danabot | 17b7e69175169a06f1376ada53b70a77accbc30a5f7b3cec32e3fe8e9285eb86

General

Target

17b7e69175169a06f1376ada53b70a77accbc30a5f7b3cec32e3fe8e9285eb86.exe
Size

1.8MB
MD5

cb22039f60d3a5edb829a1983ca19b96
SHA1

f85c805b015cb885021436e406e14b6c936d1c26
SHA256

17b7e69175169a06f1376ada53b70a77accbc30a5f7b3cec32e3fe8e9285eb86
SHA512

c0787124e7131f54064cc8a9a1d9fbafdc1e92cd7ac15defcbb45492801d04d3fa9d4d1b8c0b7550500bc9b154b3b479e66bfa79a1425654ba8fc410c87bf08b

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

142.11.244.223:443

192.236.194.72:443

Attributes

embedded_hash
0FA95F120D6EB149A5D48E36BC76879D
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\17B7E6~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\17B7E6~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\17B7E6~1.DLL	DanabotLoader2021
behavioral1/memory/4412-122-0x0000000004350000-0x00000000045CC000-memory.dmp	DanabotLoader2021

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 4416 created 3828 4416 WerFault.exe 17b7e69175169a06f1376ada53b70a77accbc30a5f7b3cec32e3fe8e9285eb86.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

4412 rundll32.exe
4412 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4416 3828 WerFault.exe 17b7e69175169a06f1376ada53b70a77accbc30a5f7b3cec32e3fe8e9285eb86.exe

description	pid	process	target process
PID 4416 created 3828	4416	WerFault.exe	17b7e69175169a06f1376ada53b70a77accbc30a5f7b3cec32e3fe8e9285eb86.exe

pid	process
4412	rundll32.exe
4412	rundll32.exe

pid	pid_target	process	target process
4416	3828	WerFault.exe	17b7e69175169a06f1376ada53b70a77accbc30a5f7b3cec32e3fe8e9285eb86.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
4416	WerFault.exe
4416	WerFault.exe
4416	WerFault.exe
4416	WerFault.exe
4416	WerFault.exe
4416	WerFault.exe
4416	WerFault.exe
4416	WerFault.exe
4416	WerFault.exe
4416	WerFault.exe
4416	WerFault.exe
4416	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 4416 WerFault.exe
Token: SeBackupPrivilege 4416 WerFault.exe
Token: SeDebugPrivilege 4416 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	4416	WerFault.exe
Token: SeBackupPrivilege	4416	WerFault.exe
Token: SeDebugPrivilege	4416	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

17b7e69175169a06f1376ada53b70a77accbc30a5f7b3cec32e3fe8e9285eb86.exe

description	pid	process	target process
PID 3828 wrote to memory of 4412	3828	17b7e69175169a06f1376ada53b70a77accbc30a5f7b3cec32e3fe8e9285eb86.exe	rundll32.exe
PID 3828 wrote to memory of 4412	3828	17b7e69175169a06f1376ada53b70a77accbc30a5f7b3cec32e3fe8e9285eb86.exe	rundll32.exe
PID 3828 wrote to memory of 4412	3828	17b7e69175169a06f1376ada53b70a77accbc30a5f7b3cec32e3fe8e9285eb86.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\17b7e69175169a06f1376ada53b70a77accbc30a5f7b3cec32e3fe8e9285eb86.exe
"C:\Users\Admin\AppData\Local\Temp\17b7e69175169a06f1376ada53b70a77accbc30a5f7b3cec32e3fe8e9285eb86.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3828

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\17B7E6~1.DLL,s C:\Users\Admin\AppData\Local\Temp\17B7E6~1.EXE
2⤵
- Loads dropped DLL
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 576
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4416

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\17B7E6~1.DLL
MD5
4d6fbcf6898688fb228f2f1262ed35a0

SHA1
bdc4a5a8169f12b432ab5596e17c2772f975d7cf

SHA256
c48af33b0db0104731dbc28027e99c66f25d35e9e6b161045e13149b538c99c1

SHA512
46a162d48233ef93b99adecb4b32235b6b5439a888868ba93b764b00f0d8de88d925363c0deb9321138d857ca7413c4294ea29b1e6159866fc2200b0ead07751

Download Submit
\Users\Admin\AppData\Local\Temp\17B7E6~1.DLL
MD5
4d6fbcf6898688fb228f2f1262ed35a0

SHA1
bdc4a5a8169f12b432ab5596e17c2772f975d7cf

SHA256
c48af33b0db0104731dbc28027e99c66f25d35e9e6b161045e13149b538c99c1

SHA512
46a162d48233ef93b99adecb4b32235b6b5439a888868ba93b764b00f0d8de88d925363c0deb9321138d857ca7413c4294ea29b1e6159866fc2200b0ead07751

Download Submit
\Users\Admin\AppData\Local\Temp\17B7E6~1.DLL
MD5
4d6fbcf6898688fb228f2f1262ed35a0

SHA1
bdc4a5a8169f12b432ab5596e17c2772f975d7cf

SHA256
c48af33b0db0104731dbc28027e99c66f25d35e9e6b161045e13149b538c99c1

SHA512
46a162d48233ef93b99adecb4b32235b6b5439a888868ba93b764b00f0d8de88d925363c0deb9321138d857ca7413c4294ea29b1e6159866fc2200b0ead07751

Download Submit
memory/3828-115-0x0000000000A4D000-0x0000000000BDC000-memory.dmp

Filesize
1.6MB

Download
memory/3828-117-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download
memory/3828-116-0x0000000000BE0000-0x0000000000D85000-memory.dmp

Filesize
1.6MB

Download
memory/4412-118-0x0000000000000000-mapping.dmp

Download
memory/4412-122-0x0000000004350000-0x00000000045CC000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads