danabot | 52e7331a12483723eba706c51596a54c2a93231d67c7ce7b62893324c9ddabfc

General

Target

52e7331a12483723eba706c51596a54c2a93231d67c7ce7b62893324c9ddabfc.exe
Size

1.8MB
MD5

cb1e719b862e720d87e0382c52159efd
SHA1

968dc2cfec4b127b4d3303db08abc2b163b6b83f
SHA256

52e7331a12483723eba706c51596a54c2a93231d67c7ce7b62893324c9ddabfc
SHA512

499fdefd110132e504ad77a3448f88384e6432b9612d2acbbc8c08bd3bc2e6ccf2d39d9fad4de6c11ab7f4d18fac0b5ebfe98a5f050b9960a91be7ba973cbd7c

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

142.11.244.223:443

192.236.194.72:443

Attributes

embedded_hash
0FA95F120D6EB149A5D48E36BC76879D
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\52E733~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\52E733~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\52E733~1.DLL	DanabotLoader2021
behavioral1/memory/2872-122-0x0000000000B71000-0x0000000000D96000-memory.dmp	DanabotLoader2021

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1140 created 1964 1140 WerFault.exe 52e7331a12483723eba706c51596a54c2a93231d67c7ce7b62893324c9ddabfc.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

2872 rundll32.exe
2872 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1140 1964 WerFault.exe 52e7331a12483723eba706c51596a54c2a93231d67c7ce7b62893324c9ddabfc.exe

description	pid	process	target process
PID 1140 created 1964	1140	WerFault.exe	52e7331a12483723eba706c51596a54c2a93231d67c7ce7b62893324c9ddabfc.exe

pid	process
2872	rundll32.exe
2872	rundll32.exe

pid	pid_target	process	target process
1140	1964	WerFault.exe	52e7331a12483723eba706c51596a54c2a93231d67c7ce7b62893324c9ddabfc.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
1140	WerFault.exe
1140	WerFault.exe
1140	WerFault.exe
1140	WerFault.exe
1140	WerFault.exe
1140	WerFault.exe
1140	WerFault.exe
1140	WerFault.exe
1140	WerFault.exe
1140	WerFault.exe
1140	WerFault.exe
1140	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1140 WerFault.exe
Token: SeBackupPrivilege 1140 WerFault.exe
Token: SeDebugPrivilege 1140 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	1140	WerFault.exe
Token: SeBackupPrivilege	1140	WerFault.exe
Token: SeDebugPrivilege	1140	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

52e7331a12483723eba706c51596a54c2a93231d67c7ce7b62893324c9ddabfc.exe

description	pid	process	target process
PID 1964 wrote to memory of 2872	1964	52e7331a12483723eba706c51596a54c2a93231d67c7ce7b62893324c9ddabfc.exe	rundll32.exe
PID 1964 wrote to memory of 2872	1964	52e7331a12483723eba706c51596a54c2a93231d67c7ce7b62893324c9ddabfc.exe	rundll32.exe
PID 1964 wrote to memory of 2872	1964	52e7331a12483723eba706c51596a54c2a93231d67c7ce7b62893324c9ddabfc.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\52e7331a12483723eba706c51596a54c2a93231d67c7ce7b62893324c9ddabfc.exe
"C:\Users\Admin\AppData\Local\Temp\52e7331a12483723eba706c51596a54c2a93231d67c7ce7b62893324c9ddabfc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\52E733~1.DLL,s C:\Users\Admin\AppData\Local\Temp\52E733~1.EXE
2⤵
- Loads dropped DLL
PID:2872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 552
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1140

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\52E733~1.DLL
MD5
fb491670dbbe4538dd3d3edf87dceb90

SHA1
c21f0a33476a0e092a32df266107c33563dbeb95

SHA256
b67c4fd840f23ffe11f0a6260efda8efd711cf11d02ef80ca1b29ceba1bbff0a

SHA512
ddbd8d6b49cdcbde6a31ba6ad759230f6a9bdd42b8847696545d3aba3a7457c64154c3f502e2440812101da3223ead1b0da62541f37c8e44a1c254babd57c80e

Download Submit
\Users\Admin\AppData\Local\Temp\52E733~1.DLL
MD5
fb491670dbbe4538dd3d3edf87dceb90

SHA1
c21f0a33476a0e092a32df266107c33563dbeb95

SHA256
b67c4fd840f23ffe11f0a6260efda8efd711cf11d02ef80ca1b29ceba1bbff0a

SHA512
ddbd8d6b49cdcbde6a31ba6ad759230f6a9bdd42b8847696545d3aba3a7457c64154c3f502e2440812101da3223ead1b0da62541f37c8e44a1c254babd57c80e

Download Submit
\Users\Admin\AppData\Local\Temp\52E733~1.DLL
MD5
fb491670dbbe4538dd3d3edf87dceb90

SHA1
c21f0a33476a0e092a32df266107c33563dbeb95

SHA256
b67c4fd840f23ffe11f0a6260efda8efd711cf11d02ef80ca1b29ceba1bbff0a

SHA512
ddbd8d6b49cdcbde6a31ba6ad759230f6a9bdd42b8847696545d3aba3a7457c64154c3f502e2440812101da3223ead1b0da62541f37c8e44a1c254babd57c80e

Download Submit
memory/1964-115-0x00000000007EE000-0x000000000097D000-memory.dmp

Filesize
1.6MB

Download
memory/1964-117-0x0000000000400000-0x00000000005EA000-memory.dmp

Filesize
1.9MB

Download
memory/1964-116-0x0000000000A80000-0x0000000000C25000-memory.dmp

Filesize
1.6MB

Download
memory/2872-118-0x0000000000000000-mapping.dmp

Download
memory/2872-122-0x0000000000B71000-0x0000000000D96000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads