danabot | 8d72a6f7a3815a3c786aa596cb7b2ba0a5253228343c154e9a32e9ab690cba33

General

Target

8e33169905bd13e9036657eb3146d2ec.exe
Size

1.8MB
MD5

8e33169905bd13e9036657eb3146d2ec
SHA1

e4626a48869d18ad4ad4a20edd7a60fa961dc0a1
SHA256

8d72a6f7a3815a3c786aa596cb7b2ba0a5253228343c154e9a32e9ab690cba33
SHA512

308cad35cdf485f90ff20fb8f4d831cad48328351e30aa6e274ddcb2ceabeb5dc6432fa44d1f8dd77709d9bd3e93edb70c69f9f12fefcb80fe82ad3a080e53b7

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

142.11.244.223:443

192.236.194.72:443

Attributes

embedded_hash
0FA95F120D6EB149A5D48E36BC76879D
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\8E3316~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\8E3316~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\8E3316~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\8E3316~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\8E3316~1.DLL	DanabotLoader2021
behavioral1/memory/560-66-0x0000000001C70000-0x0000000001EEC000-memory.dmp	DanabotLoader2021

Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

560 rundll32.exe
560 rundll32.exe
560 rundll32.exe
560 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1096 1580 WerFault.exe 8e33169905bd13e9036657eb3146d2ec.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

1096 WerFault.exe
1096 WerFault.exe
1096 WerFault.exe
1096 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1096 WerFault.exe

pid	process
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe

pid	pid_target	process	target process
1096	1580	WerFault.exe	8e33169905bd13e9036657eb3146d2ec.exe

pid	process
1096	WerFault.exe
1096	WerFault.exe
1096	WerFault.exe
1096	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1096	WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

8e33169905bd13e9036657eb3146d2ec.exe

description	pid	process	target process
PID 1580 wrote to memory of 560	1580	8e33169905bd13e9036657eb3146d2ec.exe	rundll32.exe
PID 1580 wrote to memory of 560	1580	8e33169905bd13e9036657eb3146d2ec.exe	rundll32.exe
PID 1580 wrote to memory of 560	1580	8e33169905bd13e9036657eb3146d2ec.exe	rundll32.exe
PID 1580 wrote to memory of 560	1580	8e33169905bd13e9036657eb3146d2ec.exe	rundll32.exe
PID 1580 wrote to memory of 560	1580	8e33169905bd13e9036657eb3146d2ec.exe	rundll32.exe
PID 1580 wrote to memory of 560	1580	8e33169905bd13e9036657eb3146d2ec.exe	rundll32.exe
PID 1580 wrote to memory of 560	1580	8e33169905bd13e9036657eb3146d2ec.exe	rundll32.exe
PID 1580 wrote to memory of 1096	1580	8e33169905bd13e9036657eb3146d2ec.exe	WerFault.exe
PID 1580 wrote to memory of 1096	1580	8e33169905bd13e9036657eb3146d2ec.exe	WerFault.exe
PID 1580 wrote to memory of 1096	1580	8e33169905bd13e9036657eb3146d2ec.exe	WerFault.exe
PID 1580 wrote to memory of 1096	1580	8e33169905bd13e9036657eb3146d2ec.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\8e33169905bd13e9036657eb3146d2ec.exe
"C:\Users\Admin\AppData\Local\Temp\8e33169905bd13e9036657eb3146d2ec.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\8E3316~1.DLL,s C:\Users\Admin\AppData\Local\Temp\8E3316~1.EXE
2⤵
- Loads dropped DLL
PID:560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 208
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1096

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8E3316~1.DLL
MD5
eb2f0fa93bc931458d67c89d4fcfce25

SHA1
680d8d9261c2fa5a130ab4d42d71df06fccd04bf

SHA256
612ddc7dbe69aa8222fd4f80e5a77be6ef836861af91752b7056e5e6b59fb61a

SHA512
3c6adead7456f90b84a7e7c5aa615589491b4c2808a1402b2f527ba769412f93bae73e3ccadaf8b4df96bcd7b1100a0972705b5612da4313edc5afd4ae184be8

Download Submit
\Users\Admin\AppData\Local\Temp\8E3316~1.DLL
MD5
eb2f0fa93bc931458d67c89d4fcfce25

SHA1
680d8d9261c2fa5a130ab4d42d71df06fccd04bf

SHA256
612ddc7dbe69aa8222fd4f80e5a77be6ef836861af91752b7056e5e6b59fb61a

SHA512
3c6adead7456f90b84a7e7c5aa615589491b4c2808a1402b2f527ba769412f93bae73e3ccadaf8b4df96bcd7b1100a0972705b5612da4313edc5afd4ae184be8

Download Submit
\Users\Admin\AppData\Local\Temp\8E3316~1.DLL
MD5
eb2f0fa93bc931458d67c89d4fcfce25

SHA1
680d8d9261c2fa5a130ab4d42d71df06fccd04bf

SHA256
612ddc7dbe69aa8222fd4f80e5a77be6ef836861af91752b7056e5e6b59fb61a

SHA512
3c6adead7456f90b84a7e7c5aa615589491b4c2808a1402b2f527ba769412f93bae73e3ccadaf8b4df96bcd7b1100a0972705b5612da4313edc5afd4ae184be8

Download Submit
\Users\Admin\AppData\Local\Temp\8E3316~1.DLL
MD5
eb2f0fa93bc931458d67c89d4fcfce25

SHA1
680d8d9261c2fa5a130ab4d42d71df06fccd04bf

SHA256
612ddc7dbe69aa8222fd4f80e5a77be6ef836861af91752b7056e5e6b59fb61a

SHA512
3c6adead7456f90b84a7e7c5aa615589491b4c2808a1402b2f527ba769412f93bae73e3ccadaf8b4df96bcd7b1100a0972705b5612da4313edc5afd4ae184be8

Download Submit
\Users\Admin\AppData\Local\Temp\8E3316~1.DLL
MD5
eb2f0fa93bc931458d67c89d4fcfce25

SHA1
680d8d9261c2fa5a130ab4d42d71df06fccd04bf

SHA256
612ddc7dbe69aa8222fd4f80e5a77be6ef836861af91752b7056e5e6b59fb61a

SHA512
3c6adead7456f90b84a7e7c5aa615589491b4c2808a1402b2f527ba769412f93bae73e3ccadaf8b4df96bcd7b1100a0972705b5612da4313edc5afd4ae184be8

Download Submit
memory/560-59-0x0000000000000000-mapping.dmp

Download
memory/560-66-0x0000000001C70000-0x0000000001EEC000-memory.dmp

Filesize
2.5MB

Download
memory/1096-67-0x0000000000000000-mapping.dmp

Download
memory/1096-69-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1580-58-0x0000000000400000-0x00000000005EA000-memory.dmp

Filesize
1.9MB

Download
memory/1580-57-0x0000000074F11000-0x0000000074F13000-memory.dmp

Filesize
8KB

Download
memory/1580-56-0x00000000009C0000-0x0000000000B65000-memory.dmp

Filesize
1.6MB

Download
memory/1580-55-0x0000000000830000-0x00000000009BF000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing