danabot | 41cccc3e600c2e17f48be777c6803bc54cd33c5f2afbcba75c79e40e786df690

General

Target

41cccc3e600c2e17f48be777c6803bc54cd33c5f2afbcba75c79e40e786df690.exe
Size

1.8MB
MD5

9730790ac74d2cb52f6c378d532acec6
SHA1

83dff400e598997f10f77e867bc16019fd150799
SHA256

41cccc3e600c2e17f48be777c6803bc54cd33c5f2afbcba75c79e40e786df690
SHA512

9c1fb4d54f8782665e1ad9e604c424910b213455177da113304074f9cbb923688fcd75113b9d83d1019729df635ac7f5c7c535a30242bc97f2da888415097f11

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

142.11.244.223:443

192.236.194.72:443

Attributes

embedded_hash
0FA95F120D6EB149A5D48E36BC76879D
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\41CCCC~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\41CCCC~1.DLL	DanabotLoader2021

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1204 created 2052 1204 WerFault.exe 41cccc3e600c2e17f48be777c6803bc54cd33c5f2afbcba75c79e40e786df690.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2448 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1204 2052 WerFault.exe 41cccc3e600c2e17f48be777c6803bc54cd33c5f2afbcba75c79e40e786df690.exe

description	pid	process	target process
PID 1204 created 2052	1204	WerFault.exe	41cccc3e600c2e17f48be777c6803bc54cd33c5f2afbcba75c79e40e786df690.exe

pid	process
2448	rundll32.exe

pid	pid_target	process	target process
1204	2052	WerFault.exe	41cccc3e600c2e17f48be777c6803bc54cd33c5f2afbcba75c79e40e786df690.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
1204	WerFault.exe
1204	WerFault.exe
1204	WerFault.exe
1204	WerFault.exe
1204	WerFault.exe
1204	WerFault.exe
1204	WerFault.exe
1204	WerFault.exe
1204	WerFault.exe
1204	WerFault.exe
1204	WerFault.exe
1204	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1204 WerFault.exe
Token: SeBackupPrivilege 1204 WerFault.exe
Token: SeDebugPrivilege 1204 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	1204	WerFault.exe
Token: SeBackupPrivilege	1204	WerFault.exe
Token: SeDebugPrivilege	1204	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

41cccc3e600c2e17f48be777c6803bc54cd33c5f2afbcba75c79e40e786df690.exe

description	pid	process	target process
PID 2052 wrote to memory of 2448	2052	41cccc3e600c2e17f48be777c6803bc54cd33c5f2afbcba75c79e40e786df690.exe	rundll32.exe
PID 2052 wrote to memory of 2448	2052	41cccc3e600c2e17f48be777c6803bc54cd33c5f2afbcba75c79e40e786df690.exe	rundll32.exe
PID 2052 wrote to memory of 2448	2052	41cccc3e600c2e17f48be777c6803bc54cd33c5f2afbcba75c79e40e786df690.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\41cccc3e600c2e17f48be777c6803bc54cd33c5f2afbcba75c79e40e786df690.exe
"C:\Users\Admin\AppData\Local\Temp\41cccc3e600c2e17f48be777c6803bc54cd33c5f2afbcba75c79e40e786df690.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2052

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\41CCCC~1.DLL,s C:\Users\Admin\AppData\Local\Temp\41CCCC~1.EXE
2⤵
- Loads dropped DLL
PID:2448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 556
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1204

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\41CCCC~1.DLL
MD5
b10ec3ff5c42b9373713f5af17987f05

SHA1
a9eebff4026467f21f27875e7d42f6f892fba1c6

SHA256
efc3062766a7a3e8370940d634b9b266c78c84ad987371bf14bca3c6fd71c4d2

SHA512
37e21c4d105730a011f5548d9d63ea8c23926c14d27feb60064fcafb4b0d326f42098f577c069b41d853fb63d46287f5b13d0afd32047e1e088e0ab26d020491

Download Submit
\Users\Admin\AppData\Local\Temp\41CCCC~1.DLL
MD5
b10ec3ff5c42b9373713f5af17987f05

SHA1
a9eebff4026467f21f27875e7d42f6f892fba1c6

SHA256
efc3062766a7a3e8370940d634b9b266c78c84ad987371bf14bca3c6fd71c4d2

SHA512
37e21c4d105730a011f5548d9d63ea8c23926c14d27feb60064fcafb4b0d326f42098f577c069b41d853fb63d46287f5b13d0afd32047e1e088e0ab26d020491

Download Submit
memory/2052-115-0x0000000000946000-0x0000000000AD6000-memory.dmp

Filesize
1.6MB

Download
memory/2052-116-0x0000000000AE0000-0x0000000000C87000-memory.dmp

Filesize
1.7MB

Download
memory/2052-117-0x0000000000400000-0x00000000005E8000-memory.dmp

Filesize
1.9MB

Download
memory/2448-118-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads