danabot | 8d72a6f7a3815a3c786aa596cb7b2ba0a5253228343c154e9a32e9ab690cba33

General

Target

8d72a6f7a3815a3c786aa596cb7b2ba0a5253228343c154e9a32e9ab690cba33.exe
Size

1.8MB
MD5

8e33169905bd13e9036657eb3146d2ec
SHA1

e4626a48869d18ad4ad4a20edd7a60fa961dc0a1
SHA256

8d72a6f7a3815a3c786aa596cb7b2ba0a5253228343c154e9a32e9ab690cba33
SHA512

308cad35cdf485f90ff20fb8f4d831cad48328351e30aa6e274ddcb2ceabeb5dc6432fa44d1f8dd77709d9bd3e93edb70c69f9f12fefcb80fe82ad3a080e53b7

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

142.11.244.223:443

192.236.194.72:443

Attributes

embedded_hash
0FA95F120D6EB149A5D48E36BC76879D
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\8D72A6~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\8D72A6~1.DLL	DanabotLoader2021

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1096 created 600 1096 WerFault.exe 8d72a6f7a3815a3c786aa596cb7b2ba0a5253228343c154e9a32e9ab690cba33.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3008 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1096 600 WerFault.exe 8d72a6f7a3815a3c786aa596cb7b2ba0a5253228343c154e9a32e9ab690cba33.exe

description	pid	process	target process
PID 1096 created 600	1096	WerFault.exe	8d72a6f7a3815a3c786aa596cb7b2ba0a5253228343c154e9a32e9ab690cba33.exe

pid	process
3008	rundll32.exe

pid	pid_target	process	target process
1096	600	WerFault.exe	8d72a6f7a3815a3c786aa596cb7b2ba0a5253228343c154e9a32e9ab690cba33.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
1096	WerFault.exe
1096	WerFault.exe
1096	WerFault.exe
1096	WerFault.exe
1096	WerFault.exe
1096	WerFault.exe
1096	WerFault.exe
1096	WerFault.exe
1096	WerFault.exe
1096	WerFault.exe
1096	WerFault.exe
1096	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1096 WerFault.exe
Token: SeBackupPrivilege 1096 WerFault.exe
Token: SeDebugPrivilege 1096 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	1096	WerFault.exe
Token: SeBackupPrivilege	1096	WerFault.exe
Token: SeDebugPrivilege	1096	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

8d72a6f7a3815a3c786aa596cb7b2ba0a5253228343c154e9a32e9ab690cba33.exe

description	pid	process	target process
PID 600 wrote to memory of 3008	600	8d72a6f7a3815a3c786aa596cb7b2ba0a5253228343c154e9a32e9ab690cba33.exe	rundll32.exe
PID 600 wrote to memory of 3008	600	8d72a6f7a3815a3c786aa596cb7b2ba0a5253228343c154e9a32e9ab690cba33.exe	rundll32.exe
PID 600 wrote to memory of 3008	600	8d72a6f7a3815a3c786aa596cb7b2ba0a5253228343c154e9a32e9ab690cba33.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\8d72a6f7a3815a3c786aa596cb7b2ba0a5253228343c154e9a32e9ab690cba33.exe
"C:\Users\Admin\AppData\Local\Temp\8d72a6f7a3815a3c786aa596cb7b2ba0a5253228343c154e9a32e9ab690cba33.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:600

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\8D72A6~1.DLL,s C:\Users\Admin\AppData\Local\Temp\8D72A6~1.EXE
2⤵
- Loads dropped DLL
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 600 -s 544
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1096

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8D72A6~1.DLL
MD5
51ba11d815888350e4f68aacb5fec1f1

SHA1
47f0383c1145e34dfeff6f1609807b82ad830c03

SHA256
b14e9cc30689da2429ca5805f2859a3aaec6acea136847d9decd04b32ec08883

SHA512
d76f0c8882de15bab5817e94f22cadb8388500f7d6a690c5c0d2a9b7cd731181ef5da77de1d0fbd721e386eb63f2017879250a09b9c928c15783f17efc1dd76c

Download Submit
\Users\Admin\AppData\Local\Temp\8D72A6~1.DLL
MD5
51ba11d815888350e4f68aacb5fec1f1

SHA1
47f0383c1145e34dfeff6f1609807b82ad830c03

SHA256
b14e9cc30689da2429ca5805f2859a3aaec6acea136847d9decd04b32ec08883

SHA512
d76f0c8882de15bab5817e94f22cadb8388500f7d6a690c5c0d2a9b7cd731181ef5da77de1d0fbd721e386eb63f2017879250a09b9c928c15783f17efc1dd76c

Download Submit
memory/600-115-0x00000000008F2000-0x0000000000A81000-memory.dmp

Filesize
1.6MB

Download
memory/600-117-0x0000000000400000-0x00000000005EA000-memory.dmp

Filesize
1.9MB

Download
memory/600-116-0x0000000000A90000-0x0000000000C35000-memory.dmp

Filesize
1.6MB

Download
memory/3008-118-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads