Users\Admin\AppData\Local\Temp\de32c73a7131f8526801ece12b862faaee462e136a2c86a333a480eadf965f21.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2444

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\DE32C7~1.DLL,s C:\Users\Admin\AppData\Local\Temp\DE32C7~1.EXE
2⤵
- Loads dropped DLL
PID:3384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 548
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1268

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DE32C7~1.DLL
MD5
dee54de77f4c8b8209212197ed66238d

SHA1
b7770ebf674eeafc8fd6cc0e50f2033581d393bb

SHA256
4c1a14dca926710262ce9e998fd1bbf84eccbb5607a58df855cfe2ae9b0a191b

SHA512
1b64cee431c51efad333873c92b597b62f01d8d73f20a5f19a2fe3095832ef892581900f45c3068f7ac5d2ac0bf394bd1de6d9d41ed1656b231d2b631ef8b500

Download Submit
\Users\Admin\AppData\Local\Temp\DE32C7~1.DLL
MD5
dee54de77f4c8b8209212197ed66238d

SHA1
b7770ebf674eeafc8fd6cc0e50f2033581d393bb

SHA256
4c1a14dca926710262ce9e998fd1bbf84eccbb5607a58df855cfe2ae9b0a191b

SHA512
1b64cee431c51efad333873c92b597b62f01d8d73f20a5f19a2fe3095832ef892581900f45c3068f7ac5d2ac0bf394bd1de6d9d41ed1656b231d2b631ef8b500

Download Submit
memory/2444-115-0x000000000275A000-0x00000000028EA000-memory.dmp

Filesize
1.6MB

Download
memory/2444-116-0x00000000028F0000-0x0000000002A97000-memory.dmp

Filesize
1.7MB

Download
memory/2444-117-0x0000000000400000-0x0000000002478000-memory.dmp

Filesize
32.5MB

Download
memory/3384-118-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads