danabot | 8ad23fa861aa23f63d117137e81ace81ab26fffec75014bb7978a9f30d0ed1e8

General

Target

8ad23fa861aa23f63d117137e81ace81ab26fffec75014bb7978a9f30d0ed1e8.exe
Size

1.8MB
MD5

deb63387447b6e670752bac1572b3725
SHA1

3cbda685a958fc5e85434c5280226af949567286
SHA256

8ad23fa861aa23f63d117137e81ace81ab26fffec75014bb7978a9f30d0ed1e8
SHA512

01cc5478137c08a1b0fe5fac6a183400d907edbbe178fb30fe9d387c9954fe7f5b4536e7e84282e658d015ae922f5570f82f9c38f437b19d780cc6ca3bc38f9f

Score

10^/10

danabot 4 banker trojan

Malware Config

Extracted

Family

danabot

Botnet

4

C2

142.11.244.223:443

192.236.194.72:443

Attributes

embedded_hash
0FA95F120D6EB149A5D48E36BC76879D
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\8AD23F~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\8AD23F~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\8AD23F~1.DLL	DanabotLoader2021
behavioral1/memory/3584-122-0x0000000004270000-0x00000000044EC000-memory.dmp	DanabotLoader2021

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 488 created 2832 488 WerFault.exe 8ad23fa861aa23f63d117137e81ace81ab26fffec75014bb7978a9f30d0ed1e8.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

3584 rundll32.exe
3584 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

488 2832 WerFault.exe 8ad23fa861aa23f63d117137e81ace81ab26fffec75014bb7978a9f30d0ed1e8.exe

description	pid	process	target process
PID 488 created 2832	488	WerFault.exe	8ad23fa861aa23f63d117137e81ace81ab26fffec75014bb7978a9f30d0ed1e8.exe

pid	process
3584	rundll32.exe
3584	rundll32.exe

pid	pid_target	process	target process
488	2832	WerFault.exe	8ad23fa861aa23f63d117137e81ace81ab26fffec75014bb7978a9f30d0ed1e8.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
488	WerFault.exe
488	WerFault.exe
488	WerFault.exe
488	WerFault.exe
488	WerFault.exe
488	WerFault.exe
488	WerFault.exe
488	WerFault.exe
488	WerFault.exe
488	WerFault.exe
488	WerFault.exe
488	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 488 WerFault.exe
Token: SeBackupPrivilege 488 WerFault.exe
Token: SeDebugPrivilege 488 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	488	WerFault.exe
Token: SeBackupPrivilege	488	WerFault.exe
Token: SeDebugPrivilege	488	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

8ad23fa861aa23f63d117137e81ace81ab26fffec75014bb7978a9f30d0ed1e8.exe

description	pid	process	target process
PID 2832 wrote to memory of 3584	2832	8ad23fa861aa23f63d117137e81ace81ab26fffec75014bb7978a9f30d0ed1e8.exe	rundll32.exe
PID 2832 wrote to memory of 3584	2832	8ad23fa861aa23f63d117137e81ace81ab26fffec75014bb7978a9f30d0ed1e8.exe	rundll32.exe
PID 2832 wrote to memory of 3584	2832	8ad23fa861aa23f63d117137e81ace81ab26fffec75014bb7978a9f30d0ed1e8.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\8ad23fa861aa23f63d117137e81ace81ab26fffec75014bb7978a9f30d0ed1e8.exe
"C:\Users\Admin\AppData\Local\Temp\8ad23fa861aa23f63d117137e81ace81ab26fffec75014bb7978a9f30d0ed1e8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\8AD23F~1.DLL,s C:\Users\Admin\AppData\Local\Temp\8AD23F~1.EXE
2⤵
- Loads dropped DLL
PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 560
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:488

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8AD23F~1.DLL
MD5
230926523710cb6d094f1edf342b5fc1

SHA1
ec826b2e3a01f4b1655dc241315ca4cc94640178

SHA256
d8eaa7e4da1fe46c359a8100a2914bbc4336966871336499594dbfd777141eec

SHA512
bb04290d9f9ba3309014966b7674ee6d730b59eefd1877b28e3d78ad0d1f824bd5e1174fe02da28dd719cc4a5b0cd876da095fecbbf6f91376ee4770b63a1174

Download Submit
\Users\Admin\AppData\Local\Temp\8AD23F~1.DLL
MD5
230926523710cb6d094f1edf342b5fc1

SHA1
ec826b2e3a01f4b1655dc241315ca4cc94640178

SHA256
d8eaa7e4da1fe46c359a8100a2914bbc4336966871336499594dbfd777141eec

SHA512
bb04290d9f9ba3309014966b7674ee6d730b59eefd1877b28e3d78ad0d1f824bd5e1174fe02da28dd719cc4a5b0cd876da095fecbbf6f91376ee4770b63a1174

Download Submit
\Users\Admin\AppData\Local\Temp\8AD23F~1.DLL
MD5
230926523710cb6d094f1edf342b5fc1

SHA1
ec826b2e3a01f4b1655dc241315ca4cc94640178

SHA256
d8eaa7e4da1fe46c359a8100a2914bbc4336966871336499594dbfd777141eec

SHA512
bb04290d9f9ba3309014966b7674ee6d730b59eefd1877b28e3d78ad0d1f824bd5e1174fe02da28dd719cc4a5b0cd876da095fecbbf6f91376ee4770b63a1174

Download Submit
memory/2832-115-0x00000000009A3000-0x0000000000B32000-memory.dmp

Filesize
1.6MB

Download
memory/2832-117-0x0000000000400000-0x00000000005EA000-memory.dmp

Filesize
1.9MB

Download
memory/2832-116-0x0000000000B40000-0x0000000000CE5000-memory.dmp

Filesize
1.6MB

Download
memory/3584-118-0x0000000000000000-mapping.dmp

Download
memory/3584-122-0x0000000004270000-0x00000000044EC000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads